funsec mailing list archives

Re: Security Vendor Bypasses Microsoft's Vista PatchGuard


From: "John LaCour" <johnlacour () gmail com>
Date: Wed, 25 Oct 2006 11:33:12 -0700

Actually the kernel hooking issues are about AV and AS as well.

When I was with an AV/AS vendor, an extraordinary amount of effort
was spent on protecting the software itself against attacks
such as hosts file writing, registry key removing, binary tampering,
file system permission tampering, keyboard stuffers, mouse movers,
etc. etc.

The reason kernel hooking is an issue is that in order for an AV or AS
to adequately protect itself from being disabled by malware, it has to
hook the kernel to do so.

As a side note, most of these attacks would fail were it not for user
accounts running with administrator privs in the typical home setup.

-John



On 10/25/06, Larry Seltzer <Larry () larryseltzer com> wrote:
> >> How come Sophos isn't concerned about not having access to the kernel?
>
> The kernel-hooking issues are about host intrusion prevention, not AV or
> AS specifically. You can use filter drivers to monitor and block
> anything going into and out of the system, on files or the network or
> whatever. But by hooking kernel calls you can detect and block attacks
> from programs that have already gotten on to the system and executed,
> even at a privileged level.
>
> Perhaps Sophos has no such capabilities in their products so they don't
> care. Or perhaps there are ways to do some defensive blocking without
> hooking kernel calls. Without more data I think it's hard to say if the
> tradeoff between blocking kernel hooking and losing some of the
> defensive capabilities it enables is worthwhile. BTW, even
> Symantec has an anti-virus product for 64-bit Windows, just not one that
> has HIP.
>
> I don't take it seriously when people assert that there will always be
> another way to bypass PatchGuard, and any real vendor who does it is
> nuts. Microsoft will find a way to block the technique and then they're
> SOL. In any event, this is just about some security functions on 64-bit
> Windows systems, a relatively small part of the market for years to
> come.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> larryseltzer () ziffdavis com

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
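John's list of self-protection problems opens with "hosts file writing": malware appends entries that point an AV/AS product's update servers at localhost or at an attacker-controlled address, so the product keeps running but never receives new signatures. The following is an added example, not code from the thread or from any vendor, of a small detector for that tampering: it parses a Windows-style hosts file and flags any watched hostname that has been sinkholed or redirected. The vendor hostnames in WATCHED_HOSTS and the sample hosts file are constructed assumptions for illustration.

```python
"""Detect hosts-file tampering that cuts an AV/AS client off from its
update servers.  Added example for the funsec thread; the hostnames and
the sample file below are constructed, not real vendor data."""

import ipaddress

# Assumption: hostnames a defender expects the AV/AS client to resolve.
WATCHED_HOSTS = {
    "update.example-av.com",
    "liveupdate.example-av.com",
    "definitions.example-as.net",
    "www.example-av.com",
}

# Destinations that silently black-hole a lookup instead of redirecting it.
SINKHOLE_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/8", "::1/128", "::/128",
)]

# Constructed sample: a stock Windows hosts file with malware-appended lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
# --- entries below simulate what malware appends (constructed) ---
127.0.0.1       update.example-av.com liveupdate.example-av.com
10.0.0.5        definitions.example-as.net
0.0.0.0 www.example-av.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, lineno) for every mapping in a hosts file.

    Comments start at '#', whitespace is any mix of spaces and tabs, and
    one address may be followed by several hostnames, as in the real file.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address; the resolver ignores it as well
        for name in parts[1:]:
            yield ip, name.lower(), lineno


def find_tampering(text, watched=WATCHED_HOSTS):
    """Return (lineno, hostname, ip, kind) for every watched hostname that
    the hosts file overrides.  kind is 'sinkholed' for loopback/unspecified
    targets and 'redirected' for anything else (a possible attacker host)."""
    findings = []
    for ip, name, lineno in parse_hosts(text):
        if name not in watched:
            continue
        # An IPv4 address is never 'in' an IPv6 network, so mixed checks are safe.
        kind = "sinkholed" if any(ip in net for net in SINKHOLE_NETS) else "redirected"
        findings.append((lineno, name, str(ip), kind))
    return findings


if __name__ == "__main__":
    for lineno, name, ip, kind in find_tampering(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip} ({kind})")
```

On a live system the same function would be run over the contents of %SystemRoot%\System32\drivers\etc\hosts. Note that this only detects the symptom; it does nothing to stop the write, which is John's point: the hosts file is writable by any administrator, and on a typical 2006-era home machine the user was one.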

