funsec mailing list archives
Re: Security Vendor Bypasses Microsoft's Vista PatchGuard
From: "John LaCour" <johnlacour () gmail com>
Date: Wed, 25 Oct 2006 11:33:12 -0700
Actually the kernel hooking issues are about AV and AS as well. When I was with an AV/AS vendor, an extraordinary amount of effort was spent on protecting the software itself against attacks such as hosts file writing, registry key removing, binary tampering, file system permission tampering, keyboard stuffers, mouse movers, etc. etc. The reason kernel hooking is an issue is that in order for an AV or AS to adequately protect itself from being disabled by malware, it has to hook the kernel to do so.

As a side note, most of these attacks would fail were it not for user accounts running with administrator privs in the typical home setup.

-John

On 10/25/06, Larry Seltzer <Larry () larryseltzer com> wrote:
> >> How come Sophos isn't concerned about not having access to the kernel?
>
> The kernel-hooking issues are about host intrusion prevention, not AV or AS specifically. You can use filter drivers to monitor and block anything going into and out of the system, on files or the network or whatever. But by hooking kernel calls you can detect and block attacks from programs that have already gotten on to the system and executed, even at a privileged level. Perhaps Sophos has no such capabilities in their products so they don't care. Or perhaps there are ways to do some defensive blocking without hooking kernel calls. Without more data I think it's hard to say if the tradeoff between blocking kernel hooking and blocking some of the defensive capabilities it enables is worthwhile.
>
> BTW, even Symantec has an anti-virus product for 64-bit Windows, just not one that has HIP.
>
> I don't take it seriously when people assert that there will always be another way to bypass PatchGuard, and any real vendor who does it is nuts. Microsoft will find a way to block the technique and then they're SOL.
>
> In any event, this is just about some security functions on 64-bit Windows systems, a relatively small part of the market for years to come.
>
> Larry Seltzer
> eWEEK.com Security Center Editor
> http://security.eweek.com/
> http://blog.eweek.com/blogs/larry%5Fseltzer/
> Contributing Editor, PC Magazine
> larryseltzer () ziffdavis com
>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.