funsec mailing list archives

Re: Security Vendor Bypasses Microsoft's Vista PatchGuard


From: Blue Boar <BlueBoar () thievco com>
Date: Wed, 25 Oct 2006 13:20:21 -0700

Dude VanWinkle wrote:
> Sounds to me like Sophos has a point, even if it's made for marketing
> purposes.

Nothing wrong with having multiple approaches. You won't catch me trying to force Sophos to use a kernel-hooking model if they don't want to. The question is: does anyone have a legitimate need to hook the kernel as a protection/cleaning mechanism?

> Patchguard, while not stopping the most wily attackers,
> would stop the rootkits that are available today from being a valid
> payload.

Simply making sufficient changes to the kernel (it doesn't matter what kind) will break some of the hooking mechanisms, before you even add on Patchguard.

> Isn't that worth something?

It's not a useless attempt, and I don't think they should necessarily get rid of it. It's also not necessarily mutually exclusive with what McAfee and Symantec want.

But Microsoft acting like having KPP has now eliminated all potential kernel attack vectors, and the need for other security software to act there, is a mistake. Microsoft has now claimed that their software won't get to play there either. And that's good: it changes the situation from Microsoft abusing a monopoly to Microsoft making a stupid mistake.

Not that I believe that MS will actually keep their security software from playing where the other guys want to, but at least it's a claim we can look back on.
http://www.microsoft.com/security/windowsvista/allchin.mspx

                                        BB
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.