RE: [funsec] Security Vendor Bypasses Microsoft's Vista PatchGuard

Larry Seltzer Larry at larryseltzer.com
Wed Oct 25 12:27:15 CDT 2006


>>How come Sophos isn't concerned about not having access to the kernel?

The kernel-hooking issues are about host intrusion prevention, not AV or
AS specifically. You can use filter drivers to monitor and block
anything going into and out of the system, on files or the network or
whatever. But by hooking kernel calls you can detect and block attacks
from programs that have already gotten on to the system and executed,
even at a privileged level. 

Perhaps Sophos has no such capabilities in their products so they don't
care. Or perhaps there are ways to do some defensive blocking without
hooking kernel calls. Without more data I think it's hard to say if the
tradeoff between blocking kernel hooking and blocking some of the
defensive capabilities it enables is worthwhile. BTW, even Symantec has
an anti-virus product for 64-bit Windows, just not one that has HIP.

I don't take it seriously when people assert that there will always be
another way to bypass PatchGuard, and any real vendor who does it is
nuts. Microsoft will find a way to block the technique and then they're
SOL. In any event, this is just about some security functions on 64-bit
Windows systems, a relatively small part of the market for years to
come.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.eweek.com/blogs/larry%5Fseltzer/
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com 
