Re: How will PatchGuard change kernel programming?


I just read at:
http://rss.slashdot.org/~r/slashdot/eqWf/~3/37127625/article.pl that
Microsoft has decided to allow PatchGuard to be bypassed. Also, the
security center can be turned off by other security products so that they
can choose the method of interfacing with the user. I think in corporate
environments those popups should never be displayed if the domain admin so
chooses, but a notification sent to IT so they can correct the problem. It
permits IT to see developing problems that can be fixed for everyone at once
and not have time wasted by hundreds or thousands of employees.

I see why the system needs to be locked down. Recent reviews of OneCare
indicate it is not that good at detecting viruses nor is their speed of
updating close to some of the other major players. Most of the major
antivirus companies update every few minutes or hours depending upon what is
seen on the internet.

BTW, the last I heard there are techniques to permit PatchGuard to be
bypassed. Until all computers have been upgraded to the newest processors
with hardware VT, I don't think many attacks can be defeated. Even then, it
will probably not be a perfect solution.

"Don Burn" <burn@xxxxxxxxxxxxxxxx> wrote in message
news:ecpkVB57GHA.1496@xxxxxxxxxxxxxxxxxxxxxxx
After looking at the article, I thought it was one of the stupider things
that has been written on the subject. Microsoft has used the "Windows
Filtering Platform" term to mean the various filter driver technologies in
the system, such as file system filters, TDI filters, documented hooks for
process and registry events. This is not anything new and it sure isn't
secret.

Now you can argue that Microsoft needs to add to the environment to make
some checking easier, and I will not argue. But the basics are there and
can be used to protect a system. There are situations where the system
(or an application) will crash, but the basic security is pretty good, and
with the crash the culprit can typically be determined.

It is ironic that McAfee and Symantec, leading the claim to need hooking,
both open the systems to attack since they do not do that good a job on
system call validation. I notice that Anton did not bring up his old
argument of Kaspersky AV, probably because Kaspersky has publicly come out
in favor of PatchGuard.

As far as the claim of undocumented APIs as bad, sorry, until the open
source movement almost every OS in the world had them. In a previous job,
I spent a ton of time dealing with contracts to get access to undocumented
APIs and file formats from companies like IBM and HP. Note: all of these
contracts had a clause that said they would sue your ass off if you either
disclosed the material, or used any APIs not in a specific list even
though the include files you got with the contract had additional APIs.

It is obvious the OP is one of those who believes Microsoft is evil no
matter what. In the past it was "Microsoft is evil since it doesn't
secure the OS from spyware", now it is evil since "Microsoft has secured
the OS making it harder for me to hack".


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply


"David J. Craig" <Dave@xxxxxxxxxxxxx> wrote in message
news:eyIVPe07GHA.4552@xxxxxxxxxxxxxxxxxxxxxxx
Look at this: http://WindowsSecrets.com/comp/061012

PatchGuard is a very good idea, but when Microsoft keeps the
methodologies secret to enable protection of a system, it does make it
difficult for anyone to provide good security products. Just program
execution is very difficult to protect with the documented interfaces.
Yes, you can see all file opens with a minifilter, but I can think of
ways to load many DLLs into a single process using documented interfaces
and have them together produce undesirable results.

If someone can get a kernel mode driver loaded on a system, I don't think
it is possible to protect the system. Another issue coming up is the new
hardware VM support that permits someone to wrap an executing OS within a
box so that it has no control over the hardware anymore.

"Don Burn" <burn@xxxxxxxxxxxxxxxx> wrote in message
news:uQuguay7GHA.4568@xxxxxxxxxxxxxxxxxxxxxxx
It is a good thing, since it forces people to develop properly and not
use kludgy hooking, which exposes the system to threats. For any decent
developer it will not impact them at all.


--
Don Burn (MVP, Windows DDK)
Windows 2k/XP/2k3 Filesystem and Driver Consulting
http://www.windrvr.com
Remove StopSpam from the email to reply



"smerf" <smerf@xxxxxxxxxx> wrote in message
news:NiUXg.10022$nn6.4289@xxxxxxxxxxxxxxxxxxxxxxxxx
How will Vista's PatchGuard change the ability of coders to extend the
OS?
