Patchguard
Security Vendor Bypasses Vista PatchGuard
Security software maker Authentium says that it has created a new version of its flagship product that circumvents the PatchGuard kernel protection technology being added to Microsoft's next-generation Vista operating system.
The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.
Read the article HERE.
==============================================
Will PatchGuard be Vista's Maginot Line?
Mikhail Penkovsky at Agnitum also points out that the API model itself opens up the kernel to attack anyway. Why is it so risky to use KPP [PatchGuard] to provide kernel security for computers running Vista x64 rather than a third-party security solution?
Here’s an analogy. Today, every house has a different lock on its front door; in the same way, you can use any security product you want to protect your computer. Now imagine if every house in your city were required to use the exact same lock on its front door. As soon as a burglar figures out how to crack that lock, he can freely enter and steal from any house. This is what 64-bit Windows security will look like with PatchGuard.
Read the article HERE.
==============================================
Kernel Protection vs. Kernel Patch Protection (Patch Guard)
But even that all being said, I still think that PG is actually a very good idea. PG should not be thought as of a direct security feature. PG's main task is to keep legal programs from acting like popular rootkits. Keeping malware away is not it's main task. However, by ensuring that legal applications do not introduce rootkit-like tricks, PG makes it easier and more effective to create robust malware detection tools.
I spent a few years developing various rootkit detection tools and one of the biggest problems I came across was how to distinguish between a hooking introduced by a real malware and... a hooking introduced by some A/V products like personal firewalls and Host IDS/IPS programs. Many of the well known A/V products do use exactly the same hooking techniques as some popular malware, like rootkits! This is not good, not only because it may have potential impact on system stability, but, and this is the most important thing IMO, it confuses malware detection tools.
Read the article HERE.
Security software maker Authentium says that it has created a new version of its flagship product that circumvents the PatchGuard kernel protection technology being added to Microsoft's next-generation Vista operating system.
The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.
Read the article HERE.
==============================================
Will PatchGuard be Vista's Maginot Line?
Mikhail Penkovsky at Agnitum also points out that the API model itself opens up the kernel to attack anyway. Why is it so risky to use KPP [PatchGuard] to provide kernel security for computers running Vista x64 rather than a third-party security solution?
Here’s an analogy. Today, every house has a different lock on its front door; in the same way, you can use any security product you want to protect your computer. Now imagine if every house in your city were required to use the exact same lock on its front door. As soon as a burglar figures out how to crack that lock, he can freely enter and steal from any house. This is what 64-bit Windows security will look like with PatchGuard.
Read the article HERE.
==============================================
Kernel Protection vs. Kernel Patch Protection (Patch Guard)
But even that all being said, I still think that PG is actually a very good idea. PG should not be thought as of a direct security feature. PG's main task is to keep legal programs from acting like popular rootkits. Keeping malware away is not it's main task. However, by ensuring that legal applications do not introduce rootkit-like tricks, PG makes it easier and more effective to create robust malware detection tools.
I spent a few years developing various rootkit detection tools and one of the biggest problems I came across was how to distinguish between a hooking introduced by a real malware and... a hooking introduced by some A/V products like personal firewalls and Host IDS/IPS programs. Many of the well known A/V products do use exactly the same hooking techniques as some popular malware, like rootkits! This is not good, not only because it may have potential impact on system stability, but, and this is the most important thing IMO, it confuses malware detection tools.
Read the article HERE.
posted by vanish at 5:50 PM
0 Comments:
Post a Comment
<< Home