Microsoft Working With Security Vendors

mikesd81 writes "The BBC is reporting on Microsoft's U-Turn. They've now given security vendors some of the information they want to make their products work with Microsoft's new operating system, Vista." From the article: "Earlier this month, security firm McAfee took out a full-page advert in the Financial Times to alert readers to its worries about the way Microsoft was handling the release of its new operating system. 'Microsoft seems to envision a world in which one giant company not only controls the systems that drive most computers around the world but also the security that protects those computers from viruses and other online threats,' the advert said. "

Re:

[MollyB]

Don't they just do what they want unless they "lose" a legal case, then continue whilst appealing until the suit is moot? Or until a settlement is reached (money changes hands and minds)?

MS is such a juggernaut that it flows around or over obstacles, like an avalanche, tsunami, mud (fud?) slide, etc. If McAfee and company survive, they'll be the exception that makes the rule, imho.

Re:

[Rob T Firefly]

I like MS-bashing as much as the next basher, but this is just a cheap shot. When you get down to it, isn't virtually every company in every trade envisioning a world in which they eventually snuff out all the competition and grow to become the only source for whatever it is they do? Even if you know it won't logically happen, it's still the general goal that's paraphrased into the "mission statement" posters in every corporate breakroom.

Re:

[Trelane]

When you get down to it, isn't virtually every company in every trade envisioning a world in which they eventually snuff out all the competition and grow to become the only source for whatever it is they do?

Sure, but there's a critical difference: very, very few can.

Re:

[Rob T Firefly]

Yes, but McAfee could do a lot better to make their point. (I was referring to them mainly, I probably should have made a new post rather than replying to a thread. Sorry!) The full-page ad and everything comes off as petulant, pinting at MS and saying "they want to own everything and that's bad!" Joe Public isn't going to come off any wiser as to why the way they're going about it is bad. Most people, however dense, tend to take comments about any company or person made by their competition with a gra

Re:

[From A Far Away Land]

I'd get a kick out of Vista using its DRM badness to block McAfee and Symantec from running. Something along the lines of:
"This software is unathenticated, and could be malware.
Would you like to:
Block / Permit once / Report this problem to Microsoft and Continue"

Re:World Domination - the popup

[fahrbot-bot]

So MS was considering leveraging Vista for world domination...

Oh ya! Every time an overlord wants to do something there'll be this popup requesting their admin credentials.

Never Happy

[corroncho]

These security vendors been taking advantage of the flaws in the windows OS's for years and making tons of money doing it. Great someone needed to do it since MS couldn't or wouldn't. However MS is now trying to hardent heir OS and remove the security holes that should have been removed years ago and what happens? People complain. And by people I mean Symantec, McAfee, etc (not the end user mind you).

I for one am pleased to see MS trying to lock down their systems and these other vendors just need to

Re:

[Silver Sloth]

Well... er... yes.... but....

The otherside of the arguement is that the proposed Vista lockout would leave M$ as the only suppliers of anti malware (Ok, so Symantic don't seem to agree, but I'm stating McAfee's aguement, not mine) and we are all aware of the dangers of a monoculture, especially one run by Seatle's finest.

What I want, if at all posible, is the choice to run which anti malware systems I choose.

Re:

[Amouth]

What gets me is MS took a page for Apple's book and it set them on fire..

Re:

[Silver Sloth]

Ooops

in parent post s/Symantec/Sophos/

Re:

[mikesd81]

What I want, if at all posible, is the choice to run which anti malware systems I choose.

Not only to chose which one you want, but it should be easy to install the one you want easily as well.

Why does everyone but McAfee/Symantec manage fine?

[L0neW0lf]

"The otherside of the arguement is that the proposed Vista lockout would leave M$ as the only suppliers of anti malware (Ok, so Symantic don't seem to agree, but I'm stating McAfee's aguement, not mine) and we are all aware of the dangers of a monoculture, especially one run by Seatle's finest.

What I want, if at all posible, is the choice to run which anti malware systems I choose."

If this is such a huge problem, as Symantec and McAfee suggest, then why do Avast!, eTrust, and TrendMicro, among others, al

Re:Why does everyone but McAfee/Symantec manage fi

[3fiddy]

If this is such a huge problem, as Symantec and McAfee suggest, then why do Avast!, eTrust, and TrendMicro, among others, already have products that work just fine in Vista (I'm running RC2 and have tested them) without needing access to PatchGuard or the kernel? Maybe because Trend (I can't speak for the others) doesn't even catch viruses in XP/2000? So if by 'work' you mean they 'coexist with the OS', then yes. They 'work'. Not that I'm touting McAfee or Symantec, but they are definitely a step up from

Re:

[lbmouse]

Do you honestly believe that if MS locks down Vista it will solve any security issue? If anything it makes the OS more vulnerable because now the only people that are aware of the security holes are either working in Redmond and/or working to find ways to take advantage of the holes (aka, bad guys). IMHO it's a good thing to have as many (good guy) eyes as possible reviewing an OS's framework.

Mods on crack

[jb.hl.com]

-1 Troll?! This is 100% the truth.

Re:

[baadger]

Vista may be trying to harden their OS with Vista, but there screwing up alot of the decisions again.

People are still essentially setup as pseudo-admins out of the box (i'm sure UAC won't solve the problem) and DEP is disabled on all programs by default (most of the recent critical XP flaws are prevented by DEP being enabled for all programs and services).

I'm glad they have improved useability as a limited user though. Switching to a limited user account, disabling UAC, and enabling DEP will be the first th

Oblig

[mattwarden]

"The wolf shall dwell with the lamb, and the the leopard shall lie down with the kid; and the calf and the young lion and the fatling together; and a little child shall lead them." Isaiah 11:6-7

Re:

[gstoddart]

"The wolf shall dwell with the lamb, and the the leopard shall lie down with the kid; and the calf and the young lion and the fatling together; and a little child shall lead them." Isaiah 11:6-7

Hmmm .... I don't know what Slashdot you've been reading, but on the one I read, the obligatory is more of the form: in Soviet Russia, security firms give information to you.

Biblical quotes ... not so much. :-P

Cheers

Re:

[Anonymous Coward]

In Soviet Russia, bibles quote you!

"And the Lord sayeth unto the followers of Portman,
'Lest ye poureth steaming gryts into thyne trousers,
Ye shall be stripped and turned to stone...'"

Related

[caluml]

An old Russian saying: The wolf will hire himself out very cheaply as a shepherd.
 
My point? None.

Re:

[Jugalator]

I first thought it was something related to the Book of Mozilla. Shows how interested I am in those stories. :-p

Oh No!

[balsy2001]

MS is destroying my revenue stream by making a more secure OS!

Re:

[UnknowingFool]

MS is destroying my revenue stream by making a more secure OS!

There's two sides to this issue. From the security vendor's standpoint, MS is just making it harder for them to work with Vista. While there are locking down the OS somewhat, MS will be releasing competing security products. This has shades of the antitrust behavior which got them into trouble. On the other hand, Trend Micro has been able to work through the changes in Vista.

Re:

[drsmithy]

There's two sides to this issue. From the security vendor's standpoint, MS is just making it harder for them to work with Vista.

Indeed. Now, instead of just trundling around wantonly in kernel space with their buggy software, they'd have to actually stick to known and documented APIs. The horror !

While there are locking down the OS somewhat, MS will be releasing competing security products.

Which use the same APIs available to _all_ "security software" vendors.

Despite Slashdot folklore, the whole "se

Re:

[molarmass192]

Despite Slashdot folklore, the whole "secret APIs make Microsoft software work better with Windows" has never been more than an urban legend.

As a former Windows programmer, I can assure you that there were many undocumented, aka. secret, aka. internal, API calls which provided functionality not available in any of the documented Windows APIs. I'm speaking from a W2K perspective, which I assume also carried forward to XP. This may have changed in Vista, but I'd be very surprised if there were no undocumen

Re:

[drsmithy]

As a former Windows programmer, I can assure you that there were many undocumented, aka. secret, aka. internal, API calls which provided functionality not available in any of the documented Windows APIs.

I am not disagreeing there are undocumented APIs. All platforms have "undocumented APIs" in one form or another, and always will. I am arguing that they were never used in a "nefarious" fashion by anyone at Microsoft.

Re:

[will_die]

I guess it depends on what your definition of "nefarious" is. If nefarious does not means that certian APIs exsist for use by other microsoft products(non-OS), or very close outside companies, or allow thier products to operate faster then using the documented APIs then you are right. Most devs would not call it nefarious if it was something microsoft was not using internally, the documentation was wrong comparied to implementation or was clearing marked as for testing and somehow made it through to the f

Re:

[kabz]

Norton, Macafee, Symantec and the like need to build a better rootkit.

Maybe they should give Sony a call. ;-)

Re:

[Gunfighter]

There's actually a lot of truth to this statement. Success for Microsoft can mean an overall decrease in long term recurring revenue for a variety of service providers (even Microsoft Certified Solution Providers). If Vista is more secure, it means less need for "more secure" alternatives. For those of us who base our living off of maintaining and supporting said alternatives, this is a bad thing.

Personally, I support homogenous networks; so I will see a spike in revenue from any XP->Vista upgrades. In t

Re:

[gutnor]

"Luckily, I don't think Microsoft is releasing a more secure OS."

Security is a *problem*, not a feature that's nice to keep around. What you are asking is a bit like "I sure hope they will never cure cancer because today it makes confortable living for a lot of doctor, scientist, psychologist, charity, widow association, ..."

I hope Vista is more secure and that all the money and work that goes into security software goes into something else a bit more productive. By "more productive" I mean something that i

Re:

[Gunfighter]

Very well, just take the "Luckily" out of that statement and re-read it.

I imagine for most slashdotters, it's not so much a "lucky for us people who support FLOSS/Windows security and can still make money off of it" as it is a "lucky for us people who believe the security of Microsoft products is flawed by design and them releasing yet another buggy, unsecure OS proves correct what many people have been saying for quite some time: if you want hardened systems, stay away from Microsoft products and go with s

Re:

[tokul]

MS is destroying my revenue stream by making a more secure OS!

Nope. MS is destroying revenue stream by changing API and locking all security products except own one.

Re:

[AmberBlackCat]

It looks to me more like "Microsoft is making Windows no longer compatible with my security software at the same time they're making their own software to compete against me".

Lack of clarity

[LaughingCoder]

The article is not very clear as to exactly what the "u-turn" is. First there is this:

The news that the software giant will now allow companies such as McAfee and Symantec access to the kernel of the 64-bit version of Vista has been met with cautious approval.

Is it only the 64 bit version of Vista that was the problem? Further down in the article we have this:

Not all security firms have had issues with Microsoft. Security experts Sophos will release its Vista-compatible product next month.

This make

Re:

[drsmithy]

This makes me wonder what all the complaining is really about.

The complaining is about Symantec and McAfee having to rewrite their software _properly_ and use public APIs rather than just rehashing the same POS every year that hooks into undocumented parts of the Windows kernel at will.

Re:A trickle...

[Rob86TA]

That's funny... Trend Micro had a fully working Anti-virus product during the Beta. They didn't need any special "Kernel Interface Documenation" to make it work. All the information needed was already available, this is about Norton and McAfee whining because THEY couldn't work with MS and wanted special kernel access, not the other way around.

Re:

[Penguinisto]

I think the big stink was w/ folks working the whole rootkit-detection angle (which would require something a bit tighter to the kernel), and not the ordinary everyday virus/worm propagation (which could more easily be caught with something looking for memory footprint signatures or what-have-you).

But then again, F-Secure is big on rootkit detection, and you didn't hear any crying out of them ab't the whole Vista thing. *shrug*

/P

Re:

[gEvil (beta)]

Does Trend Micro's product work on the 64-bit version of Vista? Apparently it's the 64-bit version that only allows signed drivers and has many of the extra security methods in place. That's what Norton and McAfee are complaining about. Their products will work fine on the 32-bit version.

Re:

[Rob86TA]

Yup... both 32 bit and 64 bit versions were released by Trend, see: https://www.trendbeta.com/index.php?get=80 [trendbeta.com]

Re:

[Flopy]

Not only that, but the available information is just enough for any application to run without problems. Giving the Kernel Interface Documentation away will probably make more vulnerabilities available in the future.

Finally, they did something right?

[Penguinisto]

Of course, Symantec and McAfee are likely singing MSFT's praises to high heaven once again... (and their business model is saved)

OTOH, given the closeness of the supposed release date, it tells me that the requisite holes were likely already there to begin with (and that they can likely be exploited, even if MSFT sat tight and never gave the A/V folks the info anyway). That, or they're burning midnight oil to open up said holes (which would mean that oh damn, here it comes...!)

Man - either way, this doe

Re:

[kestasjk]

Microsoft developed software called PatchGuard to keep 3rd party stuff out of the kernel, this is what McAffee and Symantec are complaining about.

It doesn't seem like the sort of software that would break things when taken away, it seems like the sort of software which you could toggle (though that would defeat the object of course).

This is all so dumb

[Moby Cock]

While I revile MS for their draconian business practices, Mcafee is not much better. The problemm with security is that everyone have (roughly) the same system. There is no variation in the computers on the 'net. A windows box with Mcafee (or Norton, to me they are all the same) is as vulnerable as anyother equivalently equpipped box. So a virus will spread quickly. Imagine every person ob earth had an equivalent immune system. Every mutated bug would render the entire population out for the count.
For Mcafee to raise the alarm that MS was playing fast and loose with security by freezing out security software is just crap. Its FUD just like the crap MS spouts. Although it seems to have worked in this case.

Re:

[Gospodin]

Hey, I've got a solution to this: just have the McAfee, etc. client turn off random virus definitions from time to time. Then everyone would have a different "immune system"!

Sheesh.

Financial Times?

[caylem]

It's nice to know that there's an effort being made to make the general pubic more aware of the Microsoft and its quest for world domination, but seriously, the Financial Times? While I'm sure many /.'s read it, consider the amount of people who use McAfee, use Windows, and don't read that particular paper.. or watch/read the BBC. Perhaps a full-page ad in the tabloid magazines/newspapers would reach a larger audience.

Re:

[The Real Andrew]

But the people who read the FT are the ones who will be shelling out the big bucks for Vista Super Corporate Bells and Whistles edition, not the tabloid readers who are going to get it off bit torrent.

Re:

[caylem]

assuming they know how to use bt. out of my non-pc savvy famly and friends, a total of 2 know what bt is, but dont know how to use it. and yes, they have all bought legit copies of all their windows versions. and theyll prolly buy vista too.

Why MS never can do it right?

[atchijov]

So MS try to do "right-thing" by hardening Vista. Due to they arrogance they ignored all 3-rd party security companies while doing it. Now they figure out that they can not ignore them after all. So instead of having properly designed 3-rd party integration APIs they will try to put together something quick -- and most likely undo at least some of the "right-things" in the process.

And the problem with Microsoft Securing

[Frumious Wombat]

their OS is....?

From the Original post: 'Microsoft seems to envision ... but also the security that protects those computers from viruses and other online threats,'

Not to be picky, but on my Solaris boxes, I don't call up McAffee every time a security vulnerability is released, nor do I call them to protect my AIX systems from Crackers either. I expect that Sun and IBM, respectively, will secure their OS, issue patches, and provide the appropriate tools to manage security. We've been letting Microsoft get away with fobbing that duty off on third-parties for far too long. Pity if that impacts Symantec's business model, but Microsoft should have years ago either (a) fixed their OS or (b) taken the tcp/ip stack out and stuck a big, neon-orange, sticker on every box and install disk which reads, "This Products Is Terminally Insecure and If You Let It Connect to a Network, 12-Year Old Script Kiddies Will OWN Your Valuable Corporate DATA! Within 20 Minutes Or Less!"

It's hard in a case like this to know which one of them (Microsoft or Symantec) to have less sympathy for.

Re:

[Darkon]

Not to be picky, but on my Solaris boxes, I don't call up McAffee every time a security vulnerability is released, nor do I call them to protect my AIX systems from Crackers either. I expect that Sun and IBM, respectively, will secure their OS, issue patches, and provide the appropriate tools to manage security.

As usual it's that old bugbear antitrust rearing its ugly head again. McAffee et al claim that MS is going to produce its own anti-malware tools and lock them out of the market, kind of like if Sun

Re:

[badfish99]

The sendmail analogy is surely wrong. Nobody buys add-ons from McAffee or anyone else in order to make Solaris secure. It is secure out of the box, as supplied by Sun.

In the ideal world, if Windows were secure, there would be loads of competition for email software on Windows, but anti-virus software would just not exist at all.

Re:

[drsmithy]

In the ideal world, if Windows were secure, there would be loads of competition for email software on Windows, but anti-virus software would just not exist at all.

Rubbish. AV software and OS security are only vaguely related.

Only the inane ramblings of technically incompetent hacks has caused the clueless to think that "no viruses" and "secure" are synonyms. Anyone remotely knowledgable understands that AV software and OS security are solutions to almost completely different problems that go hand in ha

Antivirus and Security

[TheRecklessWanderer]

It seems to me that lately the large players in the AV world (Norton, McAfee) have been trying so hard to differentiate their product from standard Microsoft offerings (i.e. add value to their products) that the cost/benefit of having one of the major player products is not good. We had a 20 or so copies of NAV 2005 (or maybe it was 2004) and we ordered them through Ingram Micro and we got the licences. So we installed the licences, and then a couple of weeks later they would need to be activated (again) but wouldn't accept the #. So after a month or so of this we scrapped the norton product, went to AVG and have had no problems since. So the moral of the story is that the large players are trying so hard to show that you HAVE TO have their product, and to make sure that you pay for it, that it is not a usable product, IMHO.

MS's genius PR move.

[Quasar1999]

nah... that's not the real story...

The real story is that Microsoft claimed to have made their Kernel completely secure... nobody can touch anything inside... so that means anything that goes wrong with it will be totally their fault. After mulling over it for a while, they then realised that they'd have nobody to blame when some malicious code got up in there and did some hefty damage. So in a genius PR move, they decided to expose an API for security vendors to be able to hook into the kernel. Now when

Mark my words...

[justinbach]

Microsoft's security is gonna do a total 360!

this is dumb

[Anonymous Coward]

So Microsoft comes out with a system that isn't riddled with (the standard) security holes, and the third-party companies whose bottom line depends on MS incompetence freak out, because they're no longer needed.

Microsoft can't win for losing.

I look forward to that...

[briancnorton]

I really do look forward to a day when a software vendor takes responsibility for the proper functioning of their software. IMHO, Mcaffee, symantec, etc shouldn't exist. They are able to get by because of Microsoft's sloppiness. I don't blame MS one bit for trying to correct years of negligence. (I do blame them for those years of negligence) Making Microsoft Windows work shouldn't have to be a competitive industry, Microsoft SHOULD monopolize that.

Re:

[mgblst]

McAffee came about in the days of Msdos, when viruses would replace the boot sector, or attach themselves to the end of EXE and COM files. I am not sure that you can blame Microsoft for that one - there were before the days of encrypion and kernel protection, when any program had full access to memory, so there is not way you could stop it, without building a more secure os. And you can't start of building a more secure OS. (You need money, and ideas!)

Re:

[Bobby Mahoney]

I agree... And on a slight tangent, At what point does an individual component of a given system become generally accepted as a standard offering of said system? I.E., an automatic transmission in a vehicle may of at one time have been considered an option but is now fairly standard on most vehicles. I'm sure there's a better automotive analogy, but you get the idea. At some point, antivirus (as viri are a fact of life) is going to become as standard as the gui. Note that at one point in the not-to-dista

Good news, but not great news...

[jmagar.com]

I'm glad that Microsoft is being more open, and co-operating more. But I believe the real security improvements are from Microsoft, and the McAffees and Nortons of the world are becoming less relevant. I installed the latest McAfee "security center" on my mother in-law's PC and the system performance was cut damn near in half. The experience has cemented in my mind that an up to date version of Windows with the latest security patches is the right way to go, and that these third party tools are bloatware

use OneCare or my mother in-law will get upset

[rs232]

I'm glad that Microsoft is being more open, and co-operating more. But I believe the real security improvements are from Microsoft, and the McAffees and Nortons of the world are becoming less relevant"

They are becoming less relevent but not for the reasons you suggest. With Vista arriving with OneCare already installed they all will go the same way as Netscape and Wordperfect. Some of the new innovative security features in Vista are Patchlock [wikipedia.org] that works by preventing third party software modifying the

Re:

[ejdmoo]

Vista doesn't come with OneCare (anti-virus)

It does come with Windows Defender (anti-spyware)

From what I gather, they wanted to include both, but they could only include anti-spyware because there wasn't an anti-trust problem there.

MS should take security totally in house ..

[rs232]

I would have no objection to to MS totally taking security in house. Locking down the kernel and only allowing API access would eliminate most of the defects in Vistos. The only difference is the end use pays MS a yearly subscription instead of McAfee $274.5 [computerwire.com], Symantec $4.14 billion [softpedia.com]) and the rest. Of course charging after the fact for defects in the product is a very odd way of doing business. Myself don't plan to pay either of them a cent for 'security'.

consequences to productivity

[Phantom of the Opera]

I have used computers bogged down with anti-virus software. My work involved a huge amount of disc access. Symantec not only slowed work down, it caused such disc grinding that scrambled discs were not uncommon where I worked. I solved that problem by disabling and banishing the anti-virus software. Yes, everything was behind a firewall and yes, if an computer was infected on the intranet, my box would have been in danger. The marginal protection of the anti-virus was not worth the cost.

Microsoft's security

Re:

[rs232]

"The marginal protection of the anti-virus was not worth the cost .. What are the chances this will be on the 'safe side' and slow things down enough to where only the highest power hardware allows for productivity."

On a clients machine installing AV software slowed the machine down tremendously. I removed it, set up a standard user, set wordviewer as the default. Installed Firefox and OpenOffice. Advised the client that using IExplorer, Outlook and msWord in combination was not a good idea.

It sounds

AV further weakens TCO argument

[businessnerd]

I can understand why Microsoft wants to lock out the third party vendors. These vendors have convinced everyone that Windows is so insecure by default that whenever you buy a copy of windows, or a computer with windows on it, you must automatically buy their product as well as sign up for their subscription services. AV and firewalls are expensive (for a home user, tack on an extra $70 upon purchase on your new computer and another $30 or so every year after) and when Microsoft tries to make its Total Cos

There seems to be a massive misconception here

[Myria]

Reading the comments here, I think that most people aren't aware of what PatchGuard is.

PatchGuard, quite simply, is "security through obscurity". Basically, while the kernel is running, a hidden background thread continuously hashes the code sections of the kernel and validates that nothing has changed. If something changes, the system bugchecks (blue screens). PatchGuard's security comes from it being obfuscated.

PatchGuard doesn't offer true security. It has nothing to do with escalation of privilege - if you're able to modify the kernel, it's already too late. PatchGuard was intended to stop commercial products from patching the kernel because frequently they do so improperly, and end up causing instability and local privilege elevation exploits. If a company got around PatchGuard, their product would only work until the next second Tuesday. However, rootkit authors may not care about that "time limit".

Certainly PatchGuard helps slightly with DRM. However its more important use is preventing companies from doing improper kernel hacks. With Microsoft bowing to these companies, PatchGuard's only use is now DRM.

By the way, the only reason Microsoft is doing this is because of Europe's antitrust complaints. No full page ad will convince Microsoft of anything.

Melissa

Re:

[Shados]

Yeah, its a shame Microsoft bowed down with this. Less intrusive anti-viruses worked fine, its only junks like Norton and McC that didn't, and forcing them to rewrite their product so that it doesn't bug down your computer more than running Oblivion in the background would have been a definate plus. Microsoft's monopoly has to be controled, but, in my opinion, not at "all costs". The customer lost on this one, in my opinion. Of course, it is easy to avoid these products for us...but for the rest, not really

Re:There seems to be a massive misconception here

[drsmithy]

PatchGuard, quite simply, is "security through obscurity".

No, it's not. Saying PatchGuard is "security through obscurity" is like saying passwords, etc are "security through obscurity".

Basically, while the kernel is running, a hidden background thread continuously hashes the code sections of the kernel and validates that nothing has changed. If something changes, the system bugchecks (blue screens). PatchGuard's security comes from it being obfuscated.

No, PatchGuard's security comes from not allowing unknown code to execute in kernel space. Ie: it stops things like rootkits from functioning by crashing the OS when it detects unauthorised activity.

PatchGuard doesn't offer true security.

No one measure offers "true security". PatchGuard is just another part of a layered security model.

It has nothing to do with escalation of privilege - if you're able to modify the kernel, it's already too late.

No, only if you *actually can* modify the kernel, is it already too late [for the kinds of attacks PatchGuard is protecting against]. Which is why the system crash-dumps - because there's not much else you can do in the face of an attacker who has already reached that level of privilege.

PatchGuard was intended to stop commercial products from patching the kernel because frequently they do so improperly, and end up causing instability and local privilege elevation exploits. If a company got around PatchGuard, their product would only work until the next second Tuesday. However, rootkit authors may not care about that "time limit".

PatchGuard is there to stop malicious and unknown interceptions of low-level system calls. In other words, the kind of stuff rootkits (in addition to badly written, but legitimate applications) do.

Re:

[mdozturk]

... by crashing the OS when it detects unauthorised activity

This seems like a great way someone to cause my computer to crash. When will the patch come out for this denial of service attack?

Re:

[drsmithy]

This seems like a great way someone to cause my computer to crash.

Considering the alternative, it's a reasonable tradeoff.

It's no different than any other OS that crashes instead of letting rogue code go tromping all over the kernel.

When will the patch come out for this denial of service attack?

Probably as soon as someone can come up with a better way of defending against the more important kernel attack.

Re:

[Beryllium Sphere(tm)]

OK, threat model is an attack that modifies the kernel. Attacker has root privileges.

What keeps Patchguard running in the presence of intentionally bad code with full run of the system? What stops code that can and does modify the kernel from turning off or NOPing Patchguard?

If the answer is something other than "by obfuscation" it would be educational to hear it.

Re:

[drsmithy]

What keeps Patchguard running in the presence of intentionally bad code with full run of the system? What stops code that can and does modify the kernel from turning off or NOPing Patchguard?

It halts the entire machine when something tries to modify it, thus stopping them from doing that.

If the answer is something other than "by obfuscation" it would be educational to hear it.

If you have better alternatives, I'm sure Microsoft's software engineers would be interested to hear about them.

Mysterious advert in the FT.

[RemovableBait]

Has anybody here actually seen this advert for themselves? I've tried googling around for a picture of it or a link to it, but without any luck. Anyone have a link?

I'm still amazed in some respects that McAfee got away with it. IANAL, but it sounded almost libellous to me.

Re:

[alienfluid]

http://farhanahmed.net/blog/?p=300 [farhanahmed.net]

Remember The MS MO

[mpapet]

Even if MS intentionally locked up API, naysayers who trumpet a lesser known antivirus/spyware vendor need to understand that they are of little interest to MS.

They go after the #1 money/volume producer in the category. This is the usual "big fish" strategy. Along the way, a bunch of smaller companies in the same category get eaten alive by the onslaught of lock-in and big-ticket marketing budgets. HP and Apple do the same thing.

Symantec has the most to lose in "security". Just as AdobeMedia has the mos

I'm not sure I understand the commotion here...

[Toreo asesino]

Correct me if I'm wrong, but isn't patching the kernel an administrator-only function anyway?

If this is so, isn't the principal more or less achievable with Linux by installing a modified kernel under root access?

Either way, I wouldn't want anything tinkering with my kernel operation, so I see these API's as a negative thing - I just hope to God Windows will display some absolutely mammoth dialogue boxes should (heaven forbid) anything try and modify my kernel!

U-Turn?

[Ant P.]

Makes it sound like MS suddenly pulled its head out of its ass, which is wrong. The only U-turn they did here was because they went into a dead end street.

n/a

[me.at.work]

As this does not really concern me, I'll just conclude that I am yet to run any sort of av-software on my linux installs. Thanks, I'll be gone now.

Isn't this...

[griffon666]

...McAfee screaming: "I want some piece of the cake, too?"

Microsoft has made supplemental software (defrag, disk compression, zips, etc.) obsolete in the past by including it into the system. They will do it again.