
Sophos Takes Microsoft's Side In Vista PatchGuard Spat

While competitors Symantec and McAfee take Microsoft to task for locking down the 64-bit Vista kernel, Sophos criticizes those competitors for shortsightedness.

Unlike rivals Symantec and McAfee, U.K.-based Sophos won't criticize Microsoft for locking down the kernel of the 64-bit version of Windows Vista. Instead, a company researcher on Monday took the competitors to task for their lack of foresight.

"With the amount of time and effort [spent] adjudicating this publicly, they could have made more progress if they had worked with Microsoft," said Ron O'Brien, a Sophos senior security analyst.

The company's chief technology officer, Richard Jacobs, was even more blunt. "Symantec and McAfee may be struggling with HIPS [host intrusion prevention system] because they haven't coded their solutions with 64-bit Vista in mind," said Jacobs in a statement Monday. "We've taken a different approach to HIPS, by focusing more on catching bad behavior by analyzing code before it executes."

The rancorous exchange between Microsoft, Symantec, and McAfee revolves around Microsoft's decision to wall off the kernel in 64-bit Vista. Dubbed "PatchGuard," the technology is designed to stop malicious code such as stealthy rootkits from making changes at the kernel level. Symantec and McAfee, however, went public with objections to PatchGuard, charging that by blocking "kernel hooking" -- intercepting Windows' system calls and modifying the kernel's system service dispatch table -- Microsoft was making it impossible for them to implement advanced security techniques, notably HIPS.
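To make the dispute concrete, here is an added example (not Microsoft's, Sophos's or any other vendor's code) that models in user mode what "kernel hooking" of a dispatch table is and why a PatchGuard-style integrity check trips on it. The table, the two stand-in "system calls", the hook and the FNV-1a checksum are all constructed for this demonstration; the real SSDT layout and PatchGuard's internals are not modelled, and where real PatchGuard bug-checks the machine this model merely reports the modification.

```c
/* Added example: a user-mode model of dispatch-table hooking and of a
 * PatchGuard-style integrity check. Not vendor code; everything here is
 * constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef long (*syscall_fn)(long arg);

/* Constructed stand-ins for kernel services; the real ones do real work. */
static long sys_open(long arg)  { return arg + 1; }
static long sys_write(long arg) { return arg * 2; }

enum { SYS_OPEN = 0, SYS_WRITE = 1, SYS_COUNT = 2 };

/* The dispatch table: call number -> handler, as the SSDT maps service
 * numbers to kernel handlers. */
static syscall_fn dispatch[SYS_COUNT] = { sys_open, sys_write };

static syscall_fn saved_open = NULL; /* original handler, kept so the hook can chain */
static int hook_hits = 0;

/* A HIPS-style hook: observe the call, then pass it to the original handler. */
static long hooked_open(long arg) {
    hook_hits++;
    return saved_open(arg);
}

/* Installing the hook means overwriting a table entry: the operation the
 * article says PatchGuard blocks. */
void install_hook(void) {
    if (saved_open != NULL) return; /* already hooked; do not lose the original */
    saved_open = dispatch[SYS_OPEN];
    dispatch[SYS_OPEN] = hooked_open;
}

void remove_hook(void) {
    if (saved_open != NULL) {
        dispatch[SYS_OPEN] = saved_open;
        saved_open = NULL;
    }
}

int hook_call_count(void) { return hook_hits; }

/* FNV-1a over the raw bytes of the table: a stand-in for the periodic
 * checksum a kernel patch-protection mechanism keeps over protected
 * structures. */
uint64_t table_checksum(void) {
    const unsigned char *p = (const unsigned char *)dispatch;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < sizeof dispatch; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t baseline = 0;

void integrity_baseline(void) { baseline = table_checksum(); }

/* 1 if the table changed since the baseline, 0 otherwise. Real PatchGuard
 * reacts with a bug check rather than a return value. */
int integrity_check(void) { return table_checksum() != baseline; }

/* Dispatch through the table, as the system-call entry path would. */
long do_syscall(int nr, long arg) {
    if (nr < 0 || nr >= SYS_COUNT) return -1;
    return dispatch[nr](arg);
}

int main(void) {
    integrity_baseline();
    printf("clean table modified? %d\n", integrity_check());
    install_hook();
    do_syscall(SYS_OPEN, 41);
    printf("hook observed %d call(s); table modified? %d\n",
           hook_call_count(), integrity_check());
    remove_hook();
    printf("after unhook modified? %d\n", integrity_check());
    return 0;
}
```

The hook is exactly what a 32-bit HIPS does to see every call to a service: it swaps the table entry and chains to the original. The checksum shows why that cannot coexist with kernel patch protection: any change to the table, benign or not, is indistinguishable from a rootkit's change when the checker only looks at the bytes.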

Sophos, said O'Brien, has been able to implement its version of HIPS without kernel hooking. "The method we use does not require access to the kernel. We call it 'genotyping.'" By O'Brien's definition, genotyping scans the file before it executes, looks at the code inside the file to see if it has "potential malicious intent," then blocks the file from executing if a "preponderance of evidence" suggests the file is malicious.
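The pre-execution, "preponderance of evidence" approach O'Brien describes can be illustrated with an added example. This is not Sophos's genotyping engine, whose internals this article does not disclose; it is a user-mode scorer written for this page that never runs the file, looks at static features of the image, and blocks only when the weighted evidence crosses a threshold. The feature list, weights, threshold and the sample buffers are all constructed assumptions, and a distinct-byte count stands in for the byte-entropy measure a real scanner would use for detecting packed bodies.

```c
/* Added example: a pre-execution heuristic scorer in the spirit of the
 * article's description. Not Sophos's code; features, weights, threshold
 * and samples are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_THRESHOLD 50 /* constructed: block when evidence reaches this */

/* Byte-string search that tolerates embedded NULs, which strstr() would stop at. */
static int contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > len) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Number of distinct byte values: a libm-free stand-in for entropy. Packed
 * or encrypted bodies use nearly all 256 values; plain code and strings far fewer. */
int distinct_bytes(const unsigned char *buf, size_t len) {
    unsigned char seen[256] = {0};
    int n = 0;
    for (size_t i = 0; i < len; i++)
        if (!seen[buf[i]]) { seen[buf[i]] = 1; n++; }
    return n;
}

/* Each feature is one piece of evidence; none alone is decisive. The
 * weights are assumptions chosen for the demonstration. */
int score_file(const unsigned char *buf, size_t len) {
    int score = 0;
    if (len < 2 || buf[0] != 'M' || buf[1] != 'Z') return 0; /* not a PE image: out of scope */
    if (distinct_bytes(buf, len) > 200) score += 25;           /* packed or encrypted body */
    if (contains(buf, len, "ZwSetSystemInformation")) score += 20; /* historically abused to load kernel code */
    if (contains(buf, len, "CreateRemoteThread") &&
        contains(buf, len, "WriteProcessMemory")) score += 30;  /* classic injection pair */
    if (contains(buf, len, "IsDebuggerPresent")) score += 10;   /* anti-analysis, also common in legitimate software */
    if (contains(buf, len, "URLDownloadToFileA")) score += 15;  /* downloader behaviour */
    return score;
}

/* 1 = block execution, 0 = allow. */
int should_block(const unsigned char *buf, size_t len) {
    return score_file(buf, len) >= BLOCK_THRESHOLD;
}

/* Constructed samples, not real binaries: an "MZ" stub followed by the
 * import names a scanner would read out of the import table. */
static const unsigned char benign_sample[] =
    "MZ\x90\x00" "KERNEL32.dll MessageBoxA ExitProcess";
static const unsigned char partial_sample[] =
    "MZ\x90\x00" "KERNEL32.dll IsDebuggerPresent CreateRemoteThread";
static const unsigned char injector_sample[] =
    "MZ\x90\x00" "KERNEL32.dll CreateRemoteThread WriteProcessMemory "
    "IsDebuggerPresent NTDLL.dll ZwSetSystemInformation";

int score_benign(void)   { return score_file(benign_sample,   sizeof benign_sample   - 1); }
int score_partial(void)  { return score_file(partial_sample,  sizeof partial_sample  - 1); }
int score_injector(void) { return score_file(injector_sample, sizeof injector_sample - 1); }

int main(void) {
    printf("benign:   score %2d block %d\n", score_benign(),
           should_block(benign_sample, sizeof benign_sample - 1));
    printf("partial:  score %2d block %d\n", score_partial(),
           should_block(partial_sample, sizeof partial_sample - 1));
    printf("injector: score %2d block %d\n", score_injector(),
           should_block(injector_sample, sizeof injector_sample - 1));
    return 0;
}
```

The "partial" sample is the case a threshold exists for: one anti-debug import plus a lone CreateRemoteThread is weak evidence and is allowed, while the injector, which carries the injection pair and a kernel-loading primitive together, is blocked. None of this touches the kernel, which is the point of the contrast with hooking-based HIPS; the trade-off is that a file whose malicious code is only revealed at run time, or which is packed with a scheme the scanner does not unpack, can score below the threshold.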

While Sophos dubs that technique and technology a host-based intrusion prevention system, Symantec and McAfee might disagree. Those companies' current products -- which hook the 32-bit kernel in Windows XP and will do the same in 32-bit Vista, where PatchGuard is absent -- monitor system calls to the kernel as well as changes to the kernel's dispatch table to determine if a file may be malicious. To offer the same kind of protection, Symantec and McAfee have argued, they need access to the inner workings of the 64-bit Vista kernel as well.

"We do have a different opinion about what HIPS means," O'Brien acknowledged.

Still, Sophos is convinced that additional security can be provided to 64-bit Vista without accessing the kernel. After stepping up its efforts over the past several weeks, Sophos has been able to genotype an increasingly large number of viruses and other malware. "We've improved on our ability to identify both known and unknown threats," said O'Brien, who characterized the response from customers as "good."
