Sophos Takes Microsoft's Side In Vista PatchGuard Spat
While competitors Symantec and McAfee take Microsoft to task for locking down the 64-bit Vista kernel, Sophos criticizes those competitors for shortsightedness.
Unlike rivals Symantec and McAfee, U.K.-based Sophos won't criticize Microsoft for locking down the kernel of the 64-bit version of Windows Vista. Instead, a company researcher on Monday took the competitors to task for their lack of foresight.
"With the amount of time and effort [spent] adjudicating this publicly, they could have made more progress if they had worked with Microsoft," said Ron O'Brien, a Sophos senior security analyst.
The company's chief technology officer, Richard Jacobs, was even more blunt. "Symantec and McAfee may be struggling with HIPS [host intrusion prevention system] because they haven't coded their solutions with 64-bit Vista in mind," said Jacobs in a statement Monday. "We've taken a different approach to HIPS, by focusing more on catching bad behavior by analyzing code before it executes."
The rancorous exchange among Microsoft, Symantec, and McAfee revolves around Microsoft's decision to wall off the kernel in 64-bit Vista. Dubbed "PatchGuard," the technology is designed to stop malicious code such as stealthy rootkits from making changes at the kernel level. Symantec and McAfee, however, went public with objections to PatchGuard, charging that by blocking "kernel hooking" -- intercepting Windows' system calls and modifying the kernel's dispatch table -- Microsoft was making it impossible for them to implement advanced security techniques, notably HIPS.
Sophos, said O'Brien, has been able to implement its version of HIPS without kernel hooking. "The method we use does not require access to the kernel. We call it 'genotyping.'" By O'Brien's definition, genotyping scans the file before it executes, looks at the code inside the file to see if it has "potential malicious intent," then blocks the file from executing if a "preponderance of evidence" suggests the file is malicious.
While Sophos dubs that technique and technology a host-based intrusion prevention system, Symantec and McAfee might disagree. Those companies' current products -- which hook the 32-bit kernel in Windows XP and will do the same on 32-bit Vista, which PatchGuard does not cover -- monitor system calls into the kernel as well as changes to the kernel's dispatch table to decide whether running code is behaving maliciously. To offer the same kind of protection, Symantec and McAfee have argued, they need access to the inner workings of the 64-bit Vista kernel as well.
"We do have a different opinion about what HIPS means," O'Brien acknowledged.
Still, Sophos is convinced that additional security can be provided to 64-bit Vista without accessing the kernel. After stepping up its efforts over the past several weeks, Sophos has been able to genotype an increasingly large number of viruses and other malware. "We've improved on our ability to identify both known and unknown threats," said O'Brien, who characterized the response from customers as "good."
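To make the contrast concrete, here is an added illustration of what a pre-execution check that needs no kernel hook can look like. It is not Sophos's genotyping engine and not code from any vendor named in this article; it only follows the principle O'Brien describes: inspect the file before it runs, gather weighted evidence, and refuse to run it once the evidence passes a threshold. The scanner parses the section table of a Windows PE image and scores writable-and-executable sections, high-entropy code sections (a sign of a packer), non-standard section names, and references to process-injection APIs. The two sample images, the evidence weights and the threshold are all constructed assumptions for the example, and everything runs in user space.

```python
"""Illustrative pre-execution static scoring of a PE file (user-space only).

Added example; not Sophos's genotyping and not any vendor's product code.
Weights, threshold and sample images are assumptions made for the demo.
"""
import math
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000

STANDARD_SECTION_NAMES = {".text", ".data", ".rdata", ".rsrc", ".reloc",
                          ".bss", ".idata", ".edata"}
# APIs commonly paired with code injection (assumed watch-list for the demo).
SUSPICIOUS_IMPORTS = [b"WriteProcessMemory", b"CreateRemoteThread",
                      b"VirtualAllocEx", b"SetWindowsHookEx"]
BLOCK_THRESHOLD = 5  # assumed "preponderance of evidence" cut-off


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted code sits near 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns [(name, characteristics, raw_bytes), ...]."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size                                # 20 = COFF header size
    sections = []
    for i in range(nsections):
        (name, _vsize, _vaddr, raw_size, raw_ptr,
         _, _, _, _, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         chars, image[raw_ptr:raw_ptr + raw_size]))
    return sections


def score_image(image: bytes):
    """Collect weighted evidence without executing anything. Returns (total, reasons)."""
    evidence = []
    for name, chars, data in parse_sections(image):
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            evidence.append((3, f"section {name} is writable and executable"))
        entropy = shannon_entropy(data)
        if chars & IMAGE_SCN_MEM_EXECUTE and entropy > 7.0:
            evidence.append((3, f"executable section {name} has entropy {entropy:.2f} (likely packed)"))
        if name not in STANDARD_SECTION_NAMES:
            evidence.append((1, f"non-standard section name {name!r}"))
    for api in SUSPICIOUS_IMPORTS:
        if api in image:
            evidence.append((2, f"references {api.decode()}"))
    return sum(w for w, _ in evidence), evidence


def should_block(image: bytes) -> bool:
    """Decision the pre-execution hook would return to the loader."""
    return score_image(image)[0] >= BLOCK_THRESHOLD


def build_pe(sections):
    """Build a minimal, non-runnable PE image for testing (constructed input)."""
    pe_off = 0x40
    headers_len = pe_off + 4 + 20 + 40 * len(sections)          # no optional header
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF                    # align raw data to 512
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table, body, ptr = b"", b"", raw_ptr
    for name, chars, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                             len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        ptr += len(data)
    image = dos + coff + table
    return image + b"\0" * (raw_ptr - len(image)) + body


# Constructed samples: a plain program and a packed, injection-capable one.
BENIGN = build_pe([
    (".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ,
     b"\x55\x8b\xec\x5d\xc3" * 100),
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"Hello, world\0"),
])
SUSPECT = build_pe([
    ("UPX1", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE,
     bytes(range(256)) * 4),                                    # entropy 8.0
    (".data", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE,
     b"kernel32.dll\0WriteProcessMemory\0CreateRemoteThread\0"),
])

if __name__ == "__main__":
    for label, image in (("benign", BENIGN), ("suspect", SUSPECT)):
        total, reasons = score_image(image)
        print(f"{label}: score={total} block={should_block(image)}")
        for weight, reason in reasons:
            print(f"  +{weight} {reason}")
```

The point of the example is the trade-off both sides of the dispute are arguing about: everything here is decided from the file's bytes before the loader maps it, so no dispatch-table patching is needed, but the scanner also never sees what the code does once it runs, which is exactly the behaviour a call-hooking HIPS watches for.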