Sophos Takes Microsoft's Side In Vista PatchGuard Spat - InformationWeek


Sophos Takes Microsoft's Side In Vista PatchGuard Spat

While competitors Symantec and McAfee take Microsoft to task for locking down the 64-bit Vista kernel, Sophos criticizes those competitors for shortsightedness.

Unlike rivals Symantec and McAfee, U.K.-based Sophos won't criticize Microsoft for locking down the kernel of the 64-bit version of Windows Vista. Instead, a company researcher on Monday took the competitors to task for their lack of foresight.

"With the amount of time and effort [spent] adjudicating this publicly, they could have made more progress if they had worked with Microsoft," said Ron O'Brien, a Sophos senior security analyst.

The company's chief technology officer, Richard Jacobs, was even more blunt. "Symantec and McAfee may be struggling with HIPS [host intrusion prevention system] because they haven't coded their solutions with 64-bit Vista in mind," said Jacobs in a statement Monday. "We've taken a different approach to HIPS, by focusing more on catching bad behavior by analyzing code before it executes."

The rancorous exchange amongst Microsoft, Symantec, and McAfee revolves around the former's decision to wall off the kernel in 64-bit Vista. Dubbed "PatchGuard," the technology is designed to stop malicious code such as stealthy rootkits from making changes at the kernel level. Symantec and McAfee, however, went public with objections to PatchGuard, charging that by blocking "kernel hooking" -- intercepting Windows' system calls and modifying the kernel dispatch table -- Microsoft was making it impossible for them to implement advanced security techniques, notably HIPS.

Sophos, said O'Brien, has been able to implement its version of HIPS without kernel hooking. "The method we use does not require access to the kernel. We call it 'genotyping.'" By O'Brien's definition, genotyping scans the file before it executes, looks at the code inside the file to see if it has "potential malicious intent," then blocks the file from executing if a "preponderance of evidence" suggests the file is malicious.

While Sophos dubs that technique and technology a host-based intrusion prevention system, Symantec and McAfee might disagree. Those companies' current products -- which access the 32-bit kernel in Windows XP and will in Vista -- monitor system calls to the kernel as well as changes to the kernel's dispatch table to determine if a file may be malicious. To offer the same kind of protection, Symantec and McAfee have argued, they need access to the inner workings of the 64-bit Vista kernel as well.
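To make the dispatch-table side of this dispute concrete, here is an added illustration (not code from the article, Microsoft, Sophos, Symantec or McAfee) of the kind of integrity check a kernel-patch guard runs: a user-mode C simulation over a constructed system-call dispatch table with fictitious kernel image bounds, which flags an entry redirected outside the kernel image and, via a boot-time digest, any change at all.

```c
/* Added example: user-mode simulation of a dispatch-table integrity check.
 * The table, the kernel image bounds and every address are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#define TABLE_SIZE 4
#define KERNEL_BASE 0xFFFFF80000000000ULL   /* fictitious image start */
#define KERNEL_END  0xFFFFF80000800000ULL   /* fictitious image end (exclusive) */
/* Constructed analogue of the kernel's system-call dispatch table. */
static uint64_t dispatch[TABLE_SIZE] = {
    KERNEL_BASE + 0x1000, KERNEL_BASE + 0x2000,
    KERNEL_BASE + 0x3000, KERNEL_BASE + 0x4000,
};
typedef enum { TABLE_OK, TABLE_TAMPERED, TABLE_OUT_OF_IMAGE } verdict_t;

/* FNV-1a over the raw table bytes; taken once at "boot" as the baseline. */
uint64_t table_digest(const uint64_t *t, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    const unsigned char *p = (const unsigned char *)t;
    for (size_t i = 0; i < n * sizeof *t; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* The periodic check a guard runs: every entry must still point inside the
 * kernel image (a hook into a third-party driver fails this), and the table
 * must hash to the boot-time baseline (catches any change, even in-image). */
verdict_t verify_table(const uint64_t *t, size_t n, uint64_t baseline) {
    for (size_t i = 0; i < n; i++)
        if (t[i] < KERNEL_BASE || t[i] >= KERNEL_END) return TABLE_OUT_OF_IMAGE;
    return table_digest(t, n) == baseline ? TABLE_OK : TABLE_TAMPERED;
}

/* Simulate one redirected entry, run the check, then restore the table. */
verdict_t simulate_redirect(size_t idx, uint64_t new_target) {
    uint64_t baseline = table_digest(dispatch, TABLE_SIZE);  /* snapshot first */
    uint64_t saved = dispatch[idx];
    dispatch[idx] = new_target;
    verdict_t v = verify_table(dispatch, TABLE_SIZE, baseline);
    dispatch[idx] = saved;
    return v;
}

int main(void) {
    uint64_t baseline = table_digest(dispatch, TABLE_SIZE);
    printf("untouched table:    %d\n", verify_table(dispatch, TABLE_SIZE, baseline));
    printf("redirect off-image: %d\n", simulate_redirect(1, 0xFFFFF88001230000ULL));
    printf("redirect in-image:  %d\n", simulate_redirect(1, KERNEL_BASE + 0x5000));
    return 0;
}
```

The range check alone would miss a hook that stays inside the kernel image, which is why the digest comparison is the second line of defence.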

"We do have a different opinion about what HIPS means," O'Brien acknowledged.

Still, Sophos is convinced that additional security can be provided to 64-bit Vista without accessing the kernel. After stepping up its efforts over the past several weeks, Sophos has been able to genotype an increasingly large number of viruses and other malware. "We've improved on our ability to identify both known and unknown threats," said O'Brien, who characterized the response from customers as "good."
