
Readers of this blog have no doubt heard about the battles between the security community (vocalized through the efforts of Symantec and McAfee) and Microsoft on the issue of PatchGuard.

Believe me: it's a serious issue.

PatchGuard effectively locks down the kernel on 64-bit Windows, ostensibly against hackers, but also against other vendors.  As security vendors, it is absolutely vital that we have access to the kernel.  And considering that the chances are high that hackers will break PatchGuard anyway, security companies need that access even more urgently.

Rowan Trollope, Symantec's VP of Consumer Products and Solutions, has strong words on this issue. Trollope is the guy in charge of all development of products like Norton Antivirus, Norton Internet Security and the like.

If anyone has to deal with this problem, it’s him.

And he doesn’t mince words. I’ve had some email traffic with him, and he was kind enough to allow me to reprint some of his comments:

On PatchGuard:

“PatchGuard hamstrings security providers, and leaves customers exposed to many of today’s scariest threats.  These threats, such as Infostealers, Backdoors and Trojans are built to disable security products.”

So, really, which threats specifically will customers potentially be exposed to under Microsoft's PatchGuard policy?

"Well, I have a list here of 25 recent malware samples just from the last few months.  To name just a few: Infostealer.Wowcraft, Backdoor.Beasty.J and Trojan.Rootserv.  Today, Norton Antivirus and Norton Internet Security protect customers against these types of threats with advanced protection technology.  On Vista 64-bit, PatchGuard disables this advanced technology, leaving customers exposed."

Have you been working with Microsoft on this, and what do you want them to do about it?

"On behalf of our customers, we have made this clear to Microsoft for well over two years.  While it has been made painfully clear that customers will be exposed to these nasty threats by Microsoft's choices, they continue to dig in their heels and refuse to work with the security industry.  We have proposed an alternative: specifically, we do NOT want PatchGuard removed or disabled; we have asked Microsoft to provide security vendors with a secure API which allows PatchGuard to function as designed, but allows us to do our jobs as well.  With this API, customers will be allowed to choose best-of-breed security technology, and continue to enjoy the same level of protection they have come to expect."

But hasn't Microsoft said that with PatchGuard, they are simply asking security companies to use the supported security-related APIs, and not undocumented system hooks?

“There has been a lot of confusion based on what Microsoft has said publicly. 

First, to be clear, Symantec already uses all available security-related APIs provided by Microsoft.

The key word here is “available”; there are no available APIs for these advanced protection technologies we offer today.  

Second, Microsoft has said that this is not anti-competitive behavior since they themselves are also limited to the supported APIs.  This is a convenient position since Microsoft themselves do not offer any of the advanced protection technologies which go above and beyond the available APIs. 

If and when they get around to protecting customers against today’s threats, they alone can add the APIs necessary.”

So what happens when 64-bit Vista comes out?

"Unfortunately for customers, this will be too little, too late.  When Vista 64 gets released, we will not have the APIs we need, and Microsoft expects customers to stand by, unprotected, waiting for "multiple upcoming Windows releases as we understand the exact requirements".

In summary, this issue is simple and the facts speak for themselves; PatchGuard hamstrings security providers, and leaves customers exposed."

Believe me, this thing ain’t over. 

Alex Eckelberry