McAfee And Symantec
Thursday 5th October, 2006 12:38 Comments: 3
I read this in Jesper's blog, and it summed up how I feel:
McAfee today joined Symantec in complaining about Microsoft making Windows Vista too secure, making it difficult for them to rootkit the OS to do their security voodoo.
[...]
PatchGuard prevents us (the security vendors) from rootkitting Windows Vista. PatchGuard is a technology introduced with the AMD 64-bit versions of Windows Server 2003 and Windows XP two years ago, and which also exists on Windows Vista. It prevents software running on the system from hooking certain kernel structures and replacing them, including function hooking. [...] For instance, let's say you wanted to prevent a particular file from showing up when a user lists the contents of a directory. You could hook the function that provides the output of the directory listing so that the call gets routed to your function instead. Your function then calls the original, but modifies the output to your liking, in this case to simply remove the file you wanted to hide. [...] The security vendors have been hooking these types of functions on 32-bit operating systems for years to provide some form of intrusion detection service. On 64-bit platforms this no longer works. Of course, not being able to hook kernel functions will make it much harder for malware to do it as well, thus lessening the need for detection of malicious activity. However, that would also lessen the demand for third-party software to detect malicious activity, which is really McAfee's and Symantec's core problem. In a sense, they have built their business on protecting users of Windows from Microsoft, and Microsoft healing the patient cuts into their business doing the same. As Microsoft's Security Chief Ben Fathi said, the security vendors want Microsoft to "keep the patient sick," and by extension, keep customers at risk, so that the security vendors can keep charging for the healing.
The second issue the vendors are complaining about is the Security Center, which first shipped in Windows XP Service Pack 2. In Windows Vista, instead of allowing vendors to disable Security Center, as they do on Windows XP, Microsoft made it extensible and gave vendors API hooks to harvest information from it. However, this means that, fundamentally, Microsoft still controls the security experience in Windows. That is where the rub lies. When users see something related to security in Windows, Symantec (and McAfee) want them to see a Symantec (or McAfee) logo at the same time so they know that it is Symantec (or McAfee) that protects them, not Microsoft. They are not really providing different functionality; they just don't want users to think Microsoft is responsible for their security. Again, the vendors are building a business on protecting Microsoft's customers from Microsoft's screw-ups, and they can't keep doing that if customers keep seeing that Microsoft is actually doing some of the protecting. Not being able to hide the fact that Microsoft is providing protection is a threat against the security vendor's current business model.
It is a sick ecosystem indeed where we have third parties complaining because the first parties are helping their customers be safe.
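The hook-and-filter technique the quoted passage describes, modelled in user-mode C as an added example (this is not code from the original post or from Jesper's blog, and it is not a Windows driver): a stand-in "system service table" of function pointers, a directory-listing service, a hook that calls the original and drops one entry from the result, and a PatchGuard-style integrity check that compares the table against a boot-time snapshot. The table layout, the directory entries and the name `hidden.sys` are constructed for illustration. On a real x64 kernel the check is a periodic checksum over many structures and a mismatch ends in bug check 0x109 (CRITICAL_STRUCTURE_CORRUPTION), not a return value.

```c
/* Added example (not from the original post or Jesper's blog): a user-mode
 * model of hooking a kernel service table and of a PatchGuard-style
 * integrity check. Nothing here touches a real kernel; the table layout,
 * the directory entries and the file name "hidden.sys" are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_NAMES 8

/* A directory-listing service fills `out` with up to `cap` names and
 * returns how many it wrote. */
typedef int (*query_dir_fn)(const char *out[], int cap);

/* Stand-in for the kernel's system service table: one slot per service. */
enum { SVC_QUERY_DIRECTORY = 0, SVC_COUNT = 1 };
static query_dir_fn service_table[SVC_COUNT];

/* Constructed "disk" contents; a real service would walk the file system. */
static const char *const disk_entries[] = {
    "boot.ini", "ntldr", "hidden.sys", "pagefile.sys"
};

static int original_query_dir(const char *out[], int cap)
{
    int n = 0;
    for (size_t i = 0; i < sizeof disk_entries / sizeof *disk_entries; i++) {
        if (n >= cap)
            break;
        out[n++] = disk_entries[i];
    }
    return n;
}

/* The hook the passage describes: remember the original, call through to
 * it, then strip the entry we want hidden before the caller sees it. */
static query_dir_fn saved_original;
static const char *const hidden_name = "hidden.sys";

static int hooked_query_dir(const char *out[], int cap)
{
    int n = saved_original(out, cap);
    int kept = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(out[i], hidden_name) != 0)
            out[kept++] = out[i];
    }
    return kept;
}

/* Installing the hook is a single pointer swap in the table. This is what
 * 32-bit AV products and rootkits both did; on x64 PatchGuard notices it. */
void install_hook(void)
{
    saved_original = service_table[SVC_QUERY_DIRECTORY];
    service_table[SVC_QUERY_DIRECTORY] = hooked_query_dir;
}

/* PatchGuard-style check, simplified: snapshot the table at "boot" and
 * compare later. The real implementation checksums many structures and
 * raises bug check 0x109 on mismatch instead of returning a flag. */
static query_dir_fn boot_snapshot[SVC_COUNT];

void kernel_boot(void)
{
    service_table[SVC_QUERY_DIRECTORY] = original_query_dir;
    saved_original = NULL;
    memcpy(boot_snapshot, service_table, sizeof service_table);
}

/* 1 if every slot still matches the boot-time snapshot, 0 if patched. */
int table_is_intact(void)
{
    return memcmp(boot_snapshot, service_table, sizeof service_table) == 0;
}

/* What a caller sees: the request routed through whatever is in the table. */
int list_directory(const char *out[], int cap)
{
    return service_table[SVC_QUERY_DIRECTORY](out, cap);
}

int main(void)
{
    const char *names[MAX_NAMES];
    kernel_boot();
    int n = list_directory(names, MAX_NAMES);
    printf("clean table: %d entries, intact=%d\n", n, table_is_intact());
    install_hook();
    n = list_directory(names, MAX_NAMES);
    printf("hooked table: %d entries, intact=%d\n", n, table_is_intact());
    for (int i = 0; i < n; i++)
        printf("  %s\n", names[i]);
    return 0;
}
```

The point of the snapshot check is the one the passage makes: the same pointer swap serves an AV product's "intrusion detection" and a rootkit's file hiding, so a kernel that refuses the swap for one necessarily refuses it for the other. The supported alternative on x64 is a file-system minifilter registered through documented interfaces, which leaves the service table untouched.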
Fab - Thursday 5th October, 2006 15:37
Haha welcome to capitalism my good man! Products only serve the needs of the customer as far as it takes to make a profit. If you can get customers to spend even more money on your product in upgrades then so much the better. Utopian aspirations in regard to the internet died in about the year 2000 I reckon.
It's also about laziness. The 32-bit versions still allow the API hooks (although they are frowned upon), and the developers can interact (although not quite as much) with the 64-bit APIs to get information back and forth, but so far they're choosing not to and want to continue to use the old way.
http://www.stepto.com/default/log/displaylog1.aspx?ID=258
Here's a good reason why AV companies should work with Windows instead of trying to do things themselves:
Symantec AntiVirus IOCTL Kernel Privilege Escalation Vulnerability
http://www.securityfocus.com/bid/20360