PatchGuard hurts host-based IPS, vendor says

Alex Eckelberry, president of Clearwater, Fla.-based security vendor Sunbelt Software, has been among those critical of Microsoft over its decision to block security vendors from the Vista kernel with its PatchGuard protection. He recently sat down with SearchSecurity.com to discuss how Sunbelt's products are affected by PatchGuard and where he thinks Microsoft went astray. He also talked about some of the threats he's most concerned about these days, including a Trojan named Gromozon and the rise of fake codec programs.

This Content Component encountered an error

Sunbelt was among the vendors concerned about being blocked from the Windows Vista kernel because of the PatchGuard program. Now that Vista has been released to enterprises, are you satisfied with Microsoft's efforts to address those concerns? It's a mixed bag. For us the issues are specific to host intrusion prevention. To do that effectively, we need full kernel access. There's no way around it. We have to see things that are just...

not available without full access. Without that access, what will become of your host-based intrusion prevention products? We are looking at having a version of our Kerio firewall product with limited host-based intrusion prevention (HIPS) functionality under Vista because we won't have application programming interfaces (APIs) until 2008. Our HIPS functionality helps protect against buffer overflow attacks by watching for system functions being called from memory locations where they shouldn't be called. Our Kerio server firewall uses HIPS to provide application lockdowns. But in certain cases, because of PatchGuard, we won't be able to fully support Vista. The bad guys are going to get into the kernel, and we won't be able to help Microsoft stop them. So your concern is strictly with your host intrusion prevention offerings and not the entire product line? For rest of the product line, we're fine.

The security companies are Microsoft's front line of defense, yet we don't have those keys. The faster Microsoft gives us the APIs, the better.
Alex Eckelberry,
presidentSunbelt Software
What does this impasse do to Sunbelt's long-term relationship with Microsoft?
You know, I think that what Microsoft did with PatchGuard was understandable. But they engineered this from a flawed premise, which is that there's a perfect security model for the kernel. They're right that a lot of bad stuff happens at the kernel level. But we could look at it using a real-world analogy: What if you had security guards who didn't have keys to get inside your building? The security companies are Microsoft's front line of defense, yet we don't have those keys. The faster Microsoft gives us the APIs, the better. Sunbelt is a gold-certified Microsoft partner and we have a great relationship. It's just in this one case where we disagree. Are there any negotiations under way to speed things up?
No. Microsoft has made the decision. There's likely no possibility of getting API access before 2008. Symantec and McAfee were particularly critical of Microsoft over PatchGuard, and they were called crybabies by some in the media…
I think the stand they took was absolutely warranted, and I don't think it hurt the overall cause. There is often a general knee-jerk reaction when Symantec and McAfee complain about something Microsoft does, because people will inevitably think they're just whining. However, what Microsoft has been doing with PatchGuard absolutely made their reaction justified. Symantec has a whole team that deals with Microsoft. You can bet their discussions broke down and went from a very diplomatic issue to turning into a press spat.
PatchGuard:
Security Blog Log: The never-ending PatchGuard debate

Column: Microsoft Kernel Patch Protection should be lauded

Microsoft caves to pressure over Vista security

Microsoft: We're not out to crush security vendors
Moving beyond the PatchGuard debate, what are some of the big threats you've been keeping an eye on lately?
Over the last year, we've observed that the classic adware installations have actually decreased in breadth and we're not seeing an increase in the level of machines hit with malware. But we are now seeing nastier types of malware with criminal elements. The most horrific I've seen in my existence is Gromozon. This thing just drips blood. We have only seen it in Italy and fortunately we recently saw it go off the radar, but it does some of the most vicious things you've ever seen.

Gromozon does almost every crafty trick available to avoid detection and removal, including creating its own user account, using rootkit technology, renaming its files, and a whole host of other nasty things. It's your worst nightmare of malware. One concern is that this type of malware could be tweaked and rolled out in other parts of the world. The broader point is that we're seeing programs like this more often.

Sunbelt Software news:
Security Blog Log: Clues point to bot 'sleeper cells'

Security Blog Log: Microsoft and the peril of predatory pricing

Sunbelt shines light on vulnerability assessment

Security vendor warns of massive ID theft ring
You've also blogged a lot about the rise of fake codec programs. Talk about that a bit.
We found them at first over a year ago and now they are more prevalent. It started with porn watchers, but now we believe it might be moving toward regular videos. These codecs claim to be required to improve the user experience. Instead, they install rootkits or other malware. When you try to play the video, you'll get a message that you need to install this "codec." In the past they were primarily for porn, but recently we saw them advertised on a site called moviecodec(dot)net, which looked like it was advertising the ability to watch movies. However, I find it highly unlikely that these codecs will ever be used for YouTube videos and the like. The codecs try to use the extended capabilities of Windows Media Player to insist that you install the malware file. These types of extensions are not available when you upload a file to YouTube. What should IT security pros be doing about these threats?
The security community is actually doing something about it. I've seen just a tremendous growth in the amount of sharing of information occurring with new vetted security research mailing lists and the like. The antivirus community typically was in its own world, with its conferences, and the antispyware community was too fragmented because it was so new. However, we're really seeing people work together.

In terms of technology, I think there is an evolution that needs to occur. There's no reason why antispyware and antivirus can't be blended into [new] hybrid programs. This is something we're doing ourselves with our new CounterSpy 2.0 release. Ultimately, I think everyone will agree that the problem is no longer just "get rid of the virus" or "get rid of spyware." It's "get rid of the crap on my machine and keep it out for good." We've seen this certainly get better, as antivirus companies improve their detection of spyware. But there's always room for improvement.

Dig deeper on Emerging Information Security Threats

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close