backtop


Print 21 comment(s) - last by crystal clear.. on Oct 25 at 6:17 AM

If Sophos and Kaspersky can do it, why can't Symantec and McAfee?

DailyTech has already reported that Kaspersky and Sophos have taken Microsoft's side when it comes to Vista's Kernel PatchGuard. However, the new security feature has come under fire from Symantec and McAfee which prompted Microsoft to add a few APIs to give security firms secure access to the kernel. Despite the perceived generosity by Microsoft, Symantec and McAfee still weren't convinced that Microsoft was working in their best interests.

With Symantec and McAfee publicly airing out their grievances with Microsoft, Sophos has successfully navigated Kernel PatchGuard and is putting its full support behind Microsoft. In fact, Richard Jacobs, the CTO for Sophos, didn't mince words when talking about Symantec and McAfee. "Symantec and McAfee may be struggling with HIPS [host intrusion prevention system] because they haven't coded their solutions with 64-bit Vista in mind. We've taken a different approach to HIPS, by focusing more on catching bad behavior by analyzing code before it executes," said Jacobs.

By not directly accessing the kernel, Sophos is able to offer OS protection without butting heads with Kernel PatchGuard. The company instead uses "genotyping" to scan files for "potential malicious intent" before they have a chance to execute. The file is then blocked from running if a "preponderance of evidence" is found which would indicate that file is malevolent.

While Sophos is confident that it will be ready when Vista hits store shelves, Ron O'Brien, a senior security analyst for Sophos, notes that secure APIs will be beneficial to all as Vista matures as an operating system. "The availability of APIs is going to be important as we go forward [with Vista]. We need to be in on the dialog with Microsoft," said O'Brien. As to the whole Microsoft-Symantec-McAfee spat, O'Brien had this to say, "There are a number of issues unrelated to securing the kernel that are being avoided by having this public debate. I think they see their share of the consumer market at risk."



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Good for Sophos
By saratoga on 10/24/2006 9:54:40 AM , Rating: 3
The last thing I really want is my AV screwing around with kernal space. That opens up all sorts of issues, and ultimately I think users will be better off if the kernel is as closed off to 3rd party code as physically possible.




RE: Good for Sophos
By rushfan2006 on 10/24/2006 10:24:50 AM , Rating: 2
Isn't this a non-issue at this point, since MS already caved in and will grant access of the kernel?

I oculd have sworn I read that story just last week in fact.

If it's all true then what Sophos likes or doesn't likes...or any vendor for that matter is kind of moot now in my view...so why bother arguing over it?


RE: Good for Sophos
By Master Kenobi (blog) on 10/24/2006 11:03:39 AM , Rating: 3
Microsoft is handing out API's with known doors through the kernel, still can't hook into it however, PatchGuard will eat you if you try it. It's more of Microsoft saying that here are the 5 doors in, and we know where they go, and they don't allow certain things in, so don't try it. OH and hooking the kernel like before? Forget it, PatchGuard will shut you down.

So no, Microsoft did not cave, and did not grant access to the kernel, not the way McAfee/Symantec want.


RE: Good for Sophos
By OrSin on 10/24/2006 11:31:25 AM , Rating: 2
It funning all the yelling McAfee/Symantec has done has actually made more people aware that MS is trying to make a secure product. I think thier little hissy fits has back fired big time. It funny seeing people actually defend MS on these boards. I'm nto hug fan of MS but at people can see that they are trying this time around. One tihing is true MS needs others to get better. If no Foxfire then no IE7, if no Linux/Vista would suck alot more :)


RE: Good for Sophos
By FITCamaro on 10/24/2006 11:06:05 AM , Rating: 2
Unfortunately yes. However hopefully the APIs will be restricted to a few read only calls. It still gives avenues to use to get in but I'm guessing Mcafee and Symantec are asking for full read and write permission and that would really suck.

Who knows, if enough of the little guys jump on board supporting Microsoft on this issue, maybe Microsoft will give the finger to the big boys and say tough sh*t. I love it how the EU and those companies claim Microsoft is harming competition in the marketplace for not giving everyone access to everything.

I'm not a Linux or Unix guy so I don't know but is there kernel access to programs in Linux or Unix? If not, why should Microsoft have to provide it? The main problem with Windows in the past has been that you pretty much were forced to run as an admin user all the time which gave access to everything. They're changing that for Vista. Symantec and Mcafee should be happy. Instead they only care about selling their product because if Windows, think of the horror, were somehow more secure, their product won't sell as much.


RE: Good for Sophos
By hubajube on 10/24/2006 11:21:11 AM , Rating: 5
I applaud MS for actually attempting to make their OS secure. Crapafee and Stinkmantic can die on the vine for all I care. Their AV's suck anyways.


RE: Good for Sophos
By Vertigo101 on 10/24/06, Rating: 0
RE: Good for Sophos
By stromgald on 10/24/2006 12:10:59 PM , Rating: 2
What's your point? Whether Symantec is good or not isn't the issue here. The problem is that Symantec is complaining that Microsoft is securing their operating system more and making it difficult for them to sell their product (because it isn't as necessary any more). Symantec and McAfee are trying to get Microsoft to open up their software to more viruses and malware so that their product will be more effective. That's the stupidity of it all.


RE: Good for Sophos
By Vertigo101 on 10/24/2006 1:55:45 PM , Rating: 2
I agree that Symantec's complaints against Vista are ridiculous, but there seems to be a lot of baseless hate for Symantec products in general that is seeping through and muddling the topic.

quote:
Crapafee and Stinkmantic can die on the vine for all I care. Their AV's suck anyways.


This is a perfect example of why I mentioned the corporate products.
quote:
What's your point? Whether Symantec is good or not isn't the issue here.

It seems that a few posters are making that the issue.


RE: Good for Sophos
By Samus on 10/24/2006 9:59:12 PM , Rating: 2
They aren't granting access to the kernel, but a shadow copy of the kernels' memory space through an API. In reality it doesn't help anyone, but it's a non-issue, as you said, because accessing the kernel doesn't help anyone if a) the kernel is already secure ala PatchGuard and b) a workaround to detect and stop rogue code from executing is used without calling the kernel. Both Sophos and Kaspersky have taken different, 100% effective approaches to do this.

Hopefully they both patented their approaches so McAfee and Symantec have to license them, because I doubt either company has the engineers to come up with anything 'original' being how commercial and corporate they are in nature.


RE: Good for Sophos
By tbrand68 on 10/24/2006 12:01:11 PM , Rating: 2
Just curious, do the linux antivirus software have access to the linux kernal?


RE: Good for Sophos
By Etern205 on 10/24/2006 12:45:42 PM , Rating: 2
Not sure.
But I'm glad that MS got backed up by
Sophos. This proves that you really
don't need to access the kernal to
write a good product.

Screw Symantec and McAfee, they're a
disgrace to the whole AV industry.


RE: Good for Sophos
By mridion on 10/24/2006 7:55:47 PM , Rating: 2
Linux programs can load modules into the kernel if the kernel is compiled with module support. If the kernel is compiled without module support then it will not allow code to be injected (unless via some kernel exploit).

In most instances and probably for all distributions prepackaged kernels module support is enabled


This isn't socialism
By stromgald on 10/24/2006 11:30:47 AM , Rating: 3
"Symantec and McAfee still weren't convinced that Microsoft was working in their best interests"

Why does Symantec or McAfee think Microsoft is obligated to work in their best interests? Microsoft should be concerned just with their own best interests, and that generally means providing a good, secure product to their customers so they can make money.

It's called a capitalist economy and everyone is supposed to only look out for themselves. Sometimes problems in the system do crop up called negative externalities (i.e. pollution, collusion, etc.), but the government is there to take care of that when it arises.

I doubt Symantec and McAfee's business plan getting wiped out by newer, better technology constitues a negative externality. That's the main reason why the government isn't stepping in and why the two companies aren't pleading their case to the government. McAfee and Symantec just need to suck it up and revise their business strategy.




RE: This isn't socialism
By bobdeer1965 on 10/24/2006 2:22:24 PM , Rating: 2
I am a small business owner who owns a oneperson mobile computer repair company. I absolutely Love Norton & McAfee. I get a lot of my work from crashed computers with these two programs on them. And I personally have had to fix at least ten systems that crashed when people upgraded from Norton 2005 to 2006. Why would Norton do this to their own product??? I have never had to repair a virused up computer that has had AVG antivirus on it. Figure that one out. Figure out what I use at home on my own systems. Also what do you think my opinion is of Norton & McAfee? They have grown too big & bloated.


duh
By msva124 on 10/24/2006 5:51:20 PM , Rating: 2
quote:
The company instead uses "genotyping" to scan files for "potential malicious intent" before they have a chance to execute. The file is then blocked from running if a "preponderance of evidence" is found which would indicate that file is malevolent.


Yeah, cause I'm sure virus writers won't test their work on a computer with AV software or anything.




RE: duh
By Christopher1 on 10/25/2006 1:17:20 AM , Rating: 2
Actually, from what I have heard, most of them don't. They just release the virus for testing by 'idiots' as I call them, and then see what the 411 is.

If it's good, they release it into the wild. If it's bad, they don't.


Good reference material
By crystal clear on 10/25/2006 6:17:48 AM , Rating: 2
Pot calling kettle black?
By azmodean on 10/24/06, Rating: -1
RE: Pot calling kettle black?
By masteraleph on 10/24/2006 10:14:22 AM , Rating: 5
Only in this case they are. Period. Nothing should have access to the kernel, and I don't have any particular sympathy for Symantec or Mcaffee. The fact that Sophos and Kapersky have no problems with this tells me that there is clearly a way to be an effective antivirus scanner without kernel access, and that Symantec or Mcaffee aren't willing/able to pull this off. Tell me again why I should have sympathy for a company asking to do something that will potentially compromise system stability when there are alternative methods available?


RE: Pot calling kettle black?
By Laitainion on 10/24/2006 10:22:10 AM , Rating: 3
I don't understand your logic, this is how arguments work. Mcafee and Norton say PatchGuard is bad for these reasons, Sophos have proved that those reasons are bogus, backed up with a working example.
More to the point, Mcafee and Norton's complaint is they can't hook into the kernel, which Microsoft has been trying to stop people from doing a long time. This is because the kernel hooks aren't documented or supported, and interfere with the operation within the kernel.
Look at the arguments, even without Sophos offering 'proof' (granted we haven't seen the solution), I still believed that their claims to *need* access to the kernel only proved their incompetence at best.


"We are going to continue to work with them to make sure they understand the reality of the Internet.  A lot of these people don't have Ph.Ds, and they don't have a degree in computer science." -- RIM co-CEO Michael Lazaridis














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki