DailyTech has already reported that Kaspersky and Sophos have taken Microsoft's side when it comes to Vista's Kernel PatchGuard. However, the new security feature has come under fire from Symantec and McAfee, which prompted Microsoft to add a few APIs to give security firms secure access to the kernel. Despite the perceived generosity by Microsoft, Symantec and McAfee still weren't convinced that Microsoft was working in their best interests.
With Symantec and McAfee publicly airing out their grievances with Microsoft, Sophos has successfully navigated Kernel PatchGuard and is putting its full support behind Microsoft. In fact, Richard Jacobs, the CTO for Sophos, didn't mince words when talking about Symantec and McAfee. "Symantec and McAfee may be struggling with HIPS [host intrusion prevention system] because they haven't coded their solutions with 64-bit Vista in mind. We've taken a different approach to HIPS, by focusing more on catching bad behavior by analyzing code before it executes," said Jacobs.
By not directly accessing the kernel, Sophos is able to offer OS protection without butting heads with Kernel PatchGuard. The company instead uses "genotyping" to scan files for "potential malicious intent" before they have a chance to execute. The file is then blocked from running if a "preponderance of evidence" is found indicating that the file is malevolent.
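The article describes the approach only in outline: weigh several weak indicators found in a file before it runs and block only when the accumulated evidence is strong enough. The following is an added illustration of that "preponderance of evidence" idea, not Sophos's code; the indicators, weights, threshold and the two sample byte strings are all constructed for this example.

```python
import math

# Hypothetical scoring parameters, constructed for illustration only.
BLOCK_THRESHOLD = 4
ENTROPY_THRESHOLD = 7.0  # bits per byte; values near 8.0 suggest packing or encryption

# Each indicator: (label, weight, substrings that must ALL be present in the file).
STRING_INDICATORS = [
    ("autorun persistence key", 2, [b"CurrentVersion\\Run"]),
    ("remote code injection API pair", 3, [b"WriteProcessMemory", b"CreateRemoteThread"]),
    ("anti-debugging check", 1, [b"IsDebuggerPresent"]),
]

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def genotype(data: bytes) -> tuple[int, list[str]]:
    """Accumulate weighted evidence; return (score, labels of matched indicators)."""
    score, evidence = 0, []
    if shannon_entropy(data) > ENTROPY_THRESHOLD:
        score += 2
        evidence.append("high-entropy content (possible packing)")
    for label, weight, needles in STRING_INDICATORS:
        if all(needle in data for needle in needles):
            score += weight
            evidence.append(label)
    return score, evidence

def should_block(data: bytes) -> bool:
    """Block before execution only when the combined evidence clears the bar."""
    return genotype(data)[0] >= BLOCK_THRESHOLD

# Constructed samples (not real files): a plain, text-like image and one that
# combines several weak indicators, none of which is decisive on its own.
BENIGN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode." + b"Hello, world!\n" * 20
SUSPICIOUS_SAMPLE = (
    b"MZ" + b"CurrentVersion\\Run\x00WriteProcessMemory\x00CreateRemoteThread\x00"
    + b"IsDebuggerPresent\x00" + bytes(range(256)) * 4
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        score, evidence = genotype(sample)
        print(f"{name}: score={score} block={should_block(sample)} evidence={evidence}")
```

A single indicator (for example, the anti-debugging string alone) never reaches the threshold; only the combination does, which is the property that distinguishes this style of scoring from exact-match signatures.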
While Sophos is confident that it will be ready when Vista hits store shelves, Ron O'Brien, a senior security analyst for Sophos, notes that secure APIs will be beneficial to all as Vista matures as an operating system. "The availability of APIs is going to be important as we go forward [with Vista]. We need to be in on the dialog with Microsoft," said O'Brien. As to the whole Microsoft-Symantec-McAfee spat, O'Brien had this to say, "There are a number of issues unrelated to securing the kernel that are being avoided by having this public debate. I think they see their share of the consumer market at risk."
quote: Crapafee and Stinkmantic can die on the vine for all I care. Their AVs suck anyway.
quote: What's your point? Whether Symantec is good or not isn't the issue here.
quote: The company instead uses "genotyping" to scan files for "potential malicious intent" before they have a chance to execute. The file is then blocked from running if a "preponderance of evidence" is found which would indicate that file is malevolent.