Follow ITProPortal:


Why Microsoft PatchGuard APIs aren't enough: Symantec VP responds

The issue of PatchGuard is a vitally important one, and we’re as concerned as the rest of the security community about what exactly will be available from Microsoft.

My post yesterday on Symantec VP Rowan Trollope’s comments on PatchGuard garnered interesting responses (I also received an email from the CEO of another security company, who was quite confused).

Trollope responds as follows:

PatchGuard prevents security vendors from patching into the OS.

Microsoft says that if you want to patch the OS, you should only use supported APIs.

We use all APIs available to us, but there are still areas where MS has not provided APIs.

Therefore, with PatchGuard, security technologies which rely on patching the operating system will no longer work.

So the next question is WHAT security relies on patching the OS? The simplest example is a technology we call Tamper Protection.

So what is Tamper Protection, and why is it important? A couple of years ago, hackers realized that the best way to be effective on a system was to first shut down the security software, then go about their business. Symantec created a feature called Tamper Protection to protect our application against attack from these retro-viral threats. Because there were (and are) no available APIs to do this sort of thing, we had to patch the kernel. We have done so, and it is working very well.
