Why Microsoft PatchGuard APIs aren't enough: Symantec VP responds

The issue of PatchGuard is a vitally important one, and we’re as concerned as the rest of the security community about what exactly will be available from Microsoft.

My post yesterday on Symantec VP Rowan Trollope’s comments on PatchGuard garnered interesting responses (I also received an email from the CEO of another security company, who was quite confused).

Trollope responds as follows:

PatchGuard prevents security vendors from patching into the OS.

Microsoft says that if you want to patch the OS, you should only use supported APIs.

We use all APIs available to us, but there are still areas where MS has not provided APIs.

Therefore, with PatchGuard, security technologies which rely on patching the operating system will no longer work.

So the next question is WHAT security relies on patching the OS? The simplest example is a technology we call Tamper Protection.

So what is Tamper Protection, and why is it important? A couple of years ago, hackers realized that the best way to be effective on a system was to first shut down the security software, then go about their business. Symantec created a feature called Tamper Protection to protect our application against attack from these retro-viral threats. Because there were (and are) no available APIs to do this sort of thing, we had to patch the kernel. We have done so, and it is working very well.

However, Tamper Protection is just one example which is easy to explain. We presently have other technologies such as Behavior Blocking and HIPS which rely on patching the OS. The more general problem illustrated by the Tamper Protection example is as follows: Currently when a security company needs to provide security against a certain class of threat, we are able to do so even if Microsoft does not offer an API. With PatchGuard Microsoft is stepping in and changing the rules. Adding insult to injury, they haven’t even provided APIs for all the security that we have today.

Next, can Symantec get around PatchGuard? Of course we can; in fact, we have already published a whitepaper on the subject. Here is the problem: Microsoft has told us that IF we put in code to circumvent PatchGuard, they will release a patch, which will go out through Windows Update, that will cause our workaround to bluescreen the computer.

We of course cannot pursue a path when Microsoft tells us that they will bluescreen our customers’ machines. Hackers, on the other hand, have no such issues. Once they work around PatchGuard (which they already have), they don’t really care if the system becomes unstable or bluescreens or anything else. So in fact PatchGuard works in favor of hackers in this case.

Folks, this is a real issue. Microsoft has created a PR coup by “agreeing” to give APIs to security companies. It’s a red herring.

The security industry needs full access to the kernel. Period.