Security and Windows Vista: A forum for discussion on security issues with Windows Vista. (microsoft.public.windows.vista.security)
|
|
|
Question... What with all the recent furore over PatchGuard in Vista x64 and Symantec & McAfee's inability to do what Kaspersky and Sophos do, I found myself wondering something... WHY is there no PatchGuard in the 32bit version? I saw a vague mention about backwards compatibility, but pfft to that I say. Properly written software doesn't need kernel access, and quite frankly, I'd like my 32bit system to be a bit better protected thank you very much! Symantec and McAfee can sod off until they learn to program properly. So, MS, please... Why is there no PatchGuard in the 32 bit version, and can we have it please? Even if it's something we have to switch on...
|
|
Here is a question for you then. If a file is being opened, not executed, how can you tell if it contains a virus? If a program is trying to load a DLL in your address space how can you monitor its actions? How many things that OneCare does require internal information about the OS? How can you do something like RootkitRevealer (now owned by Microsoft) without data not provided to normal users? True, reverse engineering can help but reverse engineering is prohibited in most EULAs and we in the US do not have a legal shield as some in other countries. Being able to see if the registry and file system are being 'hidden' by another driver is mandatory to provide rootkit protection.

There are other 'features' that some antivirus and firewall products need or want to provide to their users that require interfaces not available. If a DLL or a program is sending or receiving information over the internet how can it know what information is being transferred and what will happen next? Also don't forget the products must work on XP, 2003, Vista, and frequently 2000 as well even though the supplied interfaces have changed. How can you see if a packet coming in is destined for a program that has a vulnerability to it?

PatchGuard is a good idea. It would be much better if Microsoft was not trying to 'Netscape' other security vendors. Why does Microsoft no longer have any antivirus tests in DTM? IO stress has also been dropped for antivirus products. Maybe it was because of antitrust issues, but it also means that some of the smaller players may have quality issues.

"Lorne Smith" wrote in message ...
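The rootkit check the post above refers to, seeing whether the file system is being 'hidden' by another driver, is a cross-view comparison: enumerate a directory through the normal API, enumerate it again from the raw on-disk structures, and flag whatever only the raw view shows. The following is an added illustration of that comparison, not code from the thread or from RootkitRevealer. The directory listings are constructed sample data; on a real system the raw view would come from parsing the volume directly and the API views from the ordinary directory-enumeration call. The one refinement worth knowing is that a single API snapshot produces false positives from files created or deleted while the scan runs, so two API snapshots bracket the raw read and an entry is only reported if it is missing from both.

```c
#include <stdio.h>
#include <string.h>

/* One enumeration of a directory: a fixed-size list of entry names.
   In a real scanner the "raw" view is built by parsing the on-disk
   structures of the volume and the "api" views come from the normal
   directory-enumeration API; here every view is constructed sample data. */
#define MAX_ENTRIES 32
typedef struct {
    const char *name[MAX_ENTRIES];
    int count;
} view_t;

static int view_contains(const view_t *v, const char *s)
{
    for (int i = 0; i < v->count; i++)
        if (strcmp(v->name[i], s) == 0)
            return 1;
    return 0;
}

/* Report entries that the raw view has but the API view does not.
   Two API snapshots are required, one taken before and one after the raw
   read: an entry missing from only one of them was simply created or
   deleted while the scan ran and is not evidence of hiding.
   Returns the number of hidden entries written to out[]. */
int find_hidden(const view_t *raw, const view_t *api_before,
                const view_t *api_after, const char **out, int out_max)
{
    int n = 0;
    for (int i = 0; i < raw->count && n < out_max; i++) {
        const char *e = raw->name[i];
        if (!view_contains(api_before, e) && !view_contains(api_after, e))
            out[n++] = e;
    }
    return n;
}

/* Constructed sample: "hidden.sys" exists on disk but never shows up through
   the API; "tmp.dat" only appears in the second API snapshot because it was
   created mid-scan, so it must not be flagged. */
static const view_t sample_raw = {
    { "ntoskrnl.exe", "hal.dll", "hidden.sys", "tmp.dat" }, 4 };
static const view_t sample_api_before = {
    { "ntoskrnl.exe", "hal.dll" }, 2 };
static const view_t sample_api_after = {
    { "ntoskrnl.exe", "hal.dll", "tmp.dat" }, 3 };

int main(void)
{
    const char *hidden[MAX_ENTRIES];
    int n = find_hidden(&sample_raw, &sample_api_before, &sample_api_after,
                        hidden, MAX_ENTRIES);
    for (int i = 0; i < n; i++)
        printf("present on disk, hidden from the API view: %s\n", hidden[i]);
    return 0;
}
```

A file that is both created and deleted between the two API snapshots still shows up as a false positive, which is why real scanners rescan flagged entries rather than reporting on one pass. The comparison itself needs no kernel hooks; what needs privileged access is producing the raw view, which is the part of the argument the post is making.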
|
|
I fail to see how those actions have any bearing on PatchGuard's job of protecting the kernel. MS have provided the interfaces needed for the AV people to do their jobs. Kaspersky, Sophos, AVG, NOD32, Avast.. They all manage to provide AV and protection to the OS, and some of them even have HIPS functioning. All with pre-existing interfaces which don't try to mess with the kernel. I can see no sensible reason why PatchGuard exists in the 64bit edition, but not in the 32bit edition. This is why I'm asking the question as to why.

At some point, backwards compatibility needs to be either dropped, or seriously reduced. At least for software that tries to mess with the OS. Keeping it in just holds progress back. Of course, if MS do that, people will bleat and complain like schoolkids, but it's MS's software, they should be able to do what they want with it. They never guaranteed to all these software vendors that their software would work in future versions, so they shouldn't have to worry if they don't.

"David J. Craig" wrote in message ...
|
|
The other problem is that PatchGuard cannot protect the kernel from other kernel components. It just can't be done. All it will do is stop the security software companies that can't get their drivers signed if they do it. The mistake was not using ring 1 for drivers when NT was developed. Of course, we now have VM support in hardware and the OS becomes a ring 1 program running under it. It will become viral code that will attack the OS by becoming a hypervisor. Then nothing the OS or security companies do will protect your system. You can't stop the system from enabling a hypervisor if you can't patch the OS and even then it will be just like a lot of viral detection today in that it will be reactive instead of proactive. Signatures will be the only solution and even then they are sometimes defeated, not updated, or don't know about a zero day attack.

The old days of protecting against boot record viral code were much simpler. It has gotten worse and it will continue to worsen because many of the current attacks are motivated by money and not just bragging rights. More and more people are doing financial transactions over the internet than in the days of DOS and Windows 3.x.

I have heard that Kaspersky does or has done a lot of hooking, but I may be wrong. I have never used any of those you listed, so I can't say for sure. You didn't answer my question about how much undocumented access does OneCare use. It also rates rather low on most of the reviews I have seen.

"Lorne Smith" wrote in message ...
|
|
According to MS, OneCare uses the same interfaces they've made available to all the third party security providers. As to its capability, yes there are better products out there... McAfee and Symantec though, are most definitely NOT two of them! As to your other points, I don't have as deep an understanding of the internals of kernel level access, and with MS's statement that any successful attacks on PatchGuard will result in them releasing updates to it, that does make things reactive rather than proactive, but the fact still remains that other security providers are NOT being prevented from doing their jobs. This is all down to McAfee and Symantec having written their products in such a way as to make rewriting them to follow the rules, laid down YEARS ago, financially inconvenient. Well, tough luck! PatchGuard isn't the be all and end all of security, but it IS a large step in the direction of a far safer OS. I just want to know why they've seen fit to protect the 64bit systems, yet leave the 32bit systems less protected. The same level of protection should be available to both.

"David J. Craig" wrote in message ...
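The two posts above disagree about what PatchGuard can and cannot do, and the mechanism is easy to show in miniature. PatchGuard (Kernel Patch Protection) takes a baseline of structures such as the system service dispatch table, the IDT and GDT and kernel code, re-checks them from timers at unpredictable intervals, and bugchecks the machine (CRITICAL_STRUCTURE_CORRUPTION) if anything changed. The pre-PatchGuard way for a security product to see every call was to overwrite an entry in that table with its own wrapper. The following is an added user-mode simulation written for this page, not code from the thread, from Microsoft or from any vendor: the "service table" is an array of function pointers standing in for the SSDT, the "driver" installs a pass-through hook, and the monitor hashes the table at start-up and compares on demand. The names `svc_open`, `hook_install`, `monitor_check` and the rest are invented for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A stand-in for a kernel dispatch table such as the SSDT: an array of
   function pointers that the kernel indexes to reach a service routine. */
typedef long (*service_fn)(long arg);

static long svc_open(long arg)  { return arg + 1; }
static long svc_read(long arg)  { return arg * 2; }
static long svc_close(long arg) { (void)arg; return 0; }

enum { SVC_OPEN, SVC_READ, SVC_CLOSE, SVC_COUNT };
static service_fn service_table[SVC_COUNT] = { svc_open, svc_read, svc_close };

/* The "kernel" reaches a service through the table. */
long dispatch(int idx, long arg) { return service_table[idx](arg); }

/* --- A third-party component that hooks the table the way pre-PatchGuard
   security products did: save the original pointer, install a wrapper that
   inspects the call and then passes it through unchanged. --- */
static service_fn saved_open;
static long hook_calls_seen;

static long hooked_open(long arg)
{
    hook_calls_seen++;              /* "inspect" the call, then pass through */
    return saved_open(arg);
}

int hook_install(void)
{
    if (saved_open) return 0;       /* already installed */
    saved_open = service_table[SVC_OPEN];
    service_table[SVC_OPEN] = hooked_open;
    return 1;
}

int hook_remove(void)
{
    if (!saved_open) return 0;
    service_table[SVC_OPEN] = saved_open;
    saved_open = NULL;
    return 1;
}

long hook_calls(void) { return hook_calls_seen; }

/* --- Integrity monitor in the spirit of PatchGuard: hash the protected
   structure at start-up and compare later. FNV-1a over the raw bytes of the
   pointer array is enough for the demonstration. --- */
static uint64_t fnv1a(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

static uint64_t baseline;

void monitor_init(void) { baseline = fnv1a(service_table, sizeof service_table); }

/* 1 if the table differs from the baseline (the real thing bugchecks here
   instead of returning), 0 if intact. */
int monitor_check(void)
{
    return fnv1a(service_table, sizeof service_table) != baseline;
}

int main(void)
{
    monitor_init();
    printf("before hook:  tampered=%d\n", monitor_check());
    hook_install();
    long r = dispatch(SVC_OPEN, 1);
    printf("after hook:   tampered=%d open(1)=%ld hook saw %ld call(s)\n",
           monitor_check(), r, hook_calls());
    hook_remove();
    printf("after unhook: tampered=%d\n", monitor_check());
    return 0;
}
```

Two things the simulation makes concrete. The hook is a well-behaved pass-through, yet the monitor flags it exactly as it would flag a rootkit's hook, because an integrity check sees only that the table changed, not why; that is the sense in which PatchGuard hits legitimate products and malware alike. And the monitor lives in the same address space as the component it is watching, so a component running at the same privilege can overwrite `baseline` or patch `monitor_check` itself as easily as it patched the table; the real PatchGuard makes that harder with obfuscated, randomly scheduled checks, but it cannot make it impossible, which is the limit the first of the two posts describes.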
|
|
I would like to know your source for the information about McAfee and Symantec. I believe that the 32/64 bit problem is that so many programs for the 32 bit platform do use hooking techniques, including some from Microsoft, that it is not possible for them to implement PatchGuard without having their large accounts get upset. Also don't forget that there is a large amount of software out there that you never see. It may be written for internal use at a company or has a very narrow target audience but may be critical to a large company.

"Lorne Smith" wrote in message ...
|
|
PatchGuard protects the OS from being infected. Since 64-bit is not widely adopted as of now, it is easy to adopt this technology in them rather than on 95% of systems which are 32-bit machines. Many security applications will simply cease to work had this technology been adopted for 32-bit systems. Repercussions of that will simply be too tough for Microsoft to handle.

--
Vipin Aravind
http://blogs.explorewindows.com

"Lorne Smith" wrote in message ...