Security Vendor Bypasses Microsofts Vista PatchGuard

By Matt Hines  |  Posted 2006-10-24

Authentium contends that it wasn't hard to create a product that defies Vista's kernel protection program, but said it will continue to work with Microsoft to find alternative development techniques.

Security software maker Authentium says that it has created a new version of its flagship product that circumvents the PatchGuard kernel protection technology being added to Microsoft's next-generation Vista operating system.

The company, based in Palm Beach Gardens, Fla., maintains that it has built a version of its Authentium ESP Enterprise Platform that can bypass PatchGuard without setting off the desktop alarms produced by the security feature when the Vista kernel is compromised.

ESP Enterprise, an SDK (software development kit) sold by Authentium to telecommunications carriers and so-called managed services providers, offers virus protection, anti-spyware, data recovery, firewall and transaction security capabilities.

PatchGuard, part of the KPP (Kernel Patch Protection) system being included in the 64-bit version of Vista to help protect the OS against rootkits and other advanced forms of malware, has become the center of a storm of controversy between Microsoft and major security software makers. Some companies, including market leaders Symantec and McAfee, have complained that the feature makes it impossible for some of their cutting-edge technologies to interoperate with Vista.

At its core, PatchGuard is meant to block any application from accessing, or "hooking," Vista's kernel commands, a technique used by vendors in sophisticated anti-tampering and behavior-monitoring tools, and used by hackers in attacking computer systems with rootkits.

Unlike Symantec, McAfee and others who have demanded that Microsoft allow them to access the kernel, and who claim that the Redmond, Wash.-based software giant is blocking them from doing so to advance its own interests in the security software arena, Authentium officials said they have merely circumvented the feature.

Microsoft recently agreed to provide all of its security partners with new APIs, giving them greater ability to interact with PatchGuard, which will ship only with 64-bit versions of Vista when the OS arrives in November. However, Authentium said that while it is waiting to see the level of kernel access those APIs allow, which has become another topic of continued debate between Microsoft and the security industry, it decided to take matters into its own hands.

When a program of any kind attempts to modify the kernel on a system running PatchGuard, which is already available in 64-bit versions of Microsoft's Windows XP OS, the computer produces a blue screen and stops all other Windows applications from running. Authentium said its workaround allows it to access the kernel without incurring the shutdown.

The company specifically said that it is using an element of the kernel meant to help the OS support older hardware to bypass the feature. The loophole allows the company's tools to infiltrate Vista's kernel hooking driver, and get out, without the OS knowing the difference.
