Both Sides Make Good

By Matt Hines  |  Posted 2006-10-06

"On the issue of innovation, we're basically saying the same thing, but in the other direction," said Sarah Hicks, vice president of consumer product management at Symantec, based in Cupertino, Calif. "When we talk about PatchGuard, third-party software companies are at a disadvantage when it comes to innovating because it's like a lock box [denying kernel access]. But yet it's already been hacked, and the only way to fix PatchGuard is to patch it, which is the old way to secure software."

Hicks said that, in effect, by taking away Symantec's ability to monitor the kernel for virus behavior, Microsoft is setting the security software industry back and making it easier for hackers to attack the new OS.
Behavior monitoring technologies that watch the kernel to fight virus activity are the cutting edge in product innovation, she said, while relying on security patches, as Microsoft must in order to update PatchGuard, is an outdated approach.

Symantec would like to see Microsoft lower its restrictions on accessing the kernel to allow its technologies and those of other vendors to continue operating as they do today.

"We're not saying open it up to everyone; open it up in a certified way. Tell security vendors that they can build behaviorally-based technologies to help us protect the kernel," said Hicks. "We're all for a better, more hardened OS, that's not the issue. We want them to let us do our job and innovate on the ways that we protect; don't take us back four years and tell us we can't play there because they're the only ones that can write the patches."

Industry analysts find strong points in both companies' arguments, but observe that the problem could be solved easily if Microsoft decides to relax its policies and allow trusted security vendors to circumvent PatchGuard specifically.

As many enterprises already employ host-based IPS (intrusion protection systems) that access the kernel, and Microsoft itself will retain some ability to manipulate the Vista kernel, there is a need for the warring parties to find common ground, said John Pescatore, analyst with Gartner, based in Stamford, Conn.

"Microsoft will still be able to modify the kernel as part of its Windows update process, so they're not really saying it never needs to be modified; they will need to do so and will have a mechanism to do that," Pescatore said. "Locking down the kernel is a badly needed technology that should have been done years ago, but the issue there is still a need to allow good programs to hook into the kernel too."

Pescatore said that by not allowing kernel access right away, Microsoft will likely be forced to offer it in service pack updates to Vista. It will then need to ensure that whatever methods it provides to security companies to do so can't be used as a method of attack by hackers, which would defeat the purpose of the system in the first place. As much as the software giant maintains it will not allow PatchGuard exceptions at any point, Microsoft may need to change its tune to keep enterprise customers happy, he said.

Another issue to consider is Microsoft's leap into the security segment with other standalone products, although the company has not launched products that would compete directly with IPS systems or other behavior-based technologies. Given its monopoly status in the operating system sector, the company must be doubly careful to avoid any appearance that it is using its work in Vista to harm competition in that market, according to Pescatore.

The analyst added that enterprises should have the choice to say they don't want anything modifying the kernel or that they want to allow it, and that PatchGuard could be made into a systems administrator-level choice for enterprise PCs and servers. "If Microsoft didn't sell any security products, everyone would think they did a great thing with PatchGuard, and that there's no bigger story, but since they're selling products and only they can touch the kernel, that's not a level playing field," he said.

"At the end of the day, Microsoft isn't doing anything to give its existing security products an advantage, but they are changing the game for the other players. They are removing some choice, especially where many enterprises will feel they do want to use host-based IPS."
