Bickering in the Anti-Virus Field...
25 Oct 01:18

Sophos thinks that Symantec and McAfee should have been better prepared for Vista.

Sophos is recommending that system administrators ask their security vendors if they are capable of properly protecting them on the forthcoming 64-bit version of Vista, as arguments continue regarding access to Microsoft's operating system code (kernel). Sophos claims that its Anti-Virus will offer full protection against malware threats on Vista, and suggests that some security vendors may not have given sufficient thought to the new operating system when developing their products.

Anti-virus firms Symantec and McAfee have recently made high-profile complaints that they are being "locked out" of the Vista operating system kernel by Microsoft's PatchGuard prevention system. They argue that this is preventing them from continuing to develop pro-active protection against new malware, sometimes referred to as 'host intrusion prevention' or 'HIPS'. They claim this action is anti-competitive.

However, Sophos argues that its approach to HIPS technology has met with no problems on either the low-spec or the high-spec versions of Windows Vista. In addition, Sophos claims that Microsoft has so far provided all the interfaces that Sophos needs for providing this form of protection.

"Symantec and McAfee may be struggling with HIPS because they haven't coded their solutions with high-spec Vista in mind," said Richard Jacobs, CTO of Sophos. "We've taken a different approach, by focusing on catching bad behaviour before it has a chance to occur. Additionally, we are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert them. That's why we're ready for 64-bit Vista, and others aren't."

Sophos believes that PatchGuard is a positive step by Microsoft to improve security in Windows Vista, and is not in itself anti-competitive, provided that Microsoft delivers on its commitment to provide the same level of kernel support and integration to third party security vendors as it does to its own security product team.

"It's clearly the case that we and other vendors will now have some dependency on Microsoft to deliver kernel interfaces for new security innovations, which could slow us all down," continued Jacobs. "However this is more than compensated for by the additional security offered by Vista. PatchGuard is a step in the right direction for customers, and we believe that security vendors should embrace and work with PatchGuard rather than fight it."

We asked Symantec for a comment but they declined. However, we heard from McAfee's Siobhan MacDermott, Vice President, Worldwide Corporate Communications, who wrote:

"It is crucial that readers understand the difference between McAfee and those companies that focus on anti-virus software alone. Single-product vendors, like Sophos, may well not have an issue with Microsoft. However, for a vendor like McAfee, that offers its customers comprehensive security protection, full and unfettered access to the kernel is vital if we are to protect users as they are currently protected with XP.

For years, independent security developers have partnered with Microsoft to ensure that customers have the safest computing environment. However, all that seems to have changed with Vista, because Microsoft is denying computer security companies access to Vista's underlying technology. Microsoft's flawed logic will only result in making computers more vulnerable to viruses and other attacks because we will not be able to get into and monitor the kernel, which allows us to provide security at the operating system level.

To protect customers from the bad guys, you don't lock out the good guys. Internet security is everyone's business, and we hope that Microsoft will return to the collaborative approach that has served customers well in the past."

It is difficult to evaluate the validity of McAfee's argument without deep knowledge of its technology and an understanding of how it might achieve the same ends by different means. It is true that Sophos has a narrower product range than either Symantec or McAfee. However, it is hard to see why the types of products marketed by McAfee and absent from Sophos' portfolio would specifically require kernel hooks or kernel modifications.

We surely haven't heard the last about this...

--Ed

Related links:
- chi-publishing.com/index.php?newsID=1219
- www.sophos.com/pressoffice/news/articles/2006/10/sophos-vista.html
- www.sophos.com/pressoffice/news/articles/2006/10/sophos-innovation.html
