64-bit systems and anti-malware software

Discussion in 'other anti-malware software' started by ssj100, Aug 6, 2009.

  1. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    I am sorry but I must strongly disagree with this insinuation.

    IMO Tzuk, Ilya and PrevxHelp have all gone to great lengths to make very complicated concepts accessible to the average user, and the comments by these talented individuals are the backbone of this thread.

    Please let's give credit where credit is due.

    My regards.
     
  2. wat0114

    wat0114 Guest

    Oh my goodness, am I the only one who doesn't understand the technical concepts put forth in this thread by the three gentlemen :eek: :D
     
  3. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    jar⋅gon –noun
    1. unintelligible or meaningless talk or writing; gibberish.
    2. language that is characterized by uncommon or pretentious vocabulary and convoluted syntax and is often vague in meaning.

    I apologise if I misinterpreted your position.
     
  4. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    Nicely put.
    The veil has been lifted.
    Those with the darkside versus the Force. ha ha
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    No problem. I do rely quite heavily on Sandboxie, simply because it works, and several people I do trust can use my machines without anyone worrying.

    I have no incentive to go x64, since a lot of my software doesn't yet run on it, at least not in an advantageous way.
     
  6. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    Ultimately this thread's purpose was to serve as an entertaining distraction.
    Microsoft only listens to Corporate; even DirectX was a ploy to lock in Corporate.

    When Corporate agrees with Tzuk's and Ilya's position, then Microsoft will effect some change, possibly in the form of a service pack with some new APIs, otherwise, this discussion is pretty much moot.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,219
    Location:
    USA
    Well, it has also been educational. I've been considering switching to x64 for a while, and have been wanting to learn more about Patchguard, how security software is implemented, etc. Becoming more aware of the issues has made me more cautious and I feel that's a good thing.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @Windchild,

    You are missing TZUK's point.

    Microsoft's history on streamlining program-to-program communication and limiting the points of entry for possible malware comes from undocumented 'features' in final OS releases. That is why we needed third party security software in the first place.

    So now they are improving their opinion on this. An improvement is PatchGuard, but even within the UAC policy model, objects and processes of the same rights category are allowed to perform dll injections.

    See Mark Russinovich's presentation on http://eusecwest.com/esw07archive.html for an explanation.

    Now this is, to say the least, a bit of a hypocritical attitude: they could have streamlined other, more urgent matters first ('official' openings in the OS security model which affect system reliability more).

    for ease of understanding (a real world's example):

    A museum director has to allow everybody in, due to its function in society. Because of the shelter the museum buildings provide, they attract alcoholics and drug abusers who sleep in the interconnecting sheltered pathways, making them smell awful.

    So now the museum director hires a security agency and installs toilet ladies to clean the official toilets. Only the museum closes at 21.00 and the premises at 22.00 hours. At 21.15 the security guards leave the premises and the toilet ladies leave the buildings at 21.00 (after locking the toilets).

    After a six month evaluation period, they report happily that the official toilets are cleaner, but the interconnecting building pathways smell worse (logically, when you know that the alcoholics/drug abusers do not spend money on official toilets, but ~Snip~ at the more quiet parts of the premises, and by nature have learned to evade security guards).

    So now they are hiring an extra cleaning service which operates during the day.

    Consider PatchGuard the toilet ladies, the security service as being UAC, the ~Snip~ still roaming freely are the allowed side by side intrusions of objects with the same rights (the point TZUK is making), and the extra cleaning service is the free AV which Microsoft is releasing.

    The point I am trying to make
    When you keep stepping back, the discussion changes from a concrete, very interesting experts' opinion thread to a discussion on a philosophical level. When you take too much of a helicopter approach, what you say is true, but is not relevant anymore. For the sake of clarity, I do not argue your right to post, just trying to get you out of your helicopter, back on the ground.

    I agree with you that PatchGuard is a step forward and I basically agree that restricting third party access to the kernel will improve OS stability.

    But I also agree with Ilya and TZUK that the roll out scheme could have provided a clearer and more structured API to ensure system security OR have the guts to limit side by side intrusions also within UAC (but this would have too big an impact on commercial software using formerly undocumented features of previous Windows OSes).

    The guys from PrevX seem to have found a pragmatic approach: their security product uses different (more) security mechanisms, so they can say (without weakening their security promise): we have ways to deal with it.

    Emotions aspect in the discussion
    Well, considering the measures taken and the actions planned (free AV to be released), I do not believe that Microsoft is only driven by ethical and more profound reasons to improve the security and quality of the digital world. After an unsuccessful attack on the security industry, some other arguments must play a role also in the release calendar.

    Back to our real life example:
    It turned out that the same city councillor was responsible for reducing drug abuse (alcohol, any) and for the museum. Keeping them (alcoholics, drug abusers) nicely centred at night in the museum helped the impression that his anti-drug policy was successful, therefore he willingly took a half-witted approach to the museum's problem (which was frequented by tourists from outside the city, with no right to vote for a city councillor :)

    Yep, agree with Wildest: third party security suppliers directed at the home market (the museum visitors from outside Microsoft city) will not be heard by this councillor (Microsoft) until its (corporate) citizens start to complain about it.
    Cheers

    Kees
     
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well now, another long and tedious post from me, coming up. We've been warned. But this is the last long one, I promise, before I leave you guys to discuss only expert opinions. ;)

    Thanks for trying to explain it to me. :) However, I don't think I'm missing his point. We just appear to have a completely different point of view on the subject. Which is only normal in any discussion.

    Microsoft history on limiting the points of entry for possible malware comes from undocumented 'features' in final OS-releases? Either I don't understand that statement, or I don't agree with it, but I'm not sure which it is. Perhaps a little bit of both.

    Microsoft's history on limiting what malware can do traces back to about 1989 at the least, when they started planning Windows NT. The limits and the 'features' aren't all undocumented: on the contrary, the security model of NT is documented well, complete with the rights and privileges of limited users and the all-conquering power of admins. The idea being least privilege. To limit the damage malicious users or programs can do, run them in a limited user context - don't give them all-powerful admin privileges. MS made a mistake, from the security perspective, with the default configuration, trying to make things as easy to use as possible by making everyone admin. That probably helped buy them the market share, but at the cost of lots of deep malware infections. But understanding things like this is pretty useful if you're interested in knowing why MS does something - they're a business.

    As for points of entry? What's undocumented about them, except the vulnerabilities, which are obviously undocumented in any software until they have been discovered?

    Some people have been able to run Windows NT systems safely without AVs and anti-malwares etc for over 15 years, using just the very well documented features of the operating system. Are those features perfect? No, nothing is. But they're pretty good. They could still be better, of course. And as it happens, they are getting better with each release of Windows.

    Is third party security software needed? Depends on what you mean by needed. If it means it's necessary, then no, it's not needed. If it means it's useful to many people, then yes, it's needed. But I'd rather say useful than needed, when useful is closer to the truth.

    But to put it short, my point here is that security in Windows isn't achieved through some undocumented hacks here and there. The OS provides a simple, effective way to limit what software and users can do by providing accounts with different levels of access to the system - just like any reasonably modern OS. Can you then run some third party software on top of it to do even 'better'? Sure, you can. And I doubt MS is planning on breaking all security software in the future. With people making enough noise, it's quite possible they'll even reach a compromise with Tzuk and similar developers.

    PatchGuard really isn't a security barrier, which is exactly what Tzuk said earlier. I see it being more about stability than anything else. Of course, stability also affects security (it can't be secure if it's not available to authorized parties, and it can't always be available if it is unstable).

    Sure, you can do dll injections. Sure, Microsoft could do something about that. But if they don't feel like doing that, then I guess they don't, and I can't force them, even if I really wanted to. Maybe they don't want to break all the programs that do dll injection - maybe they've estimated that doing so would cause a bigger noise than breaking a few security software. MS is a business, they have to consider this kind of thing. On the other hand, if you run LUA, and don't happily execute untrusted code, I don't really see that it would be very likely for you to catch some dll-injecting malware. And then of course there's always stuff like SRP for helping prevent the untrusted code from running. Not a perfect solution, no, but life is all about less than perfect situations. In the end, I can safely say that dll injection isn't something that makes me lose my sleep. It doesn't prevent my systems from performing their productive tasks.

    Hypocrite? No, I don't think so. It's their OS. Their priorities. If they put discouraging kernel patching before preventing dll injection, that's their right, and I don't see any hypocrisy in it.

    Well, that was a nice example. But where does it leave us? If MS doesn't want to do anything about dll injection in fear of breaking legit software that does it or for other reasons, then they don't, and the problem remains. That in no way prevents them from doing something about kernel patching, or makes PatchGuard hypocritical. And as for the "alcoholics and drug abusers", it's not like you have to let them in, which may be one of Microsoft's reasons for not trying to make dll injection impossible. Your system isn't any public museum, unless you make it so. If untrusted code doesn't execute, then it doesn't inject dlls or fiddle with knobs, either. And there are ways to severely limit the chances of untrusted code executing, especially in a highly privileged context.

    There isn't any helicopter here. :D You want concrete? Concrete is that most people don't run obscure security software, and still most people survive. Concrete is that many people will get infected. Concrete is that some people will be very much safe without obscure security software. Concrete is that 64-bit Windows has benefits, like ability to use much more RAM. And finally, it's very much real that there will not be some great security disaster if MS fails to provide the interfaces some developers want in 64-bit Windows. Doesn't get much more concrete than that. Keep things in perspective, is what I like to think. Some people here are acting like the sky is falling if some security software goes down. Guess what. The sky isn't falling. Frankly, I think those people who think security is over without security product X and that it's better to be able to run some security software than to get more RAM are the ones in the helicopter - out of touch with the world and the majority of computer users.

    We can argue about random features all day long, and point out how nice it would be to be able to do X and Y. But it never hurts if someone at least takes a look at the actual reality outside security forums most people don't know about. Out there is a reality where almost no-one knows about the programs that are so very loved here. Out there are hundreds of millions of people who will not, in reality, suffer if those programs get weaker or disappear, because they don't even know about those programs. That is very concrete. We can cry all day long about how awful it is that programs we like get weaker or extinct. But while we're doing that, we should remember also that most people just don't know or care. Most users are greatly affected by the default configuration of Windows as it comes out of the box - witness XP SP2 for example. Any improvement to that configuration - like better stability, even just theoretically, or better memory management, or LUA by default - is good. Even improvements to hinder dll-injection attacks you mentioned. This is why PatchGuard serves a useful purpose. There's a lot to be done. I, for example, would like to see admin-by-default finally die, and not by some workaround like UAC, but really just die: LUA by default. That's one step that should be taken. After that, many more.

    That is not to say that Microsoft could not or should not give some security software companies ways of doing what they want. But it is to say that instead of that, it would be much more important to improve Windows security out of the box - and sure, of course, you could try to do both. And it is also to say that, ultimately, it is Microsoft's operating system. We can complain about what they do, try to steer them in the direction we want, or we can move to greener pastures if we feel like it. It's not "philosophical." It's very real. And it is real that in this world, me and many other users are not worried about one security software or two going under. Other people may be worried, and that's their right. But surely I am not doing wrong if I state why some people aren't worried, and why no-one actually needs to be (well, except for the guys making the security software)?

    So, there we agree.

    Yeah, I also agree with Tzuk that Microsoft could have done a lot of things differently: changed default setting Y, created methods to do X without resorting to complex workarounds, etc. But I also understand that if they don't, then there is not much we can do except to try to make them change their minds. Meanwhile, I find it important for users to keep things in perspective, to stay in concrete reality, to use your choice of word. In reality, whether or not Microsoft provides ways for Tzuk and guys to do their thing like they want to, doesn't break the security of the world, and doesn't make doing the tasks we bought computers for impossible. In forums like this, that seems to be sometimes forgotten. It is literally as if people used computers only so they could run security software and then post about that software in forums. :D Hey, if someone does that, they can. But they shouldn't think that's how everyone else works as well. And most importantly they shouldn't expect that a huge software company like Microsoft would follow their whims rather than their own plans.

    A business driven by only ethical reasons? Obviously not. Microsoft is in it to make money, just like everyone else. That's why, when they make changes, they make them so that they first consider their own plans, then the majority of their customers, and after that some smaller groups like AV vendors or fans of security software. Only logical.

    But I don't see Microsoft making any attacks on the security industry. That's quite ridiculous, really. If anything, the security industry should get gratefully on their knees and thank Microsoft for making it possible for them to earn a living by selling security software. Try doing that in Unixland if you want a challenging environment! :rolleyes: Microsoft has constantly recommended people use AVs, for example, and firewalls, and has never told people not to use security software. They even include features in their OS that warn people if they aren't running some AV! If they wanted to attack the security software industry, they could perform really crushing attacks even just by PR. But they don't, because they don't have any desire to attack the security industry. What PatchGuard is isn't an attack on the security industry - it's Microsoft trying to defend their kernel from stability issues caused by third party code, even from security software companies. What the free AV is isn't an attack - if they wanted to attack the industry, why would they jump into it? That's what the AV is - jumping into the AV industry, part of the security industry. Is it competition? Well, sure. But an attack? Nah. Not as I see it. But here I can smell that old paranoid MS is evil attitude coming through again. People can have that attitude if they want, I don't mind. But they should then understand that it would be wiser to not use stuff made by evil people.

    And that, I think, is all I needed to say here, complete with my usual repetitive (lack of) style. Sorry to be a bore, but I've spoken my mind. Now, I shall leave you to continue the thread, and shall derail it no further. Sorry for the interruption. :)
     
  10. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    ssj100 I like your summary.

    And Windchild, I'm sorry to see that you're blowing me off again, but I'm getting used to it. :) This is a security forum, here of all places I would expect people to take it seriously when an OS deprives security software of the foundation to do its job. When you suggested LUA is the answer to everything security related, I showed you this is naive thinking. But instead of accepting, your response is: so a virus can terminate security software, no big deal.

    This "no big deal" school of thought has been running throughout your posts from the very beginning. Security products get bypassed, no big deal. Microsoft takes action that ultimately hinders free competition, no big deal. (Nevermind the reasons; as the saying goes: the road to hell is paved with good intentions; not that I think the intentions here are good, but you seem to). Developers are forced to produce lower-quality products, no big deal. The potential increases in stability are only minor, no big deal.

    If it's no big deal, then why are you trying so hard to take the opposing view? That would be the view that -- for whatever irrelevant reasons -- encourages the biggest player in the field to abuse its strength in order to weaken everyone else. Today it's kernel security software, tomorrow it's graphics editing software. And I can understand you not caring until it gets to graphics editing, I really do. But at least have the decency to not JUSTIFY it, until it gets to graphics editing, when you too would be against such tactics.

    That's what I'm trying to do here, raise awareness to the ills of PatchGuard issue. It is understandable that not all people research the subject and they might not understand what PatchGuard means to developers. But I think I was able to get this message across.

    And then you stopped by, to argue that the ends in this case justify the means -- no matter how small that end is, no matter how cruel those means are. I think this is what ssj100 means when he says that your argument is philosophical.
     
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,883
    Location:
    Texas
    http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx
     
  12. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    All right then, let's go over it once more... :)

    Yes, and I understand your point there. I think it's within your rights to try and get MS to make your job easier/possible. I think you, and the fans of your software, should try to affect that change. I think the best way to do that is not by calling MS anticompetitive or evil and such things, though. I'm sure your fans don't mind if you call MS anticompetitive. But it might not convince MS to agree with your position. I think a little bit more diplomacy might work better.

    My point, on the other hand, was to say that there's no need to panic or fear disaster even if PatchGuard prevents stuff like Sandboxie from being as great as they used to be in 32-bit, and that PatchGuard actually has a justifiable good purpose even if the approach is harsh and ungentle, instead of being M$'s evil tool of destroying good guys. 64-bit with PatchGuard doesn't make you magically insecure, even if you can't run some security software. I tried to make these points, because some people seemed to me to be honestly worried about this, as if fearing for disaster for their security brought on by evil 64-bit Windows! I think these points of mine are much more a realistic argument than a philosophical one that is out of touch with reality, but hey, that's just my opinion.

    Actually, I've constantly said that LUA is a good thing, but isn't perfect, and isn't an answer to all issues. And I said there may be other answers to those issues. Such an answer might be third party security software. And MS seems to be allowing third party security software in the future, as well. And nothing is set in stone yet about what that software can do - changes can happen. You yourself have stated that they have happened. So, there is hope.

    As for what I said about malware terminating security software, now you're just outright lying there. I never said it's "no big deal" if a virus can terminate security software. I said that it's not a disaster or big deal if a malware can terminate only the control panel part of some AV, for example, as long as malware can't terminate the part that offers the protection. Do you want me to quote myself to prove that, or can we leave it at that? Your choice. Actually, no, I'll quote myself anyway:

    What I think: Malware can terminate the control panel process of some security software? Not pretty, but no big deal - still, would be better if it couldn't terminate it, and I fully support making termination protection possible. Malware can terminate those processes of some security software that offer the actual protection, like an AV's scanner? Huge deal. But that wasn't the case here. In plain English: if you can terminate the important part of a security software, that is a big deal; if you can only terminate some control panel part but not the actual protection, that is not a big deal.

    Maybe the "no big deal" school of thought is there because it really is no big deal. Security products get bypassed today, in 32-bit. Maybe some Security Software X doesn't, but then, only few people are using it. Microsoft takes action that hinders free competition, I don't see that. They took action that is within their rights to do, and may prevent some types of software being made for their OS, but it prevents it equally for all developers of those types of software. Developers are forced to produce lower quality? Well, many developers have been producing pretty awful quality already, so it's not like the change will be shockingly large for most users.

    You may call this cynical, or something like that. I call it realistic. Yes, there are real problems. But no, they aren't so huge that we'll see any great disasters - so, no big deal. The world will roll along pretty much as usual, without any huge changes in security issues. That's what I mean by "no big deal." There's no disaster waiting to happen. Things will not be very different from how they are now. They will be a little different, but not very different. Most people will never notice. Most people will never suffer. Ergo, no big deal.

    The above should already answer the question. I took the "opposing view", because it's realistic. Most people are not affected by the problems PatchGuard causes to some security software. Most people don't use that security software. Therefore, realistically, to those people, it is no big deal, and does not affect productivity. Further, Microsoft has the right to protect their kernel from third party code, even if they don't protect it very well or very nicely. And I stated that obvious thought out because it seemed to be less than obvious to some people. There is no matter of "decency". The justification follows automatically and logically from the fact that the changes from PatchGuard don't cause problems for the vast majority, while PatchGuard provides a (small) benefit that can be logically proved.

    But wait, I'll make a promise. Once Microsoft starts trying to break all graphics editing software, I will buy Sandboxie just to support you (assuming of course that you'd even sell it to a doofus like me ;) ). But that might take a while. Because no matter what folks think, MS isn't doing all of this to mess with people.


    1. Didn't say anyone was denying it, mate. But some people seem to be forgetting it. How? By a) acting like Microsoft needs to cater to the needs of a minority, instead of doing what Microsoft pleases and thinks is better for the majority of their customers, and by b) implying that Microsoft is "anticompetitive" and "underhanded" and "evil" for doing so. It's not "underhanded" or "evil". It's "business."

    2. Didn't say anyone was denying that, either. In a perfect world, we'd have an endless library of perfect security software to choose from, without evil M$ limiting our freedom of choice. Except that we wouldn't. Because in a perfect world there would be no security software at all, because it wouldn't be needed or even useful.

    3. I don't think there is any "perhaps" to that. Windows is getting better, at least in my experience, and that's really the only experience I can concentrate on when speaking about my own personal opinion.

    4. People may not say third party software is a necessity, but then they act like it is. Well, actually, they do say stuff like "That is why we needed third party security software in the first place", for example, like in Kees' previous post. Sounds pretty much like saying it's a necessity to my ears. And then to even more obvious stuff: In spite of "everything is relative", water is needed for humans to survive. It is a necessity, unless you're not human. It's also quite easy to test what happens if you stop "using" water - any human can test this and always get the same result, death. On the other hand, random third party security software is not necessary for all humans to avoid getting their computer systems infected. That is also easy to test. I do that every day, and survive without getting infected without random security software. Some people may get different results from mine, which then proves that instead of being "necessary" the software is merely "useful for some folks." It may be obvious, but still some people act like it isn't, and that's reason enough to remind them about it.

    6. I think what Tzuk and others want to do is an entirely valid thing to want to do. I think a compromise between MS and the desires of small security software companies is possible. And I think that compromise is more likely to happen if people take a more constructive approach, instead of tired old "M$ is evil and anticompetitive." Understanding why MS does something helps there. I know I said that friendly and nice doesn't always cut it in this world, but in some situations it's a good idea to be nice. For example, when you're trying to get something you want from someone who is a lot stronger than you. Like, say, a bunch of guys trying to get what they want from Microsoft. So, I really don't think the small developers are somehow bad guys here, if someone got that idea from my posts. But I don't think MS is either. I think both are just trying to do what they think is best for their own software, and may have different views on it.

    8. I am constantly amazed by how many people find LUA and SRP to be, in their opinion, either "new, I didn't know this stuff existed!", "blah, I don't care, I just wanna be admin, yeaaah!" or "they suck because I don't really understand anything about security except running a lot of AVs". If you don't get amazed, count yourself lucky! :D

    9. Perhaps? If productivity isn't more important than anything else, then what is? You might say that one of the most obvious reasons security is important is because insecurity destroys productivity. For example, if malware is killing all your files all the time, you lose valuable work. If a keylogger is stealing your bank account passwords and your money is stolen, you can't use the money any more for productive, useful purposes like buying yourself some food. Most people really do use computers so that they can do things with them, using them as tools for useful, productive purposes. Most people don't use computers to do things to them, like play with security software. But, if someone can tell me what is more important than productivity, I'm all ears! If they can show that this thing is more important than productivity to most people, not just a small minority, I'll be quite impressed. And yes "having fun" is a productive purpose - it's useful for relaxation for example.

    11. Well, the majority may not matter the most to you. But it matters the most to a lot of other people. Including me.

    12. Never said that. In fact I said that many will get infected. I'll say that many would get infected even if they had all the security software in the world on their systems - some people just don't learn.

    13. I do. When someone says stuff like "Down with 64-bit" or "I won't use 64-bit because some security software doesn't work on it" that is an overreaction, in my opinion.

    15. I have seen a lot of people who seem to be like that out in the net.

    16. But then again, just because I'm paranoid doesn't mean they're not out to get me. ;) But seriously, some people are too paranoid. Paranoid to the extent that I'm worried about their health. I guess we've all seen some of those threads in various forums. Conspiracies everywhere...

    17. I don't think it beats all. But if you don't trust Microsoft, and if you think they're evil, then using Linux sure beats using the OS of someone you think is evil. ;) And Linux is good stuff. I, for one, like it. Actually, I have a recommendation. Next time, when the reader has too much time in their hands and thinks about playing with some new security software, why don't they try Linux. Might learn something.

    18. Didn't say that. My point about the issue not being philosophical is that there's a real world out there where almost no-one cares about Security Software X (say, a thousand guys care, a million guys don't). A real world where people are mostly "protected" by the default config from Microsoft, and maybe some AV they got with the computer or downloaded because some geeky kid next door recommended it. Because of the way this real world works, it's much more important to concentrate on trying to make the default config better and to educate the users, than it is to concentrate on brilliant but mostly unknown security software. And because of the real world not using Security Software X for protection, the real world will not suffer if Security Software X doesn't work as great as it used to, or disappears.

    But really, I think that's enough, before I get the banhammer thrown at me. :D
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Really you are missing the factual point

    It is up to you, there is nothing to explain about it, or see http://en.wikipedia.org/wiki/Windows_API , read it at least until you come across "A large emphasis has been put by Microsoft on maintaining software backwards compatibility. To achieve this, Microsoft sometimes even went as far as supporting software that was using the API in an undocumented or even (programmatically) illegal way."

    As a rule of thumb, I try to understand before disagreeing, but love and peace man when you are disagreeing without understanding where you are opposed to.

    I only mentioned undocumented use of APIs is where MS came from. Now MS is actually working on conversion and structuring instead of achieving backward compatibility of wrong code. In this light UAC/PatchGuard are improvements. Read Ronjor's quote please.

    That was something Tzuk was hinting. From a stability point of view an API is a standard (Application Programming Interface); when they are so rigid on that, why not tackle a far more destabilizing technique of injection, or provide a complete set of APIs. But you did not catch what Tzuk said, nor my explanation.

    You are right about this, example was on half-witted priorities though, where MS has to allow bad coding (even in a perfectly configured LUA/SRP environment) to do side by side injections.

    Ahh come on, I said everyone is welcome, what I don't like is that you just managed to change the Thread Topic from x64 to Windchild. Even so, you could not resist posting again :blink: see post nr 230

    Cheers Kees
     
    Last edited: Aug 11, 2009
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
  15. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Ah, so you're talking about backwards compatibility and APIs. If you had just said that, instead of saying cryptic stuff like "Microsoft history on streamlining program to program communication and limiting the points of entry for possible malware comes from undocumented 'features' in a final OS-releases" I would have understood it. Because really, I still don't understand how Microsoft's "history of limiting the points of entry for possible malware" somehow comes from undocumented 'features'. And I'm sure I'm not the only one who can't make heads or tails of that sentence. Sorry, but English isn't my native language.

    Yes, I know Microsoft - understandably, since they're trying to please a lot of people - puts great emphasis on backwards compatibility, even at the cost of accepting stuff they probably shouldn't. Ironically, isn't this thread about exactly that: Microsoft trying to stop people from doing things they shouldn't, using PatchGuard to prevent certain kernel patching? In spite of backwards compatibility, however, NT has a solid security model, and that model is not based on "undocumented features" in any way that I can see. Limiting the points of entry for malware? I don't understand how that is based on some undocumented features. More like undocumented features have caused more points of entry for malware, instead of undocumented features being the tool used to limit entry points.

    Yes, backwards compatibility does cause problems. But what can you do? If you remove it, you will face a storm of protest larger than anything that fans of Sandboxie could hope to create because of PatchGuard. Look at how people protest UAC, or PatchGuard! And even after you've removed it, you'll still have problems. Malware works perfectly well without the OS having backwards compatibility with ancient stuff. Backwards compatibility at the cost of security is one problem, but solving that wouldn't lead to people no longer finding third party security software useful. There would still be vulnerabilities elsewhere. But yes, I certainly agree that removing the vulnerability caused by backwards compatibility would be good!

    Yeah, sorry for not understanding. I've never claimed to be unusually smart, but have often admitted being somewhat dense. :D

    But yes, I think MS should just wipe off a lot of the backwards compatibility in order to increase security and clean up the OS code. That would be good for security. But a lot of people might be very unhappy, for some time. That then leads to MS taking only small steps, like UAC or PatchGuard. And even those small steps raise storms of protest.

    I think I did catch it. I just have a different point of view. I understand that Tzuk or you might consider it illogical to tackle kernel patching while doing nothing to dll injection. That's because you're looking at the technology, and not what the users will be doing and experiencing, I think. Why not tackle the very real problem of dll injection? Because that could hurt backwards compatibility, and that would raise a storm of protest, like has been demonstrated many times... and since there are some ways to mitigate the injection issue, it isn't as large a problem as it could be. MS is a business, and they will consider something like that when they make decisions. It's a lot easier for them to make a change that breaks some unknown security software than make a change that breaks loads of software used by millions of people everywhere. Developers like Tzuk, I think, should easily understand where MS is coming from in this case. They don't need to agree with MS, of course not. But I would think they could understand how MS makes such decisions, and how someone else, like me, might also understand it. Like I said, realism. Few will notice if PatchGuard breaks some obscure security software, and MS will get few complaints. Millions will notice if DoctorInjector breaks loads of legit software that does ugly dll injection, and MS will drown in complaints. And as to the issue of MS not providing the APIs certain developers want, again, they're a business. They probably don't feel like providing any APIs that they don't think they need to provide. It's all work. Sure, they'll make AVs work. Sure, firewalls. But some much more rare security software that does more unusual things? Well, maybe they won't spend as much effort on providing the kind of API developers of those programs would want. I'm not saying it's the way things should be. I'm saying that it's quite understandable. And that's where folks come in to say to MS that, no, we really do need you to give us more ways to do things so we can make good security software. If the criticism is wide enough and constructive enough, it has a good chance of going through and making MS give you what you want. :)

    I understand that from the security perspective MS makes a suboptimal choice. But from a business perspective, it may not be so suboptimal. And they are a business. That's what this is about. That's why I keep saying they're a business. If you understand that, and really understand it, a lot of these questions answer themselves.

    This is another case of the different points of view: I don't think the priorities are half-witted. MS fears users will complain if they kill some backwards compatibility, so they place keeping compatibility as a priority. Is it half-witted? Unlikely, they're probably more than aware of how users would react and have carefully considered their decisions. Do I like it? No, I don't. I wish for security to be given a higher priority than backwards compatibility. But I understand why MS works in that way. They gained large market share by being easy to use.

    Yes, but I'm even making myself tired with my ramblings, and even I can tell when others get tired, as well. :D
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    OK, let's agree we disagree :)
     
  17. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    But that's the fun part - I don't think we really profoundly disagree. :) I think we all mostly want better security in Windows. I certainly want it. You seem to want it. The disagreement only happens when we discuss how to get there. Really, just because I understand something about why a big business like Microsoft does something doesn't mean I have to like it, or do. I just understand it, and accept it as their right - businesses try to make money, and that isn't wrong. In the real world, we just have to live with that.

    I think I shall end my ramblings by saying the following:

    Tzuk, Ilya, other developers - I hope the best for you. Really, I do. I hope that you can convince MS to give you the interfaces you want - but I also hope PatchGuard isn't killed. I certainly think it's better if developers like you have access to well documented APIs instead of having to use complicated, unstable and unsupported hacks to do something useful that they want to do, like some sandboxing function. I think there are many "diplomatic tricks" that you might try, if you feel like it. Why not even have your users help you? You could start a petition and have all your users sign it, and give that to MS, asking them to give you better, wider APIs to do what you want to do so you can protect people running 64-bit Windows. I'd sign it. Maybe you've even done something like that. But I think that almost always more could be done - if one has time.

    And to other users, like me, I would like to say that you don't really need to worry about 64-bit. You can still be safe in that environment, and if you're lucky, MS will make your fave security software possible in that environment, too. So, no disaster looming. And it will take a long while before you "have to" move to 64-bit, so there's lots and lots of time for things to happen. Enjoy computing. :)
     
  18. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,885
    Location:
    U.S.A.
    Ron, thank you for that link and I have to say that this thread has been an amazing read.

    I do have one question for the developers, based on this Kernel Patch Protection: Frequently Asked Questions statement found there (I apologize if it has been covered already):
    Question: Did you originally contact MS, using their criteria, and what was their reply?

    Follow-up: If you read the criteria and decided not to contact MS, what prevented you from doing so?
     
  19. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    One developer from the kernel team told me the time to add interfaces is about 3-5 years if a chief manager makes a decision to implement it. And it's very hard if you are not Adobe, Symantec,...
     
  20. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    maybe it would be easier to get in contact with Adobe/Symantec etc. to do it then :D :p
     
  21. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,885
    Location:
    U.S.A.
    Ilya, thank you for being the first to respond. So in your case, I assume that it was more of a time frame issue than anything else?

    After reading the Kernel Security Criteria document, I can see how a developer would have a hard time getting MS to approve their API, especially when I read these statements:
    One stops a developer from creating something that MS is already working on and the other asks a developer to divulge intellectual information they might not be willing to share.
     
    Last edited: Aug 11, 2009
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Big corporation- big ~Snip~. Always.
     
    Last edited by a moderator: Aug 11, 2009
  23. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I have no idea. I even have no idea if MS guys will apply anything. I'm not a Symantec, remember? :D
     
  24. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    97,885
    Location:
    U.S.A.
    Ilya, yes, I know you are not Symantec, but it sounds like you did submit your proposal and now must wait? Am I understanding you correctly?
     
  25. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    Yeah, same here, more or less. I was asked to bring my issue up again for consideration in a few years.

    Lying? I'm not lying. You said it's "no big deal" if a virus can terminate components of your anti-virus. You didn't care to consider that many people might actually find this very alarming behavior, and I didn't care to quote all your many qualifications about whether just control panel or the core component is stopped.

    You can't logically prove a speculation, and it also won't cause problems for the vast majority if Microsoft blocked any non-Microsoft graphics editing software.

    To put things in context, your response here is to my question, why do you feel so strongly about taking Microsoft's side if it's all "no big deal" to you. Feeling a need to protect justice? More like feeling a need to protect injustice, it seems to me, and that is why I said it is not decent.

    You said earlier many of the BSODs you experienced were related to security software. Did you bother to research the cause of the conflict, before subscribing to the position that PatchGuard will cure this? Have you considered the possibility these security software might conflict in ways that do not involve undocumented interfaces at all? What if only half of those crashes were related to undocumented interfaces, does that still justify PatchGuard?

    Bottom line: A powerful company with a history of strongarming its competition, and your whole reasoning to support their approach hinges on speculation that PatchGuard will make things better.

    Read about DKOM rootkits to see that rootkits do not need to patch the kernel to hide their processes. PatchGuard does not protect system data areas and a rootkit can simply "delete" the information associated with its processes. It will still execute, just won't show up in Task Manager.

    Read about file system filter drivers to see that rootkits do not need to patch the kernel to hide their files. They can ask to install a "fake" filesystem on top of an existing one, and return "not found" error codes for any attempts to access their files.

    Besides, rootkits can afford to disable PatchGuard. It's naive to think they won't. Only good guys have to play by the rules, and that makes the part about "greatest risk" in the "Introduction to Kernel Patch Protection" fairly nonsensical.
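    As an added example (not code from tzuk or anyone else in this thread), here is the classic cross-view check a defender can run against exactly the DKOM-style hiding described above: enumerate processes the normal way, then probe every possible PID with OpenProcess and flag any PID the kernel still answers for but the enumeration never returned. It assumes a Windows host where PowerShell can P/Invoke kernel32; the PID ceiling and the access-denied handling are assumptions noted in the comments.

```powershell
# Added example, not from the thread. A rootkit that unlinks its EPROCESS from
# the ActiveProcessLinks list disappears from Task Manager and Get-Process, but
# the kernel still resolves that PID through its separate process-ID table, so a
# brute-force OpenProcess() over the PID space can still reach it. Comparing the
# two views is a detection lead, not proof: processes that started or exited
# between the two scans also show up as differences.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
$ERROR_ACCESS_DENIED = 5   # the PID exists, we just may not open it; still counts as present

function Get-PidsByBruteForce {
    # Assumption: 65536 is a practical ceiling; raise it on systems with many processes.
    param([int]$MaxPid = 65536)
    $found = New-Object System.Collections.Generic.List[int]
    # Windows process IDs are multiples of 4; $candidate avoids the automatic $pid variable.
    for ($candidate = 4; $candidate -le $MaxPid; $candidate += 4) {
        $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $candidate)
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Native]::CloseHandle($h)
            $found.Add($candidate)
        } else {
            $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            if ($err -eq $ERROR_ACCESS_DENIED) { $found.Add($candidate) }
            # any other error (e.g. ERROR_INVALID_PARAMETER) means no such process
        }
    }
    return $found
}

function Find-HiddenProcesses {
    # The "high-level" view: what Task Manager, tasklist and Get-Process all show.
    $visible  = @(Get-Process | Select-Object -ExpandProperty Id)
    # The "low-level" view: PIDs the kernel will still open for us.
    $lowLevel = Get-PidsByBruteForce
    $lowLevel | Where-Object { $visible -notcontains $_ }
}

$hidden = @(Find-HiddenProcesses)
if ($hidden.Count -eq 0) {
    Write-Host "No discrepancy between enumerated and brute-forced PID views."
} else {
    Write-Warning ("PIDs reachable via OpenProcess but absent from Get-Process: " + ($hidden -join ', '))
    Write-Warning "Re-run to rule out processes that simply started or exited during the scan."
}
```

Note that the check lives entirely in user mode, so a rootkit that also hooks the process-open path can lie to it; that is precisely why tzuk's point about only the "good guys" playing by PatchGuard's rules matters to defenders.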
     