64-bit systems and anti-malware software

Discussion in 'other anti-malware software' started by ssj100, Aug 6, 2009.

  1. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    I have been trying to keep up with the flurry of responses in this thread, but I failed; information overload!

    Pls forgive if the following question was answered:

    1. Security software developers dislike PatchGuard because it doesn't allow them to jump into bed with the kernel.
    2. By not being able to become intimate with the kernel, they cannot give you the "best of the best" protection to protect you from malware authors.
    3. Here is where I become confused: Malware authors are software developers!!

    If the good guys can't get in, how can the bad guys get in? o_O
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    That should be obvious. They are willing to do things that reputable software authors won't do.
     
  3. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    Malware authors have the same access to MSDN that "good" software developers do.
    Ironically, this is the same rationale used to explain the reason why Wilders restricts discussions about how to create malware; the reasoning?
    It will make it more difficult for the script kiddies.

    I am still missing the point of why Microsoft should not have as much exclusivity as possible regarding the kernel.
     
  4. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    What it all concludes to IMO:

    1. PatchGuard is intended to increase stability, which is a good switch since Microsoft used to provide backward compatibility of undocumented/illegal API usage in the past.

    2. PatchGuard in itself is not a bad thing, WHEN Microsoft would have given a 'complete' featured interface set, so security programs could do their work. Currently both Ilya and Tzuk have asked for additions, which are scheduled for Win9 probably (5 years from now).

    3. The release calendar / priorities taken by Microsoft is questioned by Tzuk/Ilya since it focusses on API hooks, while it still leaves wide open the much more destabilizing technique of injecting code, which is under LUA allowed by objects of the same rights level (so called side by side intrusion), also issue mentioned at 2 adds up to a questionable release calendar of kernel protection improvements.

    4. Multi security angle applications like PrevX (heuristics/behavior analysis, in the cloud blacklist and community warning/protection) have currently enough means to implement strong protection which would not harm the brand value of their x32 peer.

    5. One man band developers with a product focussing on implementing one HIPS approach in an excellent way (have a so called champion in its class ambition) refuse to release x64 products not having the same protection strength as their x32 peers.

    6. Some of the complaints of larger security developers is that a third party is needed to rescue the OS when it fails, I think it is a clear strategy of Microsoft to limit Kernel patching for any third party.

    7. Signed drivers are no real solution, because every software has exploits which could be used by malware writers, or even worse two companies could work together, one acquiring a signed driver and leaving an undocumented hole in it, the other exploiting it.

    8. This was a great thread to read, thx PrevHelp, Tzuk and Ilya and SSJ for starting it.
     
    Last edited: Aug 12, 2009
  5. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Now, about the issue of adding interfaces taking 3 to 5 years of time... Sounds like a long time - but, it will take a long time, I think, before 64-bit systems are more common than 32-bit systems. So, it's entirely possible for MS to make such changes before 64-bit takes over completely and most people practically stop running 32-bit. Getting such changes made is obviously hard for smaller developers who aren't some bigname, bigshot company like Adobe. Perhaps joining forces would somewhat help. Meaning, the smaller companies could work together on this, and also try to get their users to help convince MS about this. I'm certainly not saying it's guaranteed to work, but I would think the chances are much better than zero. I can understand that you guys are upset. If I was you, I would probably also be upset. But I'm not sure that starting the anticompetitive, evil and so on chants will help in this case. MS has heard that so many times before, I don't think they care anymore unless they get slapped with a really horrifyingly enormous legal sanction that will cost them so much money even they start caring. So, more diplomacy might help better. :)

    Well, I'll not argue that line further. But let me say this. I think those "many qualifications" you didn't care to quote are pretty important in such a discussion. I think there is a very real difference of meaning between "terminating security software", "terminating the core part of a security software that provides the protection, like an AV's scanner" and "terminating only a control panel part of a security software, while being unable to terminate the parts that offer the actual protection." If other people don't see a difference, then I guess I can't help it. But in many previous discussions, it has often been stated by various people, that just because a malware can terminate, say, a firewall's GUI, isn't that big a deal as long as the actual firewall service stays up and running and blocks the malware from connecting out. In this way, there is a real difference between these situations to real people. Other than just me, of course.

    And naturally I did consider that many people would find their AV control panel dying alarming. I have seen people get all "alarmed" about such things. But just because I consider that doesn't mean I have to think it's a big deal. Yes, it's a problem. But not the kind I would call a big deal. A big deal would be the whole software going down, including the main scanner part, which would mean the entire AV dies and no longer does anything to protect the system. But then, as far as I know, MS has provided ways for security software devs to protect their products from termination. Sounds good to me!

    But it will most certainly cause problems for an enormous number of users - and just a tiny little bit more enormous than just blocking a few very special security software products. Therefore, MS is pretty unlikely to do something like that.

    I feel the need to protect a realistic view of things. While "Security Software X not working" may be a "no big deal" to me, "realism" on the other hand is a very big deal to me. Some people are honestly concerned whether they can be secure in 64-bit, and whether they can even move to 64-bit because of some security software not working or not being as great as before - and they think like this in spite of the productivity advantages of 64-bit such as taking advantage of more RAM. In my opinion, it is realistic to say that there's no reason to get all worried about stuff like that. In my first post in this thread I said I, for one, have no reason to care or worry about that. Because, I know for a fact that in 64-bit Windows in the real world, you can still run a secure system, and you don't have to be afraid that you will get inevitably owned without some Security Software X that you had in 32-bit. In the real world, you can happily move to 64-bit, stay safe, and take advantage of new benefits like having a boatload more RAM. Further, I think it's realistic that Microsoft has a right to decide what they do with their own software, and I think it's realistic that they might want to take steps to discourage kernel patching. You don't have to agree. You can even say that thinking like I do is indecent. I can take that. :) But it's not going to change my mind.

    Naturally I have not researched each and every BSOD, especially on systems that weren't in my control. But in almost all of those cases there was only one security software - the AV - installed on the system, and the reasons for the crashes were rather likely to be either bugs in the AV drivers or those issues related to using undocumented and unsupported hacks to patch the kernel. Even if only 0.1 % of all those hundreds of crashes were because of kernel patching hacks that PatchGuard now discourages, I feel that PatchGuard is very much justified. Even as merely an idea, PatchGuard is already justified: it has a reasonable, good goal, and causes no real harm to about 99,9 % of all computer users. In my opinion, of course. The reason why I mentioned the crashes caused by security software wasn't that I believe such crashes will all go away with PatchGuard. The reason was to show that in my experience, security software does have a lot of issues and does cause a lot of system stability issues in the real world. So, with PatchGuard, Microsoft isn't trying to solve imaginary issues or chasing wild geese. When Microsoft says "kernel patching causes stability issues", that's not a lie or an excuse so that they can justify PatchGuard which really has no intention beyond just being evil to small security software companies.

    My reasoning to support them hinges on realism. PatchGuard has a decent goal, and harms few people. It's Microsoft's OS, and their design choice. I find it realistic to support that. Some might disagree. Life is like that. I don't think we'll ever agree about this, so I figure it's agree to disagree on my part.
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, if that's the only question, the answer is very obvious:

    - Windows 7 in 64-bit is more secure than Windows 7 in 32-bit. 64-bit has security enhancements, such as driver signing, that really do help. So, the OS is more secure in 64-bit. Assuming, of course, that MS didn't fantastically mess something up with the 64-bit that they didn't mess up in 32-bit, leading to a boatload of 64-bit only vulnerabilities. Unlikely.

    - On the other hand: If you rely absolutely and only on the products that may get weakened or made impossible by PatchGuard for your security, then yes, you will be less secure in 64-bit Windows, if you stubbornly refuse to update your security policy. Note that the operating system itself is not any less secure than before - it's actually more secure than before. It's just that you no longer can run some third party security software on it, and if you rely on that, then obviously there's a security impact.

    - If you don't rely on the products that may get weakened or made impossible by PatchGuard for your security, then no, you won't be any less secure in 64-bit than you were in 32-bit Windows. Actually, you'll be more secure, since the OS is safer (driver signing, and all, do help).

    But really, this is only common sense and logic. :)
     
  7. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, correctly.
     
  8. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    To an enlightened Windchild it might be common, but for the majority of us mortals it is a great mystery.
     
  9. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, no. I'm saying quite plainly that they are more secure, in real life, in practice. In 64-bit Windows systems where driver signing and such work, this can be quite clearly experienced, as well.

    But of course, there can be vulnerabilities we don't know about. Of course, there are bound to be some. But there can be even unusually serious vulnerabilities, too, in the very unlikely case that MS somehow royally messed up their 64-bit Windows 7. Most likely they didn't, but it's a world of uncertainty out there. :D But then, there are unknown vulnerabilities in practically all software (except perhaps the Hello World! kind) and how bad they are we will not know before they get discovered. This goes not only for Microsoft's operating systems, but also for all other software. Like, say, security software from Symantec or some other company. This is one of those philosophical style arguments, I might say. ;)

    In real life, 64-bit Windows is more secure than 32-bit Windows. It's only that some users of 64-bit might end up being less secure, if they fail to replace any security software of theirs that no longer works with some solution that does, or fail to find such a solution. But for the vast majority of users, 64-bit Windows will increase their security. The increase won't be gigantic, but it's there.


    Oh come on. :D I'm probably one of the least enlightened people on earth! :D

    But where's the mystery? If we're talking about the OS - and that means only the OS, not some security software that is not part of the OS - then it's obvious that 64-bit Windows has improved security over 32-bit Windows. This isn't that complicated. As long as we can understand that the security of an OS does not depend on third party products. That's how this whole argument started on my part. The police - Windows - is better in 64-bit than before. The security guards might get a little worse. The OS is more secure, some other stuff might not be.
     
  10. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yeah. Or to put it less harshly: if the user just really likes some security software that doesn't work as well in 64-bit, and can't find replacements for them, then their security may end up being lower than it was in 32-bit. But the operating system itself is definitely more secure than in 32-bit. I think that's a pretty good thing, since most users do not have sophisticated third party security software. :)
     
  11. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    Why do you argue in circles, Windchild? To me it looks like all your arguments in favor of PatchGuard fell apart (if perhaps only partially in your mind) so you revert back to talking generally about greater security of 64-bit Windows and the benefits of more RAM. That was square one and I thought we moved on from that.

    * * *

    To reiterate points that seem to get lost again and again:

    64-bit Windows is more secure only thanks to mandatory driver signing, and I don't think anyone is contending this fact. Not me, at least. Mandatory driver signing does raise a barrier to rootkit malware, they now have to be stamped by an unbiased certificate authority (like VeriSign) as having come from a trusted source.

    But rootkit malware might get to kernel mode somehow, perhaps by fooling the certificate authority, or by exploiting some vulnerability in other kernel mode software. Then PatchGuard is not an issue at all for them, as both rootkit and PatchGuard operate on the same level, which is kernel-level. PatchGuard is not magic, it's just a piece of kernel mode code that runs every 10 minutes or so and checks the rest of the kernel. It can be disabled and there are ready-made hooking toolkits that already do this.

    However, good guys cannot afford to disable PatchGuard in order to do the things we were used to do on 32-bit Windows. Because such an action risks the validity of the driver certificate, and might have other legal ramifications.
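
Editor's added example, not part of any post in this thread and not code from Sandboxie, DefenseWall or Microsoft: since the post above rests the 64-bit security gain on mandatory driver signing, this PowerShell audit lists every running kernel driver whose Authenticode status is not `Valid`, together with its signer. The function names `Resolve-DriverPath` and `Get-DriverSignatureReport` are hypothetical; it assumes an elevated 64-bit PowerShell session on the machine being checked.

```powershell
# Added example: audit the signature status of kernel drivers that are running.
# Assumption: elevated 64-bit PowerShell, so System32 paths are not redirected.

function Resolve-DriverPath {
    # Driver image paths are recorded in several notations; normalise them
    # to an ordinary Win32 path that Test-Path can open.
    param([string]$RawPath)

    if ([string]::IsNullOrWhiteSpace($RawPath)) { return $null }

    $p = $RawPath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                        # \??\C:\...       -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\...  -> C:\Windows\...
    if ($p -match '^system32\\') {                          # system32\drivers\x.sys
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

function Get-DriverSignatureReport {
    # One object per running kernel driver: name, resolved path,
    # Authenticode status and the subject of the signing certificate.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $path   = Resolve-DriverPath $_.PathName
            $status = 'PathNotFound'
            $signer = $null

            if ($path -and (Test-Path -LiteralPath $path)) {
                $sig    = Get-AuthenticodeSignature -LiteralPath $path
                $status = [string]$sig.Status
                if ($sig.SignerCertificate) {
                    $signer = $sig.SignerCertificate.Subject
                }
            }

            [pscustomobject]@{
                Driver = $_.Name
                Path   = $path
                Status = $status
                Signer = $signer
            }
        }
}

# Anything listed here is running in kernel mode without a signature that
# validates on this machine, or could not be located on disk.
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, Driver |
    Format-Table -AutoSize

# Grouping the valid entries by signer shows which vendors' code the kernel trusts.
Get-DriverSignatureReport |
    Where-Object { $_.Status -eq 'Valid' } |
    Group-Object Signer |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```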
     
  12. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Oh boy. I guess we're not finished yet.

    I do not think I argue in circles or that my arguments fell in any way apart. I don't think that has been shown in any way, and we could sit here and argue about it all year. I "reverted" to talking about greater security and more RAM because You asked me:

    And here I thought it would be polite to answer why I feel so "strongly" about it, since a respectable man asked me politely. Perhaps I was wrong! I feel so strongly because it's not "all" a "no big deal" to me: the problems PatchGuard causes to a small number of people are a "no big deal" to me, but having a lot of more RAM is a "very big deal" to a large group of people including me and MS finally trying to do something about kernel hacks is a big deal to me. I feel so strongly because I think it's realistic that Joe User doesn't need to worry about migrating to 64-bit and fear that 64-bit will be destroying his security and getting him magically owned, and because I think 64-bit Windows is an improvement and to top all that off because I think PatchGuard has a good purpose that I support. That's why I feel strongly about it. And if you ask me to explain why I feel strongly, surprisingly enough, I will then explain why and describe the general benefits of 64-bit Windows and that PatchGuard doesn't hurt most users in any real way that they will ever notice but instead has a good purpose that I support. So then, why should I not support PatchGuard, even if a very small minority hate it? I think that is realistic, practical thinking - sure, selfish, but then what isn't. It's not like you, Tzuk, are thinking about what's best for Microsoft or Windchild when you tell us what MS should do to make your job easier and possible - you're thinking about yourself and your customers, as you should. If all this isn't alright with you, then I guess I'm just sorry my thinking doesn't please you.

    This is how it's gone so far. I say that generally folks don't need to worry about 64-bit, you can still be secure on it, so enjoy computers. I say that PatchGuard has a good goal, and will really improve stability, even if you don't notice that on your systems and even if it is nowhere near perfect - it will really prevent legit devs from doing certain kernel patching hacks that they regularly messed up with and crashed systems before. I say that, and then you point out PatchGuard doesn't solve all issues and what about dll injection for example and what about the fact that devs will just use different ways to mess things up and cause crashes by accident and most evilly of all PatchGuard prevents obscure security software from working as well as they did before. I say that PatchGuard ain't perfect just as I said before, but I support its purpose. You ask me why I feel so strongly about this issue if some AV control panel dying or some Security Software X not working in 64-bit are all a no big deal to me. I explain why - because of the reasons I stated in my very first post: users don't have to worry about PatchGuard making their security on 64-bit a disaster, but still some users seem to be worrying, and I would like to bring some peace of mind to them and have them more worried about productivity than some obscure security software - have them take a realistic point of view on computing instead of getting trapped in the world where Security Software X is the most important thing in computing and things like having more RAM to do useful things with the system are not as important. And after that, you tell me I'm arguing in circles. Oh dear, oh dear.

    I knew I shouldn't have said anything at all in this thread, having seen what discussions like this have previously caused. One dev insulting another, almost everyone ignoring the big picture and the only some hundreds of millions of users who won't care about losing some program they never heard of, people calling my arguments philosophical and then talking about "hindering innovation in kernel space", getting called a blind follower of Microsoft after I have flamed Microsoft for years for not making LUA the default and messing up ActiveX, and so on. This would be funny, if it wasn't so bloody sad. :D Listen, I'm not a software developer. But you are. Maybe, instead of arguing with me, your time would be better spent trying to convince Microsoft to let you do what you want. Because, even if you pull some magic trick and make me completely agree with you about PatchGuard and religion and war and peace, it still won't make your problems with PatchGuard disappear, or convince the rest of the world they need to care about it. ;)

    To summarize my argument about PatchGuard:
    1. MS has the right to implement it. It's their OS. I accept this. I support that right.
    2. PatchGuard has a good purpose. Its idea is to increase stability and security by preventing and discouraging kernel patching, which has caused problems in the past. It's not a complete panacea type solution, and not even MS has claimed that. It does have real effect, however: when it makes some type of patching impossible for legit developers, the software of those legit developers won't ever again cause stability issues by patching something PatchGuard prevents them from patching. There may be other stability issues, yes. Who knows, maybe developers will be angry and will start intentionally coding serious bugs in their software just to show that PatchGuard didn't make crash issues rarer but in fact more common! :D But still giving developers less methods to mess the kernel up is an improvement. To me, at least. To you, it can be the worst thing in human history for all I care - it's not in my power. But since the purpose is good, I support it.
    3. Most users - a vast number of people - will never suffer from not being able to run some security software because of PatchGuard, because they don't even know the security software exists, and if they did, wouldn't want to use it anyway, being too busy in Facebook. This means the real world impact of PatchGuard is not negative to a vast majority of users. Like me, and everyone I personally know face-to-face and almost the entire population of the continent I live on. Therefore, I have no problem with it.
    4. The intended good effects of PatchGuard, no matter how small, affect everyone, and the effect is not negative. Even the very existence of PatchGuard discourages kernel patching by legit software, and that already reduces the use of certain hacks that can cause stability issues. It isn't bad, ergo I do not oppose it.
    5. The security of the OS depends on the OS, not on other software. Where other software comes in is the security of a computer system, running some OS and some software on the OS, operated by some human. Most humans rely on the default configuration of the OS and maybe some AV for their security. So, an increase in the security and stability of the default config is a good thing to most users - you know, making the police everyone has around better, instead of making the third party security guards many people don't have better. I support that.
    6. If devs want more documented interfaces from MS to do their thing, I'm fine with that, and support that. Why not? Using documented interfaces is surely better than having to resort to hacks.
    7. Considering all this, I know that users of 32-bit can happily migrate to 64-bit and enjoy more RAM, without having to worry about "oh no, I can't secure my system without Security Software X and will surely get owned now!" Some users may indeed worry, and can. But I'm saying they don't need to. Calm down, enjoy computing, the sky isn't falling, and PatchGuard doesn't make us all insecure all of a sudden, even if some people would like to think so. I feel strongly about being a realist!

    I don't really see that many circles, or fallings-apart. But others are free to see things differently. The great thing about life: diversity of opinions and points of view.

    Yes, I think driver signing is a good thing and does improve security. Sounds good to me. :)

    I'm sure no-one here thinks PatchGuard is magic. Even if rootkit malware "might" get to kernel mode "somehow", which I'm sure is somehow possible since nothing is perfect, that is still a real improvement over the current 32-bit situation where the malware can just freely walk right in there completely unchecked easy as pie, instead of having to "might" and "somehow" get to kernel mode. ;) As for PatchGuard? It's not a security barrier, like you said. It just discourages kernel patching hacks that have caused stability issues and security issues in the past. It doesn't make rootkits impossible or anything like that, and I for one never claimed it does. Even if malware gets to kernel mode, and then blows up PatchGuard or changes its name to PantsGuard for all I care, the existence of PatchGuard in Windows makes legit developers avoid the types of kernel patching that PatchGuard prevents, and at least devs won't make mistakes in how they implement that kernel patching, since they won't be implementing that kind of kernel patching at all. Hence, improvements in one place. In some other place, yes, devs can make more mistakes than before if they feel like it. But then, they could do that already right now. PatchGuard is not needed for them to be able to mess up things in other ways.

    Yes, I know, and understand. But I don't really think that means anything at all to my arguments about PatchGuard.

    Of the replacements, I wouldn't know - it doesn't really concern me, as I don't use that kind of software these days. But unfortunately, now we are inevitably getting in the philosophical argument that you folks implied you wanted to avoid. ;)

    In theory and in practice, 64-bit Windows is more secure than 32-bit Windows. That is clear. To come true, the "less secure in 64-bit" scenario requires a case where a user has been running some rather special security software in 32-bit Windows, then migrates to 64-bit Windows, and can't find any ways to achieve similarly effective protection in 64-bit Windows. In such a case, the security of the systems admin'd by that user, may really be lower than it was in 32-bit Windows. But even that does not mean that the 64-bit OS itself is less secure than a 32-bit OS - it's important to understand that. We must understand the operating system and the actions of some user are different things. This simply means that with 32-bit Windows the user was able to use some security software for their security that they no longer can in 64-bit, and if they can't find any replacements to achieve same level of security, then their security may indeed suffer. It's clearly not a problem in the security level of the OS - that is higher than before. The problem exists in the user's security policy and what software they use to enforce it. For example, if one really wants to run a browser in a limited environment where it can't do anything much to the real system, there is always VMware for example. Not what I would do, though.
     
  13. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    No and no. I'm saying that in 32-bit, there may be some software that does things in a way that you really like, but that software may not work in 64-bit, and if you can't accept other options that may be different or more expensive or more resource-hungry, then there may be trouble for your security setup. And, I'm saying that it's possible and even easy to stay clean in 64-bit Windows. :) Let's take a user who bases his security on Sandboxie alone. There is no 64-bit Sandboxie, so the user can't use it in 64-bit Windows. Now there's a problem. If the user will not accept any other option, varying from going just cheap LUA+SRP to prevent most malware attacks from being successful to going expensive and running VMware or some other virtual machine to do untrusted browsing "outside" the real system, then their security does suffer. But that's not a problem in the operating system, it's a problem with the user's security policy. That's how it is.

    As for the last question, lack of some security software does not mean the 64-bit OS is less secure. The OS itself is not. The OS does not include third party security software, and lack of third party software for an OS does not affect the security of the OS. This is, as said, a question of "semantics" or philosophy - or if you prefer, just understanding the terminology. The security of the OS is determined by the code of the OS. Features and mistakes in the OS code determine how good the security is: driver signing is good and an advantage, some accidental remote code execution vulnerability is bad and a disadvantage, and the sum of all this stuff is how secure the OS is compared to earlier versions. The security of some systems - complete with hardware, OS, third party software and users - may be lower in 64-bit than in 32-bit if the admin doesn't find any acceptable replacement for their security software. That's a downside, surely, but still the OS itself remains more secure. Or to quote Tzuk, 64-bit is more secure (than 32-bit) due to driver signing, for example.
     
  14. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Instead of "higher levels of security", I think "compatibility with third party security software" would be the better term in this case. LUA/SRP don't count there, but then, LUA and SRP do work in 64-bit like in 32-bit. Of course, they aren't enough for everyone. And that is where the third party stuff comes in, and the very real problems start, as others have said.

    With 64-bit Windows, yes, I certainly admit that some security software just doesn't work as before - like Sandboxie - and may not have similar alternatives. So, yes, surely, 64-bit Windows puts some new limits to what security software can do and how and those make some security software less powerful than before. That is the way it is, unless MS makes changes in the future. This is of course what Tzuk and others have been saying, and I haven't missed that. Even I am not that dense yet. :D Yes, this is a downside. My point from the start was that for most people this is a non-issue, since they don't use such software anyway, and for those who use such software, they typically have more than enough knowledge to find alternative solutions that still offer a very high level of security. So that point was in essence "some large benefits to all, some disadvantages to very few, so it sounds good to me."

    And yes, I also think that this would logically make 64-bit sound negative to someone who puts a great value on certain security software that no longer work in 64-bit. That's why I recommended finding those alternative solutions, or just sticking with 32-bit as long as practical. Or if you're like me or most users, just jumping to 64-bit and not worrying very much. One can be insecure or secure in 64-bit, and that really depends mostly on the users themselves. :) The OS itself is more secure than 32-bit versions, but some security software doesn't work. We just have to deal with that, or try to coerce MS to making the security software work again.

    But really, if we want to show what 64-bit could do in terms of security and want something as powerful as the Sandboxie we've been using so far, how about the following:
    - run 64-bit Windows
    - run VMware on top of it
    - run a 32-bit Win 7 in VMware, and run Sandboxie inside the Win 7 32-bit to do your browsing.
    - profit... I mean, security, that is pretty likely to be actually higher even than in just running a real Windows 7 system 32-bit with Sandboxie. :) With much higher cost and resource impact, though, so it's not all bunnies and roses...
     
    Last edited: Aug 12, 2009
  15. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    Once again, a long and tedious essay by Windchild. Since I believe I've been able to deconstruct most of your arguments regarding the benefits of PatchGuard, it looks like you'd rather try to wear me down by being tedious and circular, than admit that I may have a point.

    De-constructing your stability argument: Your percentage for BSODs that PatchGuard will avoid was initially 50%. Getting this number down to 0.1% is what I call largely de-constructing the argument. Same with security, initially you said PatchGuard is good because Microsoft is trying to make systems more secure, more recently you began to accept that it won't hinder malicious rootkits.

    But in your mind:

    Feels like we've been doing it already. In any case what we're talking about is PatchGuard. Are you mentally unable to separate the issue of the driver signing issue and the benefits of the additional RAM -- both good points -- from the problems PatchGuard creates or the way it is promoted? To me it seems that you want to keep bringing up the other issues in order to cloud the core argument and take the discussion to irrelevant points.

    And your response to everything so far has consistently been a very long and tedious variation on "So what I don't care, it's their kernel they can do what they want, besides I like having more RAM, so there!" Pardon my paraphrasing. But obviously we can't have a sensible discussion when this is your core argument.

    I get it that you think those of us who complain about PatchGuard are cry-babies; that's your opinion. But for you to go to such lengths to justify everything that is wrong with PatchGuard, when you don't even have a stake in it, that's just wrong.

    * * *

    Final word about security. Again: Windows 64-bit is more secure thanks to mandatory driver signing. There is also mandatory driver signing on 32-bit Windows by enabling a policy setting. If you complement this with some HIPS that will guard this policy setting against modifications, then you have virtually the same net result.
     
  16. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    Perhaps in good spirit, and with no bad intentions, but certainly not very kind. Which is to say: Here I am in the middle, on one side I have the alternative of disappointing fans of Sandboxie by not releasing a 64-bit product. On the other side the alternative of releasing a 64-bit product that I am not happy with. And there is Windchild telling me to take it and shut up, and when I try to explain the injustice I feel, he ultimately falls back to - you know what, I don't really care, I'm happy with my extra RAM. So it feels like he's trying to antagonize me but I will give the benefit of the doubt that it is in good spirit.
     
  17. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well,

    I can only speak for myself, but the effort you put into his circle reasoning (direct translation from Dutch) is noticed and the points you made mattered to me. :thumb:

    Regards Kees
     
  18. thathagat

    thathagat Guest

    well how much of the said security:rolleyes: of 64-bit systems to do with the unpopularity/low % usage of that architecture ? for i remember prevx help commenting this...
     
  19. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    Thanks Kees, I appreciate that.
     
  20. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    Yes, at this point it's very premature to conclude that 64 bit Windows is more secure based on infection rates. Like the MAC it may only be the result of malware writers not making the effort to target the 64 bit OS since relatively few people are using it. This is beginning to change though because more and more desktop and laptop PCs are being sold with x64 Windows pre-installed. At some point they will be targeted.
     
  21. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Tzuk, I certainly never intended to say that PatchGuard is certain to avoid or fix 50 % of all BSODs. That would be crazy, there's no data to support that! If I have said that, please show us where. And if I really said that, and just don't remember doing so, then I owe you all an apology - sorry, I messed up big time, it is not true, PatchGuard does not prevent 50 % of BSODs.

    But... if you're referring to my statement about how roughly 50 % of BSODs that I have personally seen were caused by some security software, mostly AVs, then I would like to point out that I did not say that PatchGuard would "avoid" all those BSODs caused by security software. This "50 % of BSODs Windchild has seen were caused by security software" statement was made only to show that in my real world experience, security software certainly is not flawless and really does cause crashes, which means there's a valid reason for MS to wonder about whether they should be letting anyone and everyone freely patch their kernel. I will now quote that statement in its entirety, and show that it doesn't make any mention of PatchGuard fixing those BSODs.

    So, I think we have a misunderstanding here. Maybe that's due to my boring style of writing, or something like that. Perhaps the first paragraph that talked about MS doing something to stability issues made you think that I was claiming PatchGuard can fix all the BSODs caused by security software that I have seen. I should learn to write shorter texts, but I was never good at that. Honestly, way back when I was in school, I always went over the word limits when writing some paper, and had to work hard to avoid that.

    More recently began to accept? No, that's not really what I thought. As far as I can recall, I never said that PatchGuard can do anything to prevent rootkits. (Again, if I did say that, I must have been drunk, and apologize.) All this time, I was saying that PatchGuard is MS's imperfect attempt at doing something to stability and security issues caused by kernel patching, even by legit software. But really, I don't think it's any anti-rootkit solution.

    "Initially", in my first post, I argued against your example where Sandboxie is the police of the Windows world, and said that the police is actually Windows and Sandboxie is a third party hired security guard or kind-hearted merc or something. I criticized the line of thinking that on some OS security is a matter of what third party security software can do. I said that whenever Microsoft does "anything" to make an OS more secure some people have reason to complain. Only after that I made statements about PatchGuard, and claimed it is good because it's within Microsoft's rights to implement and because it's doing something to the stability and security issues caused by kernel patching, even something far less than perfect but still better than nothing. And yes, security and stability are related. PatchGuard isn't blocking rootkits, but it does address some stability issues, and better stability translates to better availability, which translates to better security (CIA triad, and all). So really, I don't see where I've said that PatchGuard will do something about rootkits and then have backed down from that statement.

    Yes, we're talking about PatchGuard. But the topic of the thread is 64-bit systems and anti-malware, and in this thread people have wondered whether to go 64-bit anytime soon at all, due to some issues with security software. It is all related: the effects of PatchGuard, third party security software, the good sides of 64-bit. Obviously, I can separate driver signing and additional RAM being good from what PatchGuard does. And have. But those things still relate to one subject: 64-bit systems and anti-malware software, which oddly enough is the subject of the thread. And to me, there's nothing irrelevant about this. 64-bit Windows gives you more RAM, and that is good. It gives you PatchGuard, and that is either bad or good depending on whether you are Tzuk or Windchild or someone else. When you know the good sides and the bad, you do some counting and see what the big picture is. For me and most users, more RAM is good, PatchGuard's effect on stability is either good or at worst neutral, and PatchGuard preventing some obscure security software is really not a big deal when we don't use it anyway. When you sum that up, looks like it's a good idea for most to at some point jump to 64-bit without worrying about getting owned without Security Software X. So, the benefits of 64-bit are not irrelevant to a discussion where people wonder whether they should go 64-bit or not! Obviously in such a discussion the benefits and negatives are both important to consider! As for the benefits or negatives caused by PatchGuard, I think PatchGuard is good, and you apparently think it's bad. Well, that's where we have to disagree. I support what PatchGuard is intended to do. I know that it solves some issues, and leaves others. I know that it also causes problems for some, but I don't mind that, since those affect only a minority. 
    And further, I hope that you devs and Microsoft can ultimately reach an understanding where MS gives you the interfaces that you really need to make your software as good as you want it. But if MS doesn't do that, I can live with that, too, and if someone else can't, then it's really just "tough" - there's always Linux or OS X. But I hope it doesn't come down to that.

    My core argument is: "Even if you can't run some security software X in Windows 64-bit, that is not a disaster, and you can still easily be safe in 64-bit Windows. So, don't worry. Jump to 64-bit when you feel like it, and don't fear that it will make you all insecure. 64-bit has some nice benefits that should boost your productivity, enjoy them. As for PatchGuard, it has a good purpose, and doesn't harm most users in any way they'll ever notice, so I support it. You can disagree with me, and I don't mind. Just don't hate me too much even if I don't agree with you." And look, I managed to explain it in a single paragraph now, without being too tedious, I hope. :)

    No-no, I don't think you're cry-babies. That would be very foolish of me to say. But I think some of you do worry too much, because 64-bit isn't any security disaster even if your fave security software doesn't work on it. And I think some of you spend too much of their time being generally angry at MS when they could spend that time thinking up ways to make MS give you what you want even if that is a difficult task. Like I said, if you end up starting a petition to appeal to MS to give you the interfaces you need to do your thing as well as before, I will sign it, as long as you don't demand doing away with PatchGuard entirely or giving a simple option to disable it. And further, I think some of you place far too little value on productivity and far too much on obscure security software, no matter how good.

    As said, most users rely on the default configuration. Which is why admin by default was such a bad thing. In 64-bit driver signing is the default, in 32-bit it is not the default. Big difference there.


    All in all, I really do NOT have anything against any of you. Honestly. I'm not trying to antagonize Tzuk here. I know I'm not the kindest guy you'll find anywhere, and I've been called worse things before for good reason! I'm just trying to show a different, but still realistic point of view: "Sure, devs and fans of security software don't like PatchGuard, but most people really don't know about it, and will not care. And 64-bit does have benefits that make it worth small costs here and there..." It's not a "nice" point of view, no. But it is realistic, and rather common. For example, the people I know on a face-to-face basis practically all consider it completely irrelevant if PatchGuard prevents even all HIPS products and such - they're happy people as long as they can run the system and do their productive tasks without getting owned all the time, and double-happy if they can get more RAM, and still more happy if PatchGuard may improve stability.

    But, I have understood for some time that there is a permanent disagreement here that can't be done away with. I can understand and accept your point of view. I just don't fully share it. But I'm not sure if you can accept that my point of view might be more than me just being unkind and inconsiderate, and that my point of view is actually based on reality, where most really don't suffer if some programs go away, but will still gain benefits from more RAM and maybe they'll even get less crashes due to PatchGuard. It's not all bad and there are benefits even to PatchGuard, is what I'm trying to say.

    Perhaps I would have caused less offense if I had chosen my words more carefully earlier, but at that time, I of course didn't have the brains to consider that. But, if it makes anyone feel better, they can read here that they're right and I'm wrong, and feel better. :D But now, we still haven't gotten MS to give you the interfaces certain software need. That's the real task.
     
  22. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Way above me all this Patchguard jargon but I'll throw in another aspect:

    "Trust and Confidence"

    I have way more trust and confidence in Tzuk and Sandboxie than anything MS security related.
     
  23. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    agree with you 100% look at my signature:) do you think i will trust microsoft?no way "jose":argh:
     
  24. wat0114

    wat0114 Guest

    Count me in on Kees' opinion, too.

    Windchild, I have tremendous respect for your technical understanding and will admit you presented a very compelling argument (you are well spoken) for your support of Patchguard, but I don't like your "corporate-like" attitude where you agree to a sweeping change that affects everyone, including highly skilled and, maybe more important, highly responsible developers like tzuk and Ilya. When I say corporate I mean it is so typical in the corporate world to make an all-encompassing policy change that affects absolutely everyone, because it is simply "easier" this way, rather than address those few employees who have one way or another violated the current policy. I have worked in the corporate environment for many years and this is a disturbing (to me anyways) attitude I have seen many times over. Microsoft could show some backbone and pioneer a merits type program to allow responsible developers the necessary access to the kernel if they wanted, but they can't be bothered and are likely even afraid to address the inevitable repercussions that would accompany such a policy. They are more interested in looking after their own concerns rather than do the "right thing".

    Anyways, this did turn out to be a great thread; very contentious at times but good points presented from all main participants, particularly, ssj100 (aka haha :D ) , Kees, Windchild, and of course tzuk, Ilya and Prevxhelp :)
     
  25. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Well, like I said, I don't mind if people disagree with me. It would be strange indeed if no-one did. :) Instead of getting everyone to agree with me, my goal is rather that people at least see that there is another viewpoint besides their own, and that this different viewpoint may be logically valid and not evil, even if it is disagreeable to you and based on moral values that you don't share. And further, my goal is that no-one is "scared off" from 64-bit because of being afraid for their security in the new environment. It's entirely ok, of course, to avoid 64-bit simply because it does not run certain software that one really likes. But that's that, really.

    I don't think I deserve much respect for technical understanding - there are devs around with far greater understanding than mine in this thread. :) As for being well-spoken, if I was, I wouldn't get caught up in debates like these! :D
     