64-bit systems and anti-malware software

Discussion in 'other anti-malware software' started by ssj100, Aug 6, 2009.

Thread Status:
Not open for further replies.
  1. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    Good to see that someone has a very solid Aristotelian logic here.

    It's the better way to avoid being confused by the common sophists' tactic: confusing or illogical argument used for deceiving the evidence; evidence isn't their core motivation - instead they like rhetoric and words and more words, which allows them to encircle logical arguments using circumstantial evidence to dissemble the real and direct evidence.

    Appearing and seeming but not really being.

    It isn't common to see such insight in this forum: my congratulations!
     
  2. BG

    BG Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    214
    Ain't that just what you got through doing? :gack:
     
  3. elapsed

    elapsed Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    7,076
    That's what I was thinking...
     
  4. majoMo

    majoMo Registered Member

    Joined:
    Aug 31, 2007
    Posts:
    994
    Typical ad hominem argument and logical fallacy. Ad hominem arguments are always invalid in syllogistic logic.

    Once you like it, you can resume the circles alone.
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I couldn't agree with this more. Windchild, candidly you may have good arguments, but your posts are way too long for me to go through.

    I think what right now might make 64-bit more secure is that it's still not mainstream. Once it gets there, I bet we discover MS releasing patches and fixes as vulnerabilities are found.
     
  6. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Yeah, they're long. I'm rather quiet now, though. :D

    And yes, certainly there will be patches to 64-bit Windows vulnerabilities. There already are many. All software that does anything much, practically, has vulnerabilities and fixes to them. Mostly impossible to avoid.
     
  7. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    6,220
    Location:
    USA
    I find your POV inconsistent. If, as you say, you don't deserve much respect for technical understanding, then why are you engaging in a complex debate about core programming issues of the Windows OS as if you do understand? If your personal opinions are not based on technical understanding, then how can you make valid generalizations? What then is your basis for reassuring people that they shouldn't be scared off x64 because of security concerns? Are you saying "Don't worry, be happy"?
     
  8. Wrongusername

    Wrongusername Registered Member

    Joined:
    Aug 8, 2009
    Posts:
    1
    Even full machine-level virtualization doesn't introduce a "dramatic" impact on performance, specifically CPU performance. Sure, there're still enormous limitations and overheads: RAM, space, GPU. All combined, it's too cumbersome for everyday casual use or scenarios like when testing some new applications and garbage being left in the system is undesired.
    Booting the virtual machine, having it eat away a gig of RAM, still having to take additional measures to keep the virtual OS clean (snapshots, Sandboxie etc).

    Moreover I don't consider things like Deep Freeze, ShadowUser, Returnil feasible solutions for a home PC - the usability comfort overhead incurred would be on par with or greater than booting a full VM, the security provided - less. Still possible to defeat their hooks etc.

    The device-level access-filter approach as in the 3 abovementioned products just doesn't cut it (naturally it has its uses in corporate/public access PC etc. areas). It's a big plus to know what files an application installs/changes, sometimes registry keys. System-wide vs individual process-specific access control, the latter wins.
    The constant need for restarts to do actual changes to the system IS a big deal.

    So apparently there's a specific area of tasks where Sandboxie really shines. Of course even with kernel hooks/no PatchGuard protection is not 100% (historically there've been exploits that allowed even virtual machine containment to be escaped and code executed on the host OS), but something close to that can be achieved if the application being sandboxed runs with normal user rights.

    Now back to virtualization.
    If what VMware ThinApp (formerly Thinstall) developers claim is true, it provides sandboxing via usermode virtualization. That should provide a level of security equal or greater to kernel-mode hooks. Found some article with specific figures on overhead http://www.xpnet.com/appvirt2008.pdf Claims to be 20-40% if I read it correctly.
    That seems strange, as from articles I've read before on native vs full virtual machine CPU performance the overhead is much smaller. An article with a comparison of usermode virtualization vs full machine-level virtualization would be interesting to read.
    Too bad they don't offer a security-oriented product based on this sandboxing. Though one could package cmd.exe only and get somewhat of a sandbox I guess.

    There's a mantra proponents of PatchGuard keep on chanting: "It's MS's OS, they do whatever they want. MS knows what's better for users". Why doesn't MS implement PatchGuard in 32-bit? The answer is simple: they wouldn't be able to handle the public backlash. So much for their rights to do whatever they want with their OS. Would they not listen, maintaining PatchGuard would simply become a liability. There're examples of the most draconian DRM and copy protections falling because of widespread negative opinion of them. Now maybe MS would still stubbornly not provide users with an option to disable PatchGuard on x64. That's where the liability part comes in: they can only keep releasing updates against bypass techniques for so long and complicate its protection only so much.

    Oh really? Is 32-bit any different about driver signatures than 64-bit?
    There's another mantra: "allowing users to optionally disable PatchGuard defeats the whole purpose".
    Wait, but MS opted to "compromise" another big security feature of theirs, that exact driver signature enforcement. Doesn't it look like a greater security tradeoff for the sake of common sense than allowing to disable PatchGuard? Kernel-level unsigned code yes, patching the kernel - NOO way. I'm talking about testsigning mode allowing to load self-signed drivers, even on an x64 OS, even on Win 7.

    This concerns third-party security vendors too. The claim "we can't play it rough with MS and disable PatchGuard, MS is going to revoke/blacklist our signing certificate/ban us from kernel-land" - not truly valid. x64 drivers can be provided self-signed, requiring users to run in testsigning mode - a small inconvenience IMO and not really that big of a security compromise since, if provided with the administrative privileges needed for driver installation, malware intent on installing drivers could easily make use of signature bypass methods too.

    Would be interesting to see a PatchGuard coexistence solution based on a hypervisor using VT-x, AMD-V as a very generalized approach. Sure, not all CPUs support that, but that's not an issue in this case. A PC with 6-8GB of RAM and an x64 CPU is unlikely to be equipped with some "value" version of that CPU without these technologies.
    They promise to patch all bypass techniques, but IMO MS would likely just let it slide if you hide from PatchGuard using a hypervisor. There're legal hypervisors out there so they can't just deny them all, and it's not too likely they'd go to such extents as detecting specifically if a hypervisor is concealing kernel hooks from PatchGuard.
    Eventually they'll have their own hypervisor in the mainstream OS, perhaps invalidating this possibility, but not sooner than 3-5 years from now.

    More rocks need to be thrown into the 3rd-party ISVs' garden. In the beginning, like 2006, there used to be a lot of discontent and noise, complaining about PatchGuard. But then everything went silent. Have they found a miraculous way to provide equal or at least close to the former level of security? Not really. But they invested in inferior ways to provide at least some level. And most prefer users to stay unaware of the shortcomings of 64-bit versions of their products, instead of pointing that shortcoming out in bold letters and naming the party responsible. This is definitely a very wrong approach that deserves criticism.

    It's all worked well so far because of the very small x64 market share and little interest from malware authors, but that's going to change soon; especially with the Win 7 release many may opt for x64 to make full use of their RAM... And let's hope it won't be malware authors who realize first what a fine gift MS brought them here by driving security vendors out of the kernel.
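    A defender-side check for the testsigning mode discussed in this post, added here as an example (not code from the poster, from Microsoft, or from any vendor named above): it parses the output of `bcdedit /enum {current}` and flags the boot elements that relax kernel driver signature enforcement. The sample output is constructed, and `nointegritychecks` is included as the second real bcdedit element with the same effect.

```python
import re
from typing import Dict, List

# Constructed sample of what `bcdedit /enum {current}` prints on a Windows 7 x64
# host that has been switched into test-signing mode (assumed values, not output
# captured from any machine discussed in the thread).
SAMPLE_BCDEDIT_OUTPUT = r"""
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
locale                  en-US
inherit                 {bootloadersettings}
recoveryenabled         Yes
osdevice                partition=C:
systemroot              \Windows
nx                      OptIn
testsigning             Yes
"""

# Boot-configuration elements that relax kernel-mode code signing. Both names are
# real bcdedit element names; on a production host neither should read "Yes".
WEAK_ELEMENTS = {
    "testsigning": "test-signing mode: drivers signed with a test certificate load",
    "nointegritychecks": "driver integrity checks disabled entirely",
}


def parse_bcdedit(text: str) -> Dict[str, str]:
    """Turn the 'name<2+ spaces>value' lines of one bcdedit entry into a dict."""
    entry: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s{2,}(.+?)\s*$", line)
        if m:
            entry[m.group(1).lower()] = m.group(2)
    return entry


def weak_signing_settings(text: str) -> List[str]:
    """Return one finding per weakening element that is set to Yes."""
    entry = parse_bcdedit(text)
    return [
        f"{name}=Yes ({reason})"
        for name, reason in WEAK_ELEMENTS.items()
        if entry.get(name, "").lower() == "yes"
    ]


if __name__ == "__main__":
    # On a real host, feed in subprocess.run(["bcdedit", "/enum", "{current}"]) output.
    findings = weak_signing_settings(SAMPLE_BCDEDIT_OUTPUT)
    for line in findings or ["no weak signing settings found"]:
        print(line)
```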
     
  9. halcyon

    halcyon Registered Member

    Joined:
    May 14, 2003
    Posts:
    373
    Moving this week. I have Win7 on pre-order and legal access to select volume licensing through my work.

    My new build will have 12GB memory, so 64 bits it'll be (memory due to massive data set analysis).

    I still haven't figured out what the complete setup will be, but my reasoning currently is roughly this:

    If I can do away with as many 3rd party security apps as possible then I'll be a happy camper. All that, without comparatively losing a lot of security compared to my current 32-bit XP build.

    The more streamlined my setup, the less headaches I have from it. To me security is a combination of behaviour/awareness, security rules/tools and usability. My current setup takes too much time to build / add exceptions and deal with issues coming from the security software. I don't like that, so I'll try to prune the setup down in my next build.

    Also, finally, I hope that many people will not upgrade to 64 bits for a long time. Comparatively it'll then remain a less interesting attack platform, and that may affect the amount of ITW exploits for it. I have all the device drivers I need already, so my support is good enough.

    So, just don't upgrade to 64-bits, pleeeeease :D
     
  10. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    Please note how I didn't say that I "don't understand." I said some people have a greater understanding. Those statements are quite different, really, at least in the kind of English that I have learned. One person can know enough about firearms, for example, to be quite effective with them in practice, but then someone else may have much higher understanding in building them - and yet they can still discuss and the person with less understanding can still have valuable views and input. And this debate is of course about much more than just core programming issues. It's also about the user perspective. But I think I won't go through all of that stuff again, when people found it tedious to begin with!

    As for the basis for reassuring people that they shouldn't be scared off x64? The basis is personal experience, and a much higher level of understanding of the technology involved than most people have, even most people posting in security software forums - obviously that doesn't include professional developers and such, who obviously have a still higher technical understanding than little old me. Note, though, that developers often have different desires than even rather knowledgeable users, since developers often aim to sell things, and users aim to use things. Windows in 64-bit has the same good old NT security model as 32-bit, and some enhancements like driver signing being required by default. You can run Windows 64-bit more than reasonably securely without some of the highly loved and recommended programs often mentioned in this forum. That's why I say there's no reason to worry. But no-one has to believe me - it's a free world. You can worry, if you want. Or you can try for yourself and see whether you can run 64-bit safely and whether there is a reason to worry. I can run safely in Windows 64-bit. A lot of other people can, and many much better than me. And to tell you the truth, those people who really honestly can't, probably couldn't do it even if they were running all the security software in the world that ever worked on any OS.

    Yeah, really. The driver signing requirement in 64-bit is a security improvement that really does help. No-one in this thread said that it's perfect, or impossible to bypass in any way. As for 32-bit being any different about driver signatures, you've lost me there. Fact is, in 32-bit Windows, driver signing requirements are not enabled by default. Sure, the technology may be the same, but the defaults really do matter.

    Well, sure, that would be a greater security tradeoff than allowing to disable PatchGuard, since PatchGuard really isn't a security feature any more than UAC is. It may have security impact, sure. But to me it seems that PatchGuard is mainly about stability, just like UAC is mainly about kicking devs up the rear-end so they'd start remembering that not everyone is an admin all of the time and not all software should be allowed to do absolutely anything without confirmation from the user. So, allowing to disable PatchGuard would be more of a stability than security tradeoff, and maybe everyone doesn't want that. A novel thought.

    As for the issue of MS not enabling PatchGuard in 32-bit, well duh. Microsoft themselves openly state why they don't: it's always easier to make changes that break stuff in situations where a lot of stuff inevitably breaks anyway. That really has nothing to do with what MS has the right to do with their own software. Because, you know, when you have the right to decide what you do with your software, you can also use that right to decide that you won't make great changes to your 32-bit OS if it would annoy your customers, but that you'll make the changes in 64-bit versions where other big changes happen anyway. Obvious stuff.

    Finally, I'd say one thing about security in 64-bit. If you're running happily along as admin, and you're the kind of user who knows little of security issues, it's not exactly a slam dunk that security software would save you from ever getting serious infections. Many people really have neither the desire nor the skill to run complex security software. Many people have trouble with a simple AV. We've seen how "effective", or if you prefer "ineffective", the most popular anti-malware software is in keeping a system forever clean - in 32-bit. With that in mind, there's no reason to think things will enormously change in 64-bit. There will still be a whole lot of people getting infected, just like in 32-bit, and often in spite of security software. Realistically, that's how it is. 64-bit may be an improvement in some ways when it comes to security, but there's no way to make such a great improvement that it would prevent certain people from getting infected. Dancing pigs, and all. Will 64-bit somehow lead us to even much worse infections, much more numerous than before, that couldn't have happened in 32-bit? I really don't think so. But we'll see soon enough, won't we.

    As was said before: there's a big task ahead for people who want Microsoft to give them documented, legit ways to do what they want with their security software to offer strong protection. Lobby, lobby, lobby, I guess.
     
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Definitely agreed, and I'll apply that to all of the vendors in this discussion and those who develop(ed) the other software I use. It's not just a question of trusting MS to properly secure a system. Some of Microsoft's own activities are questionable. On an older 32-bit system, a classic HIPS enabled the user to have at least partial control over that, a balance of power. I don't claim to understand everything in this thread, but it looks like that balance is gone on 64-bit, and MS has total control over those systems.

    Before anyone says "If you don't trust MS use something else", all of the options have their own problems and/or limitations. Windows has been the option best matched to my needs, until recently.
     
  12. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    363
    If that is true, then it looks like a fascist move. The current financial system of globalization, trade liberalization and focus on virtual economies seems to breed monopolistic tendencies of the Immortal and Immoral Corporations, and in some way people tend to be treated as livestock. Sorry, been reading too many conspiracy theories, though those undeniably carry some pearls or kernels of truth amongst the bunch of crappy stuff like UFO stuff, outright lies and deceptions, pseudoscience and hidden agendas (read the Bilderberg Group, Council on Foreign Relations, etc.)

    Hello, folks. Welcome to the Matrix.
    We are now living in Userland. ha ha
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Depends on your XP setup now, but Win7 UAC, PGS, MSE and Windows 7 Firewall Control (see https://www.wilderssecurity.com/showpost.php?p=1523049&postcount=1) is an easy and pretty strong setup. I always use Windows Firewall Control to get the correct programs that want to go outbound, then I use Stem's post to make the FW quiet (see https://www.wilderssecurity.com/showthread.php?t=239750&highlight=Vista FireWall Stem) and de-install Win7FWC.


    :thumb: Great idea, let's keep x64 an uninteresting OS like Mac and Unix, so malware writers keep on focusing on the large x32 market :thumb:
     
  14. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Well, the gamer does not want anything else. He handled the RAM usage of x64 by putting in 8GB RAM, and runs only x64 or Vista's own security apps.
     
  15. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    I'm a gamer - but a knowledgeable gamer. :D If he was too, he would at least not buy 8 Gigs of RAM now, unless he wants to waste money cause he thinks it's fun or something. :p
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    He was a fanatic, until he found out that being a Dutch top gamer did not help with his school grades. Possibly his increasing level of testosterone also helped him to switch from web contact to physical contact (meeting real girls, that is).

    All the gamers I know waste money, buying new video cards while half a year later they are half the price. So all your remarks apply, I think (he started Vista x64 with 2GB, doubled to 4GB which was a great improvement, so he probably could not resist doubling that to 8GB).
     
  17. 3TAMMUZ

    3TAMMUZ Registered Member

    Joined:
    Jan 30, 2009
    Posts:
    38
    It's the matter of the credit and debt system over the monetary policy for computerization and you'd better get used to the Windows x64 platform soon.

    With the help of the internet of the MS, the world banking system is getting better off.
     
  18. Lebowsky

    Lebowsky Registered Member

    Joined:
    Dec 3, 2004
    Posts:
    161
    What? :blink:
     
  19. Johnny123

    Johnny123 Registered Member

    Joined:
    May 4, 2006
    Posts:
    548
    Location:
    Bremen, Germany
    LOL, that's exactly what I thought too. We'll have to wait for the next cornflakes box that has a decoder ring in it.
     