64-bit systems and anti-malware software

Discussion in 'other anti-malware software' started by ssj100, Aug 6, 2009.

Thread Status:
Not open for further replies.
  1. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    I was about to respond, but apparently the match is not over, so I deleted it.

    Personally, I would prefer to see the developers battle it out without the distraction of uninformed user opinions.
     
  2. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    As both approach the question of "what is secure?" from different angles, this can only be characterised as "wishful thinking".

    Regards,
    W.
     
  3. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    If you created this thread in the hope that Ilya, Xiaolin and Tzuk would make comments, then maybe you should allow them to do so without helping to saturate this thread with uninformed opinions.
     
  4. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    Friend, no one cares about your opinion of my comments. :rolleyes:

    Can't you give professionals some space to come to a resolution? o_O
     
  5. Wildest

    Wildest Registered Member

    Joined:
    Apr 28, 2009
    Posts:
    304
    After over three years of reading comments on this forum, this is the greatest post I have ever read.

    It inspires confidence, and I will definitely add Prevx to my list of "must try" software.

    Best regards,
    W.
     
  6. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Can digital signatures provide all the protection provided by patchguard? If so then why stick with patchguard?
     
  7. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I think you will find that they will be much better at thinking out of the box once it becomes financially viable to do so. Necessity being the mother of all invention!
     
  8. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I'd like Ilya's response to this as well.
     
  9. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Ah thanks for that Tzuk!
     
  10. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    No, digital signatures allow a user/the OS to know what company a certain program or driver came from but outside of that they don't provide any additional protection. Granted, a vendor needs to go through hoops to get a digital signature for integrating with the kernel now but it is possible that the vetting process isn't perfect (or that "two" vendors will work together - one creating "legitimate" software which intentionally, but apparently unintentionally, exposes a flaw and the other exploiting that flaw).

    The benefit of Patchguard is that it levels the playing field for most software developers, forcing them to use a standardized interface to do things that have been largely haphazardly done. It's still very possible to mess things up using the new framework but it is less likely.

    Malware authors can, of course, still get around Patchguard (so can vendors but they will quickly have their kernel rights revoked) but this would require them to first have a digitally signed driver and then a massive amount of hackery - far more than in 32bit and it is orders of magnitude more difficult.
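    To see in practice what PrevxHelp means by "digital signatures allow a user/the OS to know what company a certain program or driver came from", here is an added PowerShell example (not code from the thread, nor from Prevx, Sandboxie or DefenseWall) that lists the kernel drivers currently loaded and reports each one's Authenticode signature status and signer. It assumes Windows PowerShell 3.0 or later (for Get-CimInstance) and an elevated prompt so every driver file is readable; the function name Get-DriverSignatureReport is my own.

```powershell
# Added example, not from the thread. Reports who signed each loaded kernel
# driver. A 'Valid' status only answers "which publisher signed this?"; it says
# nothing about whether the driver contains an exploitable bug.
# Assumes: Windows PowerShell 3.0+ and an elevated prompt.

function Get-DriverSignatureReport {
    [CmdletBinding()]
    param(
        # By default only drivers in the Running state are reported
        [switch]$IncludeStopped
    )

    $drivers = Get-CimInstance -ClassName Win32_SystemDriver
    if (-not $IncludeStopped) {
        $drivers = $drivers | Where-Object { $_.State -eq 'Running' }
    }

    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }

        # WMI reports some drivers with NT-style or relative paths; normalise
        # them so Get-AuthenticodeSignature can open the file.
        $path = $d.PathName.Trim('"')
        $path = $path -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        if ($path -match '^system32\\') { $path = Join-Path $env:SystemRoot $path }

        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Name = $d.Name; Path = $path; Status = 'PathNotFound'; Signer = $null }
            continue
        }

        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            Name   = $d.Name
            Path   = $path
            Status = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# Usage: anything whose Status is not 'Valid' deserves a closer look, and a
# 'Valid' entry still only identifies the publisher, as discussed above.
Get-DriverSignatureReport | Sort-Object Status, Name | Format-Table -AutoSize
```

    One caveat worth knowing before reading the output: many drivers that ship with Windows are signed through a security catalog rather than an embedded signature, and on older Windows versions Get-AuthenticodeSignature may report those as NotSigned even though the OS accepted them at load time, so a NotSigned result is a prompt to check the catalog (signtool or sigcheck can do this), not proof of tampering.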
     
  11. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    1) This is a fantastic thread ssj, and I would also like to thank Tzuk, prevxHelp and Ilya, especially the former two, for their participation. The exchanges between the developers give one a better idea of the issues with patchguard and the possible workarounds.

    2) What's really interesting is that prevxhelp is a competitor so one would assume that whatever tips or hints he gives are merely the tip of the iceberg in terms of what is possible. It just makes one wonder what other tips and workarounds prevx have figured out, which could be utilised by guys like Ilya and Tzuk.

    All of this just confirms my initial suspicions that the only real limiting factor was the popularity of 64bit, and once its market share was viable developers would find a way, at least to deal with most problems.
     
  12. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    I see. Thanks for your response. It seems to me that getting the drivers signed is the more difficult part of the equation than hacking patchguard.

    Also if Windows 64 is inherently more secure out of the box, then one wonders if using slightly weakened antimalware solutions, in comparison to 32bit, might not actually produce equivalent or perhaps even superior protection to that achieved by those same solutions on 32-bit.

    For example if a vendor could get the 64bit version of their product to provide, let's say, 90% of the protection provided by the 32bit version, would this, together with the extra protection afforded by digitally signed drivers and patchguard, make up for whatever protection was lost by trying to make the products comply with the limitations introduced by patchguard in the first place?
     
  13. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Let me try to resume what I understand of PrevXHelp/Tzuk/Ilya

    1. A behavioral HIPS looks at the same intrusions as a classical HIPS, the only difference is that a Behavioral HIPS (or one combining several strategies such as PrevX) analyses the pattern of intrusions and only pops up a warning when something is suspicious.

    2. Virtualisation or policy management HIPS are also classical HIPS, only they apply a strategy to not ask the user every time an intrusion occurs:
    - Sandboxie: don't make the changes in the real world, but in a (temporary) copy
    - DefenseWall: keep the contained application OR the file it has created in a stronger than limited user environment, so it can do no lasting damage. Everything within these boundaries is allowed, everything exceeding them, denied

    ==> Tzuk, Ilya and Xiaolin need a secured and safe boundary which prevents the process or object from crossing the line. PrevX on the other hand also has a behavioral analysis component. When a developer digs three levels beneath the obvious and easy high level interface, this automatically makes it a very suspicious action, because there is no reason for a normal developer to use these low level commands. This means that PrevX can send programs showing this behavior for analysis to their servers (behavioral trigger) and mark them (blacklist) as malware when they indeed perform malicious actions.

    ==> This explains why PrevX can find ways to deal with the limitations and Tzuk, Ilya and Xiaolin cannot.

    ==> Interesting claim of some of the one man bands is that some of the larger security companies, just keep the same basic architecture under x64, while missing the guarantee to fully protect, because 90% covered is no real security solution. When sandboxie would virtualise 99,99 % of the actions of a contained program, the 0,01% it did not virtualise would most likely screw the integrity of the system (same applies for DefenseWall in a different manner)


    4. Signed drivers means that the producer of the software is "trustworthy". A signed driver is software which can have exploits (software bugs in untested situations which could be exploited by malware), or even worse, as PrevX pointed out, two companies could work together (one offering an opening, the other exploiting it). So yes, signed drivers would be a solution when no villains/cyber criminals lived in this world; signed drivers just raise the bar from script kiddies to professional malware writers and funds of criminals backing the developers to write malware. EDIT please understand that this is cynically intended: Signed drivers are no real solution


    Cheers Kees (please respond when this is not correct)
     
    Last edited: Aug 9, 2009
  14. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    OK, I got it- you don't lock your flat because the hall is secured. :D
     
  15. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Yes, it is one of the possible solutions. Not ideal, but possible...
     
  16. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    In fact, it's the solution protecting the platform against rootkits. It is possible to write a rootkit with official driver-level filtering API + DKOM.

    I don't know. I don't work for MS. :)
     
  17. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    You see, there is one more thing here- at x32, if we find a new way malware can penetrate, it is quite easy to bring a solution. With x64 restrictions, we don't have such confidence. At least, as you can see, screen grabbing protection is the real problem. Same issue with the "virtual memory" subsystem, and a few other things must be covered.
     
    Last edited: Aug 9, 2009
  18. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I have no idea about third-party software. I can say only for my software and my work.
     
  19. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    PrevXHelp made an excellent post explaining it, I will try to explain in layman's terms.

    In an OS you have routines or modules which do a lot of tasks for you, comparable to when you make a Macro or automate a sequence of actions with the task scheduler. So for instance when you would open a file, you could call a routine (easily accessible even for script languages) that would be called f.i. Open_File. This Open_File would prompt a standard dialog box with your defined skin (or the default user style of XP, Vista or Windows 7).
    And the user can enter the file to open, or navigate to the correct folder and select.

    So instead of writing all this code yourself, you can call these routines with one simple 'call' to this routine.

    This File_Open routine also consists of pieces of code and commands. So instead of using the File_Open, I could call a "function", or even a high level statement (doing just one thing for all OS-es complying to a certain standard e.g. NT or x32 or x64) or a low level statement (only guaranteed on a specific OS and a specific patch, because displacements etc could be different in the next patch). What PrevX explains and Ilya and Tzuk are arguing, you can not stop this in x64. The only difference is that when I use a low level statement this in itself is suspicious (all programmers are lazy and try to create as much functionality with the minimum amount of code), so one of the PrevX defense mechanisms kicks in (send it for analysis to the central servers).

    Because there is no way to stop it, Ilya and Tzuk can not make their software work.

    For PrevX that single user might be infected, but they can create a blacklist fingerprint to protect all their other users and possibly provide a post-intrusion cure for the poor user who is hit by this malware.

    It is the reason why animals live in flocks/herds etc. Only now there is a nice park ranger (prevX) who runs in with a heart-reanimation (do not know the proper English word for it) device and tries to kick some life into the attacked animal. It also provides a photo of the villain so the flock/herd will run when they see it.


    Also from the answers of PrevXHelp (it is at least 25 years since I was involved in IT as system architect/designer), it seems that Ilya and Tzuk are making it more of a principal discussion. PrevX help tackles most of their complaints when you correlate intrusion risk and impact (nearly every car which is sold can drive faster than the maximum speed limit, still government allows sales of those cars)
     
    Last edited: Aug 9, 2009
  20. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    I don't get how you can say it has any benefits, other than to Microsoft, after all we've talked about here.

    For those who didn't understand the technical stuff -- think about a bank robber driving down some main street. The police used to be able to put road blocks on the main street, but now there is a law that says they can't interfere with the main street anymore. So PrevxHelp has an idea: The police will put road blocks on every street that branches off from the main street.

    The bank robber is the malicious code. The police is Sandboxie. The new law is PatchGuard.

    PrevxHelp I suppose you're quite proud of your clever little idea, but seriously, if PatchGuard requires such crazy solutions to real problems, then does it really have a benefit?

    And please don't tell me that this is only a temporary situation until Microsoft develop new official interfaces. Because this temporary situation is built into the design of PatchGuard. There will always be some missing mechanism that Microsoft still has to address but is dragging its feet.

    If Microsoft wanted to make the kernel more stable, they could stop pretending that people don't do stuff like hook SSDT. Imagine that instead of PatchGuard, they would offer an official Hook-Kernel-Service function?

    I'm just amazed that you want to support something like PatchGuard which is effectively converting an open market into a tyranny and a bureaucracy. In all of history, concentrating power in the hands of a few, has never been a good idea.
     
  21. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    I was serious, it's not a joke.
     
  22. Windchild

    Windchild Registered Member

    Joined:
    Jun 16, 2009
    Posts:
    571
    I've chosen to mostly stay out of threads like this, because they generally don't accomplish too much beyond just making people angry at each other - as we can see from the personal attacks and gibes in this thread. But I'll chime in with one comment. Get your flamethrowers ready. :rolleyes:

    And that is exactly the problem with the thinking of many people, and especially with third party security software vendors: they think security is the responsibility of some third party, instead of the user and the author(s) of the operating system and installed software. One might call that "practical" thinking, but if you only apply that kind of thinking, we end up in a huge mess.

    Sandboxie is not "the police", as in the group of persons hired officially by the government that represents the people to offer protection to said people from criminal elements. Sandboxie is "some private security guard company" or "a group of kind-hearted mercenaries" hired by the bank. Windows is the police. How good it is at being the police is a different issue. If one understands that Windows is the police, then one also understands that Microsoft is the government (as far as their own OS is concerned), and the government will generally try to make laws that make things easier for the police to perform their tasks. The government isn't trying to make life easier for mercenaries or private security contractors. No, the mercs and the private security contractors will have to try and follow the laws, or move to a different jurisdiction. The government doesn't want the mercs and private security guards to be setting up roadblocks all over the place - that's the job of the police. If that makes things harder for mercs and private security companies, tough. People generally want the police to be effective, even if it makes some private security companies unhappy. Hey, no private security company is going to like it when the police are so good at preventing robbers from ransacking your house that you don't hire their guards and buy their security service to protect your house. This is exactly what's going on in the Unix world with AV products: the AV guys are trying to hype their products up and yell Unix is going to need them so badly, but users just don't care, because they feel that generally the police (the operating system) does a good enough job.

    If Microsoft makes its systems even a bit more secure - or to use the police analogy, if the government gives more authority and manpower to the police so they're more effective at protecting people - third party security people may end up being unhappy about it. That's life. One man gains, another man loses. The users - "the people" - should understand what motivates private security companies to complain about something the government and the police do or don't do.

    And no, this isn't intended to be an insult to anyone. If someone feels insulted, sorry, wasn't my intention. I'm just calling it like I see it - and everyone who thinks about these things should already know it anyway. Let us imagine a different world where we have a new operating system called "Doors" that is made by someone called "Microsift", and it is the most fantastically secure OS ever seen - no-one has ever even heard of a case of any user of "Doors" being infected with anything. Let's imagine that this OS steals the number one market position from an OS called "Windows" made by "Microsoft." Now, what do you think all the third party security software vendors are going to think? Think real hard: are they just all happy-joy-joy about the appearance of the "Doors" OS, or are they going to hate the thing for making the stuff they're trying to sell useless to most people? Answer that question, and you'll know one of many reasons why a lot of folks are whining about any security change or added protection Microsoft might ever make to their OS.

    And to answer the questions the original poster made:

    I will do exactly the same thing I've been doing on 32-bit systems. I would ditch absolutely any single piece of software for an operating system that supports a lot more RAM. Some security software? I'd ditch it every day of the week and twice on Sundays! I don't run my systems for security software. I run my systems for me to do useful things with them. Am I going to install some anti-malware software on my 64-bit systems? No. Am I going to care if some anti-malware doesn't work on 64-bit? No, absolutely not. Am I going to get the most out of my 64-bit systems in productive use, and still go without being infected, while saving money? Yeah.

    Sounds good to me. :D
     
    Last edited: Aug 9, 2009
  23. pbw3

    pbw3 Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    113
    Location:
    UK
    Does a "security change" guarantee "added protection"..!? :)

    Back to the police analogy - A government restricts private security firms from using any kind of force against potential criminals, because now only the police (with additional powers) are allowed to do that.. but if in fact the police are not a lot more competent than they were before....

    btw, I am not making a judgement on the software issue, simply asking the layman's question.. ie it depends on whether suddenly the police really are bucket loads more competent, or whether the total net effect may be reduced security / less personal freedom of choice / depending on whatever your personal criteria are..

    Peter
     
    Last edited: Aug 9, 2009
  24. BG

    BG Registered Member

    Joined:
    Jun 14, 2003
    Posts:
    214
    "jump in"
    Excellent post Windchild. I totally agree. After reading this very educational thread it was begging the question ...Which is more important the OS (productivity) or the Security software. Seems like security software was coming before the OS instead of the other way around.
    "jump out"
     
  25. tzuk

    tzuk Developer

    Joined:
    Jul 4, 2004
    Posts:
    34
    Obviously I take the opposite side and I think there is a problem with YOUR thinking. I take it from what you write that you don't appreciate free competition and you prefer that one entity (in this case Microsoft) is responsible for each subject (in this case operating system and security). As I said before, history shows this kind of thinking produces sub-optimal results.

    None of us is against Microsoft tightening the security of its operating system. In fact if the operating system was insecure to the extent that the very foundation is merely a facade, then none of our security tools would be any good anyway.

    But what we are against (Ilya and I, anyway), is for the largest entity to make it difficult for smaller entities to participate in free competition.

    You may not care about this, in fact it is obvious that you don't care about this. This is not unexpected and certainly you're not the only one with this opinion. But please just say that: Say that you prefer having more RAM to the availability of some obscure security tool. But don't try to justify anti-competition behavior as better security.

    Mandatory driver-signing by itself achieves the goal of blocking bad guys from infiltrating the lower levels of the system. I don't object to that. Only to PatchGuard, which seems to have the goal of blocking the good guys.
     