Kernel Patch Protection

From Wikipedia, the free encyclopedia

Kernel Patch Protection, informally known as PatchGuard, is a feature of x64 editions of Microsoft Windows that prevents patching the kernel.^[1] It was first included with Windows XP x64 in 2005.^[2]

Contents 1 Advantages 2 Criticisms 2.1 Third party applications 2.2 Weaknesses 2.3 Antitrust behavior 3 External links 4 References

[edit] Advantages

Patching the kernel has never been supported by Microsoft^[2] because it can cause a number of negative effects. Kernel Patch Protection protects against these negative effects, which include:

• The Blue Screen of Death, which results from serious errors in the kernel.^[1]
• Reliability issues resulting from multiple programs attempting to patch the same parts of the kernel.^[2]
• Rootkits can use kernel access to embed themselves in an operating system, becoming nearly impossible to remove.^[1]

Microsoft's FAQ about PatchGuard explains^[3]

Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code...An examination of Online Crash Analysis (OCA) data at Microsoft shows that system crashes commonly result from both malicious and non-malicious software that patches the kernel.

[edit] Criticisms

[edit] Third party applications

Some computer security software, such as McAfee's McAfee VirusScan and Symantec's Norton AntiVirus, works by patching the kernel. This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.^[4] Interestingly, Sophos's corporate antivirus software does work on x64 editions of Windows.^[5]

Antivirus software made by competitors Sophos and Kaspersky Lab does not patch the kernel. These companies do not feel that Kernel Patch Protection limits the effectiveness of their software.^[6][7][8]

Contrary to some media reports, Microsoft will not weaken Kernel Patch Protection by making exceptions to third-party security applications. Instead, Microsoft is actively working with third party companies to create new Application Programming Interfaces that will resolve any problems Kernel Patch Protection creates.^[2] These new APIs are expected to be included with Windows Vista Service Pack 1.^[8]

[edit] Weaknesses

Security researchers Skape and Skywing published a report that describes methods, some theoretical, through which Kernel Patch Protection might by bypassed. Also, security company Authentium developed a working method to bypass Kernel Patch Protection.^[9]

However, Microsoft is committed to remove any flaws that allow bypassing Kernel Patch Protection as part of its Microsoft Security Response Center process.^[10]

[edit] Antitrust behavior

The European Commission expressed concern over PatchGuard, thinking it was anticompetitive.^[11] However, Microsoft's own antivirus product, Windows Live OneCare, has no special exception to PatchGuard and will also have to be rewritten to use the new interfaces in Windows Vista.^[12]

[edit] External links

• The Truth About PatchGuard: Why Symantec Keeps Complaining
• An Introduction to Kernel Patch Protection
• Microsoft executive clarifies recent market confusion about Windows Vista Security
• Kernel Patch Protection: Frequently Asked Questions
• Windows Vista x64 Security – Pt 2 – Patchguard

[edit] References

1. ^ ^{a b c} Field, Scott (2006-08-11). An Introduction to Kernel Patch Protection. Windows Vista Security blog. Microsoft. Retrieved on 2006-11-30.
2. ^ ^{a b c d} Allchin, Jim (2006-10-20). Microsoft executive clarifies recent market confusion about Windows Vista Security. Microsoft. Retrieved on 2006-11-30.
3. ^ Kernel Patch Protection: Frequently Asked Questions. Microsoft (2006-10-03). Retrieved on 2006-11-30.
4. ^ Montalbano, Elizabeth. "McAfee Cries Foul over Vista Security Features", PC World, 2006-10-06. Retrieved on 2006-11-30.
5. ^ Symantec AntiVirus Corporate Edition: System Requirements. Symantec (2006). Retrieved on 2006-11-30.
6. ^ Jaques, Robert. "Symantec and McAfee 'should have prepared better' for Vista", vnunet.com, 2006-10-23. Retrieved on 2006-11-30.
7. ^ Wendlandt, Astrid. "Microsoft Is Not Trying to Block Access Says Kaspersky", eWeek, 2006-10-06. Retrieved on 2006-11-12.
8. ^ ^{a b} Fulton, Scott M., III. "Sophos: Microsoft Doesn't Need to Open Up PatchGuard", BetaNews, 2006-10-20. Retrieved on 2006-11-12.
9. ^ Hines, Matt. "Microsoft Decries Vista PatchGuard Hack", eWEEK, 2006-10-25. Retrieved on 2006-11-30.
10. ^ Gewirtz, David. "The great Windows Vista antivirus war", OutlookPower, 2006. Retrieved on 2006-11-30.
11. ^ Espiner, Tom. "EC Vista antitrust concerns fleshed out", silicon.com, 2006-10-25. Retrieved on 2006-11-30.
12. ^ Jones, Jeff (2006-08-12). Windows Vista x64 Security – Pt 2 – Patchguard. Jeff Jones Security Blog. Retrieved on 2006-11-30.