Robert McLaws: Windows Edition

Blogging about Windows since before Vista became a bad word

Gartner Has Officially Jumped the Shark

Joris Evers from C|Net covers a Gartner report that says that HIPS solutions will not work on Vista x64. But wait a second, didn't just post an excellent article about how the Sophos antivirus product works like a charm on Vista x64, without interfering with PatchGuard?

In an interview with BetaNews on Friday afternoon, Sophos senior security analyst Ron O'Brien suggested that, even though his company plans to participate with Microsoft's program to build a security services API for Windows Vista SP1 -- and perhaps because of that fact -- Microsoft does not need to create a bypass mechanism for its upcoming PatchGuard kernel lockdown service, as other vendors have recently insisted.

"Two of our largest competitors, McAfee and Symantec - which clearly have anti-virus products that compare to Sophos - have publicly complained that being locked out of the Vista kernel somehow prevents them from being able to innovate," O'Brien noted.

"I would say that the opposite is really true: that by not focusing on having Microsoft provide us with the means to access the kernel, and in fact using the APIs that have [already] been provided by Microsoft, we are not experiencing any problems with PatchGuard for our latest HIPS technology, Sophos Anti-Virus, or any of the other aspects of our security offering for either 32-bit or 64-bit versions of Windows Vista."

By HIPS, O'Brien is referring to Sophos' current Host Intrusion Prevention System, a version of which is being planned for the initial release of Vista. The system uses heuristics to examine the behavior of software that may not have been identified as viruses by way of signature, to determine whether it is likely to negatively impact the system.
Sophos' Ron O'Brien contends, however, that this is not a problem, at least from his company's perspective. "I would say that other vendors may not have coded their solutions with 64-bit Vista in mind," he told BetaNews, "but because we've taken a slightly different approach to HIPS, focusing more on identifying bad behavior by analyzing code before it executes, we have been able to make do with the interfaces that have been provided by Microsoft, rather than trying to subvert the kernel. That's why we're ready for 64-bit Vista, and other companies are not."

Wow. See, this is exactly what I've been saying. McAfee and Symantec are using FUD to cover the fact that their software sucks and they're too late to fix it, while forward-thinking companies like Sophos have already adapted. It looks like with Scott's article (excellent reporting, BTW), Sophos gained more than a few new customers. Myself included.

If it isn't plain as day that Gartner has an agenda other than finding facts, I don't know what is. Someone please show these guys the door. Looks like they can join the Irrelevance Club that John C. Dvorak and Paul Thurrott started.

Posted on Oct 20 2006, 04:14 PM by Robert McLaws
  • List244 said:

    Well, this is all very true. But, I must say myself, I was quite shocked when hooking no longer worked. I now have some non-functional code, which once ran great. However, I will not complain; I think it is good that Microsoft has stopped this, overall.

    October 22, 2006 9:55 AM