Robert McLaws: Windows Edition

Blogging about Windows since before Vista became a bad word

The Truth About PatchGuard: Why Symantec Keeps Complaining

Symantec has definitely been the target of my wrath as of late, and the time has now come to address the third and (hopefully) final paper (at least from Symantec) critical of Microsoft’s next big thing. This time, the target is PatchGuard.

PatchGuard effectively blocks any changes to the OS kernel, and stops unsigned kernel-level code from executing. Why? The answer is simple. The kernel is the lowest level of code in the OS. Its stability is critical to the stability of your system. Microsoft recognizes this, and now kernel-level code must go through extremely rigorous testing as part of the Security Development Lifecycle. Anything that hasn’t gone through that process does not get executed at the kernel level.
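One way to check that claim on a box of your own, as an added example that is not from the post or from Microsoft: list the kernel drivers currently running and report their Authenticode signature status. It assumes Windows PowerShell 3.0 or later and an elevated prompt; the function name is my own.

```powershell
# Added example: enumerate running kernel-mode drivers and report their
# Authenticode signature status. Function name is my own (hypothetical).
function Get-KernelDriverSignatureReport {
    [CmdletBinding()]
    param()

    $sysRoot = $env:SystemRoot
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName comes back in several forms (\??\C:\..., \SystemRoot\..., system32\...);
            # normalise to an ordinary Win32 path before looking at the file.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot\\', "$sysRoot\"
            $path = $path -replace '^system32\\', "$sysRoot\system32\"

            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                [pscustomobject]@{
                    Name   = $_.Name
                    Path   = $path
                    Status = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
                    Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            } else {
                [pscustomobject]@{ Name = $_.Name; Path = $path; Status = 'FileNotFound'; Signer = $null }
            }
        }
}

# Anything other than 'Valid' deserves a look. On an x64 system with driver signing
# enforced, an unsigned driver should not have loaded at all, so a 'NotSigned' entry
# usually means the policy was relaxed (test signing, boot option) rather than bypassed.
Get-KernelDriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table -AutoSize
```

Caveat: on older Windows versions Get-AuthenticodeSignature does not consult security catalogs, so catalog-signed inbox drivers can show up as NotSigned there; treat the output as a triage list, not proof.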

So understanding that no one but the Windows Core Team should be putting OS code in the kernel, Microsoft revoked everyone’s free pass into the kernel. It’s that simple. Some people would argue that this is a bad thing, because then we have to wait for Microsoft to patch problems as they arise. They argue that Microsoft is too slow to do this, and that they should be able to “provide this service” to Microsoft customers.

But here’s the $64,000 question: How many of you have installed “security” products from Symantec, McAfee, and others… only to find your system is much slower than before you installed it? I bet it’s a lot. Would you believe that your system is less secure too? Microsoft has something to say about this:

Q. What problems are associated with kernel patching?

A. Patching fundamentally violates the integrity of the Windows kernel by replacing actual kernel code with unknown third-party code. As a result, patching introduces problems in three primary areas: reliability, performance and, most importantly, security.

Reliability. The Windows kernel is tested extensively before any release of the operating system to ensure a high level of quality. Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code. Furthermore, kernel code is by its nature complex and critical to system stability, so bugs in unknown code can have a significant negative impact on system stability. An examination of Online Crash Analysis (OCA) data at Microsoft shows that system crashes commonly result from both malicious and non-malicious software that patches the kernel. (Emphasis mine)

Performance. Kernel performance is critical to the overall performance of the operating system. When low-level system calls are intercepted and unknown code is executed before control returns to the kernel, performance becomes unpredictable. Poorly designed unknown code can cause significant performance issues for Windows users.

Security. Patching results in unknown code executing in kernel mode, so it is increasingly an avenue of attack by malicious software.

Skywing from Uninformed (yes, the same Skywing that broke through PatchGuard on Windows XP x64 in the first place) explains why PatchGuard is a good thing and how anti-virus vendors are actually writing terrible and ridiculously unsafe code that has the potential to harm your computer more than it helps. His solution? The same as Microsoft’s: use documented APIs instead of undocumented hooks. (He decompiles code and gives specific examples of where a couple security vendors are really screwing the pooch in this area).

But this is all chaff to distract you from the real reason Symantec is blowing their horn so loudly. In the report on the issue (“Windows defense handcuffs the good guys”), the Symantec spokesperson all but revealed the true reason for these reports:

"It seems a bit disingenuous of Microsoft. They are getting into the security market and are disallowing this whole class of security products that they don't have," McCorkendale said. "It does not feel like a level playing field at that point."

McCorkendale stopped short of saying that Symantec would sue Microsoft or complain to antitrust authorities. However, Yankee Group analyst Jaquith believes that step is getting closer, especially if Microsoft were to give its own security products a way to bypass PatchGuard.

AH HA! I get it now! PatchGuard is really there so nobody but Microsoft can build Windows security products. Looks like someone has their tin foil hat on too tight. Symantec is trying to build up a case to try Microsoft as being anti-competitive in the court of public opinion. But this line of reasoning is pure crap. None of Microsoft’s other products have access to the kernel, either. Jeff Jones from Microsoft Security dove into it further:

I went to the Host Security product team and asked them if they got to hook the kernel - they did not. They said that the x64 version of their product for Windows Vista would use the defined interfaces, just like any 3rd-party security product. They said they'd have to re-implement certain aspects from the way things were previously done.

Next, I went to the Windows Firewall product team and asked them if they got to hook the kernel. They said no. A new Windows Filtering Platform (aka defined interfaces) had been introduced for Vista, which they would be using just like everyone else.

The Windows Vista Security Blog has more:

These solutions were designed with reliability and long term supportability in mind, and also provide a means for multiple products to co-exist without the conflicts that kernel patching could cause. We have been working with our security partners and other types of partners for almost 2 years to assist them in making their solutions compatible with our current x64 architecture, and we are working with them even more closely as the Windows Vista launch approaches. If your application or driver must perform a task that you believe cannot be accomplished without patching the kernel, contact your Microsoft representative or for help in finding a documented alternative. (Emphasis mine)

Microsoft says they'll help you find the right answer... So what's the problem? Anyways, Microsoft is not without its own jabs in this argument. In response to Symantec's incessant babbling about the insecurities in old beta builds, CNET has Microsoft's reaction:

Microsoft thanked Symantec for its feedback, even though the software giant called it "unusual for a partner to provide this amount of analysis and publish its findings on a beta version of Windows Vista."

As if it wasn't already obvious. Look, Symantec has every reason to be worried in this space. Windows Live OneCare grabbed 15.4% market share in its first month, and 10.1% of that was from Symantec. Why? Because it's less bloated than Symantec's product.

The problem Symantec has is not in Vista's "virgin network stack" or that UAC might have been improperly designed in older builds. Symantec is pissed that, in order to build a product for Windows Vista, they're going to have to totally rewrite their security suite. And they might even have to put some effort into doing it right. And that's a problem for a company who has been profiting from Microsoft's security problem for the last 15 years. Now that Microsoft has gotten their security act together, Symantec can't be innovative, and has to resort to inventing problems to stay relevant.

The bottom line is, I'd rather Microsoft keep everyone out of the kernel, good code, bad code, or indifferent. I think they made the right decision, and I think that all security software will be better for it. If only Symantec & Co. would just quit bi%^*ing and start writing some decent code already...

  • Here's my take on this whole thing... Cry me a river McAfee, Symantec, and all you other third party vendors of "anti-virus" products! I look at it this way - let Microsoft take complete ownership of the kernel! Make them ultimately responsible to fix the holes that exist - not some third-party entity!

    I have used McAfee and Symantec at home in the past, and found that the use of their products puts a serious dent in my computers' performance - call it services bloat or whatever. It wasn't until I got away from these purveyors of resource hogs, and tried EZ-Trust (CA) and now OneCare, that I see that your resident AV software doesn't have to drag your system down with it to be effective.

    I am a SysAdmin, actually the only systems person in my company, and yeah - I use Symantec Corporate. The choices out there are plenty, but they have a reputation for the corporate side - and the higher-ups work on that regard. However, guess what I am running on my work laptop - OneCare. I can't afford the overhead of the Symantec client.

    Microsoft owns the code, let 'em fix it. Do I trust Microsoft to do so quickly, and without impact to my system? Nope. But I don't trust these other guys either. I'd much prefer to stare one devil in the face and hold them accountable, than a trio of other actors.

    October 4, 2006 10:32 AM
  • Symantec seems to think that Vista's User Account Control prompts people too much, and wants to make

    January 10, 2007 12:48 PM