McAfee and Symantec get vocal about Vista - but do they *really* have our best interests at heart?
This article is a joint effort between Sandi and Walter Clayton (thanks Walter).
I am getting seriously grumpy at McAfee and Symantec. They are spouting some absolute rubbish in their fight to maintain access to the Windows kernel in Vista x64.
Being in Australia I don't have access to the full page advertisement, but I do have access to the MSN interview with the Chairman and CEO of McAfee:
http://video.msn.com/v/us/v.htm?g=491dd294-084f-45bb-8e29-b8570a026430&f=rssmoney&fg=rss&f=15/64rssmoney
McAfee's CEO says in the video that McAfee are "educating" users? Rubbish!!!
McAfee are *not* educating users, not when they spout rubbish like their allegation that being locked out of the kernel is going to "destroy the internet experience".
Yes, users are expecting a "highly available and reliable internet experience without bugs and worms and attacks" but guess what - McAfee and Symantec are *not* giving you that experience, nor are they protecting you from all bugs, worms and attacks.
McAfee and Symantec have had years to prove that they can reliably protect users from all of the bad guys out there. As McAfee said, they have had access to the kernel for "10-15 years". Yet, despite all those years of access, Symantec and McAfee users are not being fully protected from "bugs, worms and attacks". I have been at the front line of the malware fight since 2000 and I can tell you that McAfee and Norton (and if I am to be honest, all other antivirus applications) have not been providing the 100% protection their users require. Machines still get infected. The reality is that the constant game of 'catch-up' that is the end result of signature and heuristic scanning IS NOT PROTECTING USERS.
The bad guys have been upping the ante for years and it is time to say ENOUGH!! The bad guys use hidden services, they use rootkits, they dig their tendrils so deep into a system it is extremely difficult to get that stuff out. It has to stop.
If McAfee can get to the kernel, and Symantec can get to the kernel, then so can the bad guys. You do not want this.
McAfee and Symantec can still offer products for Windows Vista but they will have to change the way that they code their product. They will have to use the provided APIs instead of hacking the kernel.
------------------------------------------------------------------
Walter says:
Referencing:
http://www.stepto.com/default/log/displaylog1.aspx?ID=258 and http://www.thechannelinsider.com/pages/article.aspx?articleid=190351&page=1&pagetype=article
First, let's look at things from a historical standpoint. Let me start off by saying: don't go glassy-eyed yet. McAfee, Symantec and F-Prot (as of this writing) have issues, and those issues are totally bogus, as I'll explain.
When Microsoft got into the operating system business things were quite a bit simpler and presumed safer. Trusting the application that was running was not really an option, and in any case it was irrelevant for hardware reasons. In those days the hardware did not and could not support any kind of sanity checking. Setting aside the technical questions of whether or not MS-DOS and Windows v1 through v3 were just file managers with a GUI or real operating systems, the entire intent of Microsoft operating systems, from MS-DOS through Windows 1, 2, 3, Windows NT, 95, 98, SE, Me, 2000 and XP, has been to enable users and developers to run applications and devices of their choice in a predictable manner. Microsoft simply provided a consistent way for application developers to do their jobs to make life easier for users. They did this by providing an "abstraction" layer, although that term wasn't widely used until recently. Abstracting, in this instance, simply means that there is a common interface between the application developer and the hardware. This is important for application developers since otherwise application development would be a nightmare. Without the abstraction layers, and yes there are multiple, the application would have to be coded to handle all possible hardware combinations. With abstraction an application can be written that simply says "Read a key then display it". Without the abstraction, let's just say it gets rather convoluted.
Consider also that up until the mid 90's, PC-based hardware lacked certain features, available only on non-Intel based systems, that allowed the operating system to attempt to protect itself from inadvertent tampering (i.e. buggy code, much less malicious tampering). Why is non-Intel a factor? Microsoft and IBM were partners at the time and IBM made the decision to target PCs for Intel hardware. 'Nuff said without getting rather deep from a technical standpoint.
At the time that McAfee was founded and Norton Anti-Virus was first offered, developers had unrestricted access to the hardware and the system or kernel code. At this time, there was no way for the system to protect itself, and this wasn't considered necessarily a "bad thing" since Microsoft was simply enabling developers. And if that meant the developer needed to supplement or replace a Microsoft supplied function then so be it. Personally I have done such myself, since I found it, at the time, faster to take over direct control of the keyboard and display hardware in most instances. But keep in mind that at the time Microsoft couldn't do much to enforce a decision otherwise. [Input by Sandi: remember, back in those days it simply didn't occur to anybody that one day there would be an entire crime-based industry dedicated to compromising, and using, PCs for nefarious purposes like creating zombie armies to attack Web sites and networks, and send spam].
There is some confusion as to when the first real PC based virus was discovered. Suffice to say that it was in the early-mid 80's although viruses for other systems existed prior to that.
So what were the (potential) AV vendors of the time to do? They knew that the system could not practically protect itself.
They decided that the solution, which was the only solution at the time, was to trump the virus writers. They figured they'd hook the system before the nasty thing hooked the system. Ta-da! Oops! The nasty things started to hook the system before the AV vendors got into play. Then the AV vendors got wise and hooked the system before the nasty, etc. It's been a never-ending cycle with the AV vendors playing catch-up to the malware vendors. But the central thing is that all parties involved, both the bad guys as well as the good guys, have been able to do what they wish with the hardware and system. As it was put on the Stephan Toulouse blog, "nuclear detente" has set in. Whoever hooks the system at the lowest level owns the machine. And the AV industry as a whole is struggling with that issue.
All through the history of Windows, with the exclusion of two current versions, this detente has been allowed for the simple reason that Microsoft has been bending over backwards to ensure maximum compatibility between different versions of Windows.
Part of that initiative has resulted in leaving the system exposed even after hardware changes made it possible for Microsoft to start closing some of the holes that the malware writers, and yes, the AV vendors as well, were exploiting.
Now fast forward in time to 2004 (approximately). Microsoft releases versions of Windows 2003 and XP that support the full feature set of the latest AMD/Intel processors. These are 64 bit processors, as opposed to the 32 bit processors that have been around since the days of Windows 95/NT (at the least). This is significant for a couple of reasons. First, there is hardware support that prevents some of the more classic forms of hacking a system in the form of buffer overruns. This is Data Execution Prevention, AKA DEP. Secondly, it gave Microsoft a clean "line in the sand". What DEP does is minimize the ability of malware to execute from unexpected locations. What the "clean line in the sand" implies is that there are enough architectural differences between 32 bit and 64 bit applications that Microsoft can pretty much ignore a lot of backwards compatibility. Which means they can now say "enough is enough and you shall not hook the system anymore".
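Since the argument above rests on DEP actually being enforced, here is a quick way to check what a given Windows machine reports for it. This is an added example for this post, not something from McAfee, Symantec or Microsoft; it reads the documented DEP properties of the Win32_OperatingSystem CIM class and the boot loader's nx setting (the bcdedit call assumes an elevated prompt).

```powershell
# Added example: report the DEP configuration this machine is enforcing.
# Property names come from the Win32_OperatingSystem CIM class.
function Get-DepStatus {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # DataExecutionPrevention_SupportPolicy values:
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (Windows programs/services only), 3 = OptOut
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

    [pscustomobject]@{
        OSArchitecture  = $os.OSArchitecture
        Is64BitOS       = [Environment]::Is64BitOperatingSystem
        DepAvailable    = $os.DataExecutionPrevention_Available
        DepFor32BitApps = $os.DataExecutionPrevention_32BitApplications
        DepForDrivers   = $os.DataExecutionPrevention_Drivers
        DepPolicy       = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }
}

# The boot loader's nx entry is the other side of the same policy; bcdedit needs elevation.
function Get-DepBootSetting {
    (bcdedit /enum '{current}' | Select-String -Pattern '^\s*nx\s+(\S+)').Matches |
        ForEach-Object { $_.Groups[1].Value }
}

$status = Get-DepStatus
$status | Format-List

if (-not $status.DepAvailable) {
    Write-Warning 'This hardware/OS combination does not report DEP support.'
} elseif ($status.DepPolicy -eq 'AlwaysOff') {
    Write-Warning 'DEP is disabled by boot policy; the protection described above is not in effect.'
} else {
    Write-Host "Boot loader nx setting: $(Get-DepBootSetting)"
}
```

On a 64-bit install you should see Is64BitOS true and DepAvailable true; an OptIn policy means only Windows programs and services are covered by default, which is worth knowing before assuming every process on the box benefits.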
Keep in mind the following:
This technology has been in production Microsoft operating systems since 2004. Symantec, McAfee and F-Prot have, or will soon have, solutions that run in the 64 bit paradigm, and it is only the 64 bit paradigm that prevents them from screwing with the hardware and altering the kernel on the fly like malware does.
Microsoft has intentionally decided that they will allow the 32 bit version of Vista to be exposed to kernel hacking. This way Symantec/McAfee/F-Prot can continue their game of "nuclear detante", or "cops and robbers" to their heart's content. [Input by Sandi: I am so not happy about this - I'd have preferred Microsoft to stick to their guns on this.]
Due to compatibility reasons on the part of OEMs, 32 bit Windows Vista will be the standard version of Windows installed for a while. This means that Symantec/McAfee/F-Prot can still root-kit the system rather easily, just as the malware writers can (and it's guaranteed that the bad guys will win). As long as Symantec/McAfee/F-Prot refuse to grow up and face reality in the rather rare 64 bit world, they can still play "cops and robbers" in the rather predominant 32 bit environment.
The issue revolves around the fact that Symantec/McAfee/F-Prot are unwilling to compete on a level playing field. They do not want to change their paradigm even though they get hacked via the paradigm to which they cling so tightly.
------------------------------------------------------------------
Back to Sandi.
I have also seen a PDF copy of a statement released by McAfee:
http://mcafee.com/us/local_content/misc/vista_position.pdf
Not surprisingly, the statement by McAfee not only contains factual errors, but will likely cause unnecessary FUD (fear, uncertainty and doubt). There are, however, several respected people countering the FUD with a big dose of reality via blog entries and online interviews. I strongly recommend that you read each blog entry and interview in its entirety. They all have very compelling arguments, and very important information that will help you decide for yourself just how honest McAfee and Symantec are being about their reasons for complaining about the kernel lockdown in Vista x64.
Let's start with Stephan Toulouse - Security Program Manager at Microsoft:
http://www.stepto.com/default/log/displaylog1.aspx?ID=258
Next, let's listen to Rocky Heckman, an ex-Security MVP who is also a CISSP and MCSD and who is undertaking PhD research into secure software development (in other words, he really really REALLY knows what he's talking about):
http://www.rockyh.net/Posts/Post.aspx?postId=6d119600-53a9-4bf4-b491-2b04127f4022
"This doesn't mean that AV vendors can't still write AV products that work, it just means that they have to use the APIs provided rather than hacking the kernel itself. It appears that they are angry because now they have to interact with the kernel like everyone else.
Yeah it sucks if you have to re-write the way your code interacts with the OS, it means work. But you'll be able to do the same things you did before using the right APIs."
Moving right along - here is Jeff Jones - Strategy Director, Security Technology Unit at Microsoft:
http://blogs.technet.com/security/default.aspx
Then, an interview with Ben Fathi, corporate vice president of the company's Security Technology Unit, in Redmond, Washington:
http://www.thechannelinsider.com/article/Microsofts+Fathi+Responds+to+Vista+Security+Concerns/190351_1.aspx
Follow that with Harry Waldron - a Security MVP who provides security news, articles, and best practices for several technical forums, including: McAfee, My IT Forums, Aumha, Calendar of Updates, MVS Help Forums, CNET, Tech Republic, and Bleeping Computers.
http://msmvps.com/blogs/harrywaldron/archive/2006/10/05/Windows-Vista-_2D00_-Should-security-products-have-access-to-the-kernel_3F00_.aspx
Finally, let's give the last word to the highly respected Jesper Johansson, until not long ago a Senior Security Strategist in the Security Technology Unit at Microsoft and now Principal Security Program Manager at Amazon.com:
http://msinfluentials.com/blogs/jesper/archive/2006/10/04/Security-Vendors_3A00_-Microsoft-is-making-Vista-Too-Secure.aspx
"In a sense, [McAfee and Symantec] have built their business on protecting users of Windows from Microsoft, and Microsoft healing the patient cuts into their business doing the same. As Microsoft's Security Chief Ben Fathi said, the security vendors want Microsoft to "keep the patient sick," and by extension, keep customers at risk, so that the security vendors can keep charging for the healing."
In my personal experience, as somebody who has been fighting malware since 2000, security vendors may charge for the healing, but they are NOT doing a good enough job. You just have to read some of my entries on this very blog to see how much the security vendors are missing, and what they are not removing.
The bad guys are getting past McAfee and Symantec and others, and if the “Big Two” were *truly* concerned with user security, they would not be fighting this change, which is going to make such a big difference in the malware fight by stopping the bad guys *before* they can do some of their most damaging and difficult to remove tricks. They’d be working on changing their code to work with what is going to be a quantum leap forward in security improvement for users.
Prevention is better than cure. Signature based scanning, heuristics and adding detection for new malware *after* it has already been released and has started infecting machines around the world, isn't working. I need help to stop the bad guys from getting their tendrils so deep into the OS that it is getting more and more difficult to remove them. It is getting to the stage where reformatting is sometimes the only option for systems infected with the worst malware, even with McAfee, Symantec or other security vendors' products installed, and that is simply not good enough.