
October 10th, 2006

Symantec and McAfee should stop crying about Vista

Posted by George Ou @ 5:02 pm

Categories: Security, Vista


George Heron, Chief Scientist at McAfee, spoke out in this commentary on why he thinks "Microsoft is wrong on Vista security".  McAfee has been in full-scale attack mode along with rival Symantec and even posted a full-page ad in the Financial Times against Microsoft locking down access to the Vista kernel.  Adobe and Symantec are lobbying sympathetic European Union regulators, who are already trying to squeeze as much money out of Microsoft as they possibly can, to get tough on Microsoft in the area of document formats and kernel security.  But are these really legitimate complaints or just sour grapes?

But is there a bit of hypocrisy in these AV vendors' arguments?  Symantec openly argues that Vista kernel protection can already be bypassed by malware (though this loophole can be closed with page file encryption) and that the kernel protections only handicap antivirus vendors.  Why pretend on the one hand that they're being "handcuffed" by Vista kernel protections and then say in the same breath that it doesn't stop malware from modifying the kernel?  If it's so easy for malware to modify the kernel as Symantec suggests, why doesn't Symantec simply modify the kernel using these same methods available to malware instead of expecting Microsoft to provide a formal programmatic way of modifying the kernel?  Symantec and McAfee are essentially expecting Microsoft to bless the kernel modifications, but if they really think modifying the kernel is such a great idea, they should just go ahead and do it and take responsibility for kernel stability.  If they don't want to take responsibility for modifying the kernel, then they should be quiet and work with the Vista antivirus APIs like Kaspersky does.

Many people in the IT industry and computer users in general are sick and tired of antivirus companies, and you can tell that by the abundant negative feedback we get whenever the subject of Symantec and McAfee comes up.  People are sick and tired of the resources taken up by antivirus software, and recent tests confirm that antivirus software makes your PC crawl.  Ironically, Symantec and McAfee took the top dishonors by being the biggest resource hogs of all.  Furthermore, antivirus software will often make your PC more vulnerable to attack than if it didn't have any antivirus installed at all, because malicious packages can be rigged to exploit the AV software itself.  It has always baffled me why someone would pay top dollar to have their PC dragged down to a crawl and be exposed to even more security risks.  It is a well-known secret among security experts that every bit of code you add to a system carries its own security risks, and security software is no exception.

Having come from an IT consulting background, I personally attended their sales meetings as recently as last year and witnessed their sales tactics first hand.  The AV vendors would actually position their software as an alternative to Microsoft's Windows patches.  They openly boasted about the fact that they had clients who didn't patch their operating systems for a year.  The problem is that you're paying top dollar for a security solution to replace a free patching solution.  Furthermore, the effectiveness of AV solutions is limited to known patterns and known signatures, and so-called "behavior based AV" doesn't really exist even though many AV vendors claim to be behavior based.  One AV vendor contacted me and told me their solution was proactive, but when I asked them what zero-day attacks they had preemptively stopped recently, I never got a response back.

If any AV vendors will come forward and answer this challenge, I'd be happy to praise your product publicly if it can detect any of the zero-day attacks proactively.  I don't just mean sandboxing technology, since I can already do that with proper permission lockdowns; I want to see actual detection of a zero-day threat before any patches or updates are applied to the antivirus or IDS definitions.

But is there an alternative to expensive, insecure, performance-draining antivirus software?  There certainly is, and it's free and will get easier to do with Windows Vista.  The Administrator accounts in Windows Vista are no longer like the Administrator accounts in Windows XP, because administrators are now effectively sudo users.  Internet Explorer 7 running under Vista will run in a virtual jail using something called Vista Protected Mode.  New group policies in Windows Vista can actually prevent even administrative users from escalating code to administrator level, and this can be set at a domain level for all users in an organization globally or by groups.  Even if a user is foolish enough to manually authorize a UAC prompt, the local or domain policy can prevent any kind of unsigned and untrusted code from escalating to root level permissions.

This is effectively a white-list security model where all code is untrusted by default unless it is from a trusted source whereas the Antivirus security model uses a black-list approach that trusts all code by default until proven guilty.  Permission escalation restrictions will prevent all Malware code from infecting the system unless there is an unpatched or undocumented code escalation exploit.  While that isn't perfect, we know that code escalation exploits aren't nearly as frequent as all the other kinds of software and social engineering vulnerabilities and they get patched fairly quickly so the window of risk is relatively small.  Compared to the black-list security model it is infinitely better.
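The two models described in the last two paragraphs, as an added example that is not code from the original post or from any product it mentions: a toy policy evaluator that runs the same three files through a default-deny allow-list (trusted publisher or trusted hash, standing in for the Vista escalation policy) and through a default-allow deny-list (a hash set standing in for an antivirus definition file). The file names, contents, publisher names and hashes are all constructed, and `signer` is an assumed stand-in for the publisher on a code-signing certificate.

```python
# Added example, not code from the original post: allow-list (default deny)
# versus deny-list (default allow) policy decisions on constructed sample files.
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Executable:
    name: str
    content: bytes
    signer: Optional[str]  # publisher name (assumed field), None when unsigned


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample files: a trusted OS binary, a worm already in the
# definition file, and a brand-new unsigned file nobody has seen yet.
OS_BINARY = Executable("notepad.exe", b"constructed notepad bytes", signer="Constructed OS Vendor")
KNOWN_WORM = Executable("worm.exe", b"constructed worm bytes", signer=None)
ZERO_DAY = Executable("invoice.exe", b"constructed never-seen-before bytes", signer=None)

# Allow-list policy: only these publishers and these exact hashes may run.
TRUSTED_SIGNERS = {"Constructed OS Vendor"}
TRUSTED_HASHES = {sha256_hex(OS_BINARY.content)}

# Deny-list policy: hashes of known malware, i.e. the AV definition file.
MALWARE_HASHES = {sha256_hex(KNOWN_WORM.content)}


def allowlist_decision(exe: Executable, trusted_signers=TRUSTED_SIGNERS,
                       trusted_hashes=TRUSTED_HASHES) -> str:
    """Default deny: a file runs only if its signer or its exact hash is trusted."""
    if exe.signer in trusted_signers or sha256_hex(exe.content) in trusted_hashes:
        return "allow"
    return "deny"


def denylist_decision(exe: Executable, malware_hashes=MALWARE_HASHES) -> str:
    """Default allow: a file runs unless its hash is already in the definitions."""
    if sha256_hex(exe.content) in malware_hashes:
        return "deny"
    return "allow"


def compare(executables, malware_hashes=MALWARE_HASHES) -> dict:
    """Return {file name: (allow-list verdict, deny-list verdict)} for each file."""
    return {exe.name: (allowlist_decision(exe), denylist_decision(exe, malware_hashes))
            for exe in executables}


def window_of_exposure(exe: Executable, malware_hashes=MALWARE_HASHES):
    """Deny-list verdict for a file before and after a definition update adds it.

    Returns (verdict_before_update, verdict_after_update). The allow-list verdict
    for the same file never changes, because it never depended on recognising it.
    """
    before = denylist_decision(exe, malware_hashes)
    updated = set(malware_hashes) | {sha256_hex(exe.content)}
    after = denylist_decision(exe, updated)
    return before, after


if __name__ == "__main__":
    for name, (wl, bl) in compare([OS_BINARY, KNOWN_WORM, ZERO_DAY]).items():
        print(f"{name:12} allow-list: {wl:5}  deny-list: {bl}")
    print("zero-day under deny-list before/after definition update:",
          window_of_exposure(ZERO_DAY))
```

Running it shows the point of the paragraph: the never-seen `invoice.exe` is denied by the allow-list from the start, while the deny-list only denies it once a definition update has added its hash, which is exactly the window the post says antivirus leaves open. The evaluator models only what the two policies can decide about a file; it does not model the escalation exploit the paragraph names as the remaining gap in the allow-list approach.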

So is there still a place for Antivirus software?  Sure, at the FTP/HTTP/SMTP gateway where it can keep a lot of the Malware off the network to begin with.  But it definitely stinks when it's on the PC and it stinks even more when it's in the kernel.  I'm sure the AV vendors will disagree with my assessment of the Antivirus industry in general and they're even free to modify the Vista kernel using undocumented methods, just don't expect Microsoft's blessing or mine.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.

  • Talkback
  • Most Recent of 275 Talkback(s)

George Ou
You cheapskate Linux users sound like the Republican party's election campaign. All you know how to do is to run your negative mouths. If you think George said something wrong then address it. If y...
Posted by: Winfan Posted on: 10/27/06
Be careful what you wish for  TonyMcS | 10/10/06
Choice / PatchGuard  D. T. Schmitz | 10/10/06
so there  D. T. Schmitz | 10/10/06
more  D. T. Schmitz | 10/10/06
and more  D. T. Schmitz | 10/10/06
Choice  D. T. Schmitz | 10/10/06
Choice  D. T. Schmitz | 10/10/06
Choice  D. T. Schmitz | 10/10/06
Which blog did you read Dietrich?  georgeou | 10/10/06
The Great  D. T. Schmitz | 10/10/06
you should mention the 'troll' in every post of yours  zzz1234567890 | 10/10/06
defcon!  D. T. Schmitz | 10/10/06
You're not so much a troll...  John Zern | 10/11/06
Yeh?  D. T. Schmitz | 10/11/06
Trolls  M.R. Kennedy | 10/12/06
Here you go  D. T. Schmitz | 10/10/06
And how . . .  jlhenry62 | 10/11/06
Writing to holes  Robert Crocker | 10/10/06
If they want to modify the kernel, they can  georgeou | 10/10/06
Is there any MS behavior would you find unacceptable?  Richard Flude | 10/10/06
I just tried Vista RC2, and it links to third party vendors first  georgeou | 10/10/06
funny, I got TrendMicro...  Arm A. Geddon | 10/11/06
Coincidence?  Robert Crocker | 10/10/06
Microsoft's product works with the standard API available to everyone else  georgeou | 10/11/06
Who is the real troll?  strubinsky@... | 10/13/06
The Obvious  D. T. Schmitz | 10/10/06
Paradigm shifting  IanX | 10/10/06
Agreed, it's the whitelist model versus the blacklist model  georgeou | 10/10/06
I fully agree it is insane.  osreinstall | 10/10/06
Running drop my rights on untrusted code is more acceptable to the users  georgeou | 10/10/06
It would be a pain in other ways also.  osreinstall | 10/11/06
You can always mess the system up more by deleting NTLOADER  georgeou | 10/11/06
I suppose you could hit it with a hammer too.  osreinstall | 10/11/06
Yep  jragosta | 10/11/06
Yeah  Grayson Peddie | 10/11/06
right....  adthom | 10/11/06
And maybe you could  zkiwi | 10/11/06
BS  toadlife | 10/11/06
Well...  zkiwi | 10/12/06
Well?  toadlife | 10/12/06
Thanks for your non-response  zkiwi | 10/14/06
Leave it to the Microsoft shills......  jragosta | 10/11/06
BeOS? Lol!  toadlife | 10/11/06
It was quite a while ago  jragosta | 10/12/06
You've got to be kidding me  toadlife | 10/12/06
Another one  jragosta | 10/10/06
Looks it is not going to work  Qbt | 10/10/06
AV vendors are disliked even more than MS  georgeou | 10/10/06
competition  zzz1234567890 | 10/10/06
Gates didn't believe in politics in 1999  georgeou | 10/10/06
RE: Gates  gtdavies33@... | 10/10/06
It's a known fact that they donated a lot of money to get the antitrust  georgeou | 10/10/06
Riiiiiiggghhhht....  jragosta | 10/11/06
Sure... absolutely no evidence  MacCanuck | 10/11/06
Left one out  jragosta | 10/11/06
I think it's very courageous of Microsoft  tombalablomba | 10/10/06
Same thing happens to OS X or Linux  georgeou | 10/10/06
Did i say anything about linux or OS/X?  tombalablomba | 10/11/06
"Whitelisted Code"  ddagolfr | 10/11/06
Uhmmm . . .  jlhenry62 | 10/11/06
no...  Monkey_MCSE | 10/11/06
No blinders . . .  jlhenry62 | 10/11/06
True statement  jragosta | 10/11/06
No.  jragosta | 10/11/06
FACT: A fresh Windows XP is a virus haven  plon | 10/11/06
Try an unpatched Linux install on the public Internet with no firewall  georgeou | 10/11/06
Too bad, George  jragosta | 10/11/06
uhm George  tombalablomba | 10/11/06
Is Apache part of Linux? It's news to me...  jinko | 10/11/06
Yet Apache runs on more than Linux  nucrash | 10/11/06
You have to remember...  jragosta | 10/11/06
I was wondering that . . .  jlhenry62 | 10/11/06
I'll make you a challenge  georgeou | 10/11/06
WIndows XP not Windows XP SP@  plon | 10/11/06
You don't need SP1 or SP2 to have a firewall  georgeou | 10/11/06
Really?  jragosta | 10/11/06
re: Really?  Badgered | 10/11/06
Simple answer to that  voska | 10/11/06
Yes really, circa 2002  georgeou | 10/11/06
jragosta, for once he's right  V-Train | 10/11/06
Wow  jragosta | 10/11/06
Hmmm, 1991  voska | 10/11/06
boot sector viruses didn't need manual execution  georgeou | 10/11/06
2006-10=1996 :)))))))  plon | 10/11/06
Windows XP came out in 2006?  georgeou | 10/11/06
read your above post  plon | 10/11/06
I'd rather  zkiwi | 10/11/06
ATENTION : VIRUS ! Who must be blamed?  plon | 10/12/06
Wrong, again, George  jragosta | 10/11/06
You are full of cattle cakes.  osreinstall | 10/11/06
AdAware in offline mode isn't too bad  georgeou | 10/11/06
Something running in memory that cannot catch the unknown is rediculous.  osreinstall | 10/11/06
No, MSCONFIG is the best  georgeou | 10/11/06
I am used to Services under Administrative applet.  osreinstall | 10/11/06
Too late  jragosta | 10/11/06
not really...  darthgummibear | 10/11/06
It doesn't matter  jragosta | 10/11/06
This is ********  yaron@... | 10/11/06
Zonealarm has been remotely exploited, XP Firewall has not. That's a fact.  georgeou | 10/11/06
you believe that?  darthgummibear | 10/11/06
Offer some proof then  georgeou | 10/11/06
And don't forgot  tshinder@... | 10/11/06
ZoneAlarm Security ...  mustang_z | 10/11/06
Those are some pretty big words you're using...  rock06r | 10/12/06
This is Bull ****  yaron@... | 10/11/06
Zonealarm has been remotely exploited, XP firewall never  georgeou | 10/11/06
try finding a newer link George  Arm A. Geddon | 10/11/06
They need to work with the new API  georgeou | 10/11/06
re:They need to work with the new API  Arm A. Geddon | 10/11/06
That's silly  jragosta | 10/11/06
Especially when you consider the ....  rock06r | 10/12/06
Still using XP  ImUpAbvIt | 10/11/06
Their business model is being shut out...  nucrash | 10/11/06
Not quite  jragosta | 10/11/06
If George could only buy a clue... would he know what to do with it?  BeGoneFool | 10/11/06
Jealous?  ImUpAbvIt | 10/11/06
Psychological Projection!  mustang_z | 10/11/06
You're confused  zkiwi | 10/11/06
No, *you're* confused  M.R. Kennedy | 10/12/06
Whatever  zkiwi | 10/13/06
You left out one thing  tic swayback | 10/11/06
Hear, Hear!!! nt  jlhenry62 | 10/11/06
Do you work for M$  DarthRidiculous | 10/11/06
Symantec and McAffe should be lampooned  nucrash | 10/11/06
Better Watch it, nucrash!!!  jlhenry62 | 10/11/06
I said free methods  georgeou | 10/11/06
A mind is a terrible thing some times...  mustang_z | 10/11/06
I feel an good argument in here....  rock06r | 10/12/06
Gee-whiz!  Punchey | 10/12/06
Ford and Chevy must stop using internal combusion engines  No_Ax_to_Grind | 10/11/06
Please No_Ax....  Badgered | 10/11/06
Hey Axey  Shelendrea | 10/11/06
Hey Shel  osreinstall | 10/11/06
Well, THAT'S all I need . . .  jlhenry62 | 10/11/06
And Kyoto activists (nt)  voska | 10/11/06
George, I agree for once.....  linux for me | 10/11/06
Good article!  daniel.piette@... | 10/11/06
Vista whatever, need more Mac  scole3@... | 10/11/06
I love you MAC users, You follow so blindly!!!  RynUK | 10/11/06
I love you WIndows Users  Shelendrea | 10/11/06
Hey, Shel . . .  jlhenry62 | 10/11/06
Get um Shel  perryroyce@... | 10/11/06
LOL  Shelendrea | 10/11/06
Grand Da  perryroyce@... | 10/11/06
I believe  Shelendrea | 10/11/06
Ever??  techboy_z | 10/11/06
How about this  jragosta | 10/11/06
Better not let the . . .  jlhenry62 | 10/11/06
That would be wrong  jragosta | 10/11/06
Leave the kernel alone  Anton Philidor | 10/11/06
I think you may have missed my point  georgeou | 10/11/06
Microsoft's duty to put McAfee/Symantec out of business  Knorthern Knight | 10/11/06
I agree - partly  jragosta | 10/11/06
Now let's think about this.  georgeou | 10/11/06
No, George  jragosta | 10/11/06
George Ou, I have to agree with you completly.  Grayson Peddie | 10/11/06
I never recommended any AV solution  georgeou | 10/11/06
Since I never get any viruses, I also don't run AV either.  Grayson Peddie | 10/11/06
Unplug Windows  Chad_z | 10/11/06
Yeah, can you say "VM"?  techboy_z | 10/11/06
100% of the issues can be dealt with by best practice on Windows  georgeou | 10/11/06
give me a link, please  Ipsenol | 10/11/06
I'm assuming you need a how-to...  dave.leigh@... | 10/11/06
Silly  jragosta | 10/11/06
re: Silly  dave.leigh@... | 10/11/06
Riiiiggghhhhtt  jragosta | 10/12/06
Yeah, right.  dave.leigh@... | 10/12/06
Somehow I doubt that  zkiwi | 10/11/06
Yes.  dave.leigh@... | 10/11/06
Scary  zkiwi | 10/11/06
No.  dave.leigh@... | 10/11/06
Because...  zkiwi | 10/11/06
Pretty good run down  georgeou | 10/11/06
ROTFLMAO  jragosta | 10/11/06
The solution is:  MacGeek2121 | 10/12/06
100% of the issues can be dealt with by unplugging the system too  ghastly | 10/13/06
Well, thanks for that...  mustang_z | 10/11/06
That's precious...  rock06r | 10/12/06
Precious  jragosta | 10/12/06
George Ou: Stop writing about Tech  nomorems | 10/11/06
George Ou  Winfan | 10/27/06
I agree  nightman45 | 10/11/06
This is a common opinion  georgeou | 10/11/06
have to agree.  darthgummibear | 10/11/06
AVG free edition is the most light weight  georgeou | 10/11/06
not me personally...  darthgummibear | 10/11/06
How I deal with those people  georgeou | 10/11/06
AntiVir is free and good too but...  Arm A. Geddon | 10/11/06
linux...  darthgummibear | 10/11/06
here's a few links that might answers some of your questions.  Arm A. Geddon | 10/11/06
Oh Really??  jasprey | 10/11/06
Thank you George  jasprey | 10/11/06
You're welcome  georgeou | 10/11/06
Other than.....  jragosta | 10/11/06
I'm a Mac user...  MacGeek2121 | 10/12/06
Check Your Facts  SecurityGeek_z | 10/11/06
Well said! And thanks....  techboy_z | 10/11/06
Sorry, that's just plain wrong  georgeou | 10/11/06
*sigh*  zkiwi | 10/11/06
Sorry  jragosta | 10/12/06
For Everyone?  dkunzman@... | 10/12/06
Sounds like a good reason not to touch the kernel  georgeou | 10/11/06
And as part of the public  zkiwi | 10/11/06
Well, you can believe what you want  georgeou | 10/11/06
And you have any evidence  zkiwi | 10/11/06
I already refuted his points  georgeou | 10/11/06
Wrong George  zkiwi | 10/12/06
Oooh! George!  nomorems | 10/12/06
Ok, point by point  georgeou | 10/12/06
Anti-Virus Insecurities  M.R. Kennedy | 10/12/06
LOL, another reason to use Free AVG  georgeou | 10/12/06
Ummm..how about not loading Windows!  nomorems | 10/12/06
Let's Not Breathe A Word About OS X Flaws...  M.R. Kennedy | 10/12/06
Your point?  jragosta | 10/12/06
Another factor where AV makes you less secure  georgeou | 10/12/06
Hmmm...  zkiwi | 10/12/06
Alright, time to stop feeding you  georgeou | 10/12/06
Whatever George  zkiwi | 10/12/06
re: Symantec and McAfee should stop crying about Vista  Arm A. Geddon | 10/11/06
Ok now  zkiwi | 10/11/06
Please take that statement in context  georgeou | 10/11/06
Gotcha  zkiwi | 10/11/06
SecurityGeek is spreading lies  georgeou | 10/11/06
George  zkiwi | 10/11/06
Don't take my word for it, look at the leading researcher's words  georgeou | 10/11/06
Blah blah blah  zkiwi | 10/11/06
Three problems  jragosta | 10/12/06
Symantic and McAfee Crybabies  jasprey | 10/11/06
Vista hardware requirements are not bad  georgeou | 10/12/06
When are you going to learn?  jragosta | 10/12/06
It will be interesting to compare...  zkiwi | 10/12/06
Question: I blew away all my security software and went with free AOL 9.0  rayted32 | 10/12/06
Incorrect Paradigm  dkunzman@... | 10/12/06
AV Need  dkunzman@... | 10/12/06
Anyway, I hate McAfee and Symantec's products  batia | 10/12/06
It's not about detection  georgeou | 10/12/06
Why do you MS detractors object?  Punchey | 10/12/06
Why do YOU object....  jragosta | 10/12/06
I don't, so try using logic, it works great.  Punchey | 10/13/06
Maybe you should read your own post.  jragosta | 10/16/06
Well said  Fujikid2 | 10/15/06
sudo?  Kill-the-hype | 10/12/06
Be careful when making criticisms  georgeou | 10/12/06
Sudo  Ivan21 | 10/13/06
If Vista is secure, Symantec will worth near 0  sharikou | 10/12/06
The verdict's still out on this one, George  ubwete | 10/13/06
The upcoming rollout of Microsoft's Vista Ultimate  muffquentin | 10/13/06
A follow up to my comments about the new Vista  muffquentin | 10/13/06
Anti-trust concerns yields to Vista Security Changes  D. T. Schmitz | 10/14/06
You're missing something  jragosta | 10/14/06
Not missing anything  D. T. Schmitz | 10/15/06
Just wondering.....  jragosta | 10/15/06
Let's see  D. T. Schmitz | 10/15/06
Pretty low coming from you  georgeou | 10/15/06
Very accurate  jragosta | 10/15/06
Close only counts in Horse Shoes  D. T. Schmitz | 10/15/06
Article was an opinion, not a prediction  georgeou | 10/15/06
It cuts both ways  D. T. Schmitz | 10/16/06
Than .....  plon | 10/16/06
That goes beyond an opinion Dietrich  georgeou | 10/16/06
Olive Branch  D. T. Schmitz | 10/16/06
Ok thanks  georgeou | 10/16/06
Excellente!  D. T. Schmitz | 10/16/06
Yes, we know  jragosta | 10/16/06
You can answer your own question  georgeou | 10/16/06
Really? Where?  jragosta | 10/17/06
Ridiculous  Fujikid2 | 10/15/06
Please don't confuse things  georgeou | 10/16/06
Trust Microsoft for Security  rmkeeler@... | 10/16/06
People who say that are usually trying to sell something  georgeou | 10/16/06
What a shill.....  jragosta | 10/16/06
Security companies should be BREAKING INTO my kernel?  giskard | 10/22/06
Where I stand  jragosta | 10/22/06
you misunderstand me  giskard | 10/22/06
Fair enough  jragosta | 10/22/06
