Windows Vista: PatchGuard

Published by KarlM
03-03-2009

The 64-bit Vista kernel is often described as impervious to modification. That claim matters because kernel-mode rootkits are becoming increasingly widespread.

What is a Kernel Mode Rootkit?

A kernel-mode rootkit is malicious code that runs inside the kernel and conceals its own presence, or that of another program, by modifying kernel data structures: the lists and tables the operating system itself uses to enumerate processes, drivers, files and network connections. In practice it is a set of utilities for masking another program's presence from every tool that relies on the kernel's answers.

What does PatchGuard do?

PatchGuard (Microsoft's name for it is Kernel Patch Protection) periodically checks that certain protected kernel regions have not been modified, among them the system service descriptor table (SSDT), the kernel's descriptor tables (IDT and GDT) and the kernel's own code; if it finds a change it halts the system with a bug check. At first sight this seems to settle the problem of Trojans hiding inside the system. On closer inspection, however, PatchGuard offers only limited protection against rootkits. It has proved fragile, as the many publicly documented ways of disabling it show.

PatchGuard's main weakness is architectural: the code that performs the checks runs at the same privilege level (kernel mode, ring 0) as the code it is meant to defend against. The "defence" therefore has no more authority than a prospective intruder, who can locate the check and patch it out or neutralise it. Several ways of doing exactly that are publicly known.

So even against rootkits that do patch the kernel, PatchGuard's protection is questionable, and it does not address other classes of rootkit at all. It checks static kernel components, code and tables that are never supposed to change, but it does not protect dynamic kernel data structures, which change legitimately all the time (every process start and exit alters them) and therefore cannot be guarded by the same kind of integrity check.

The FU rootkit is an example: it hides processes by directly manipulating such dynamic structures (Direct Kernel Object Manipulation, DKOM), unlinking a process's entry from the kernel's active-process list while the process keeps running. Nothing PatchGuard monitors changes, so the rootkit operates in the kernel, alongside PatchGuard, yet remains invisible both to it and to any tool that enumerates processes through that list.
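To make the distinction concrete, here is an added example, written for this page rather than taken from the original tutorial or from Windows: a small user-mode C model in which a PatchGuard-style checksum over a static table catches a service-table hook but misses a DKOM unlink, while a cross-view comparison of two independent sources catches the unlink. The structure layouts, the FNV-1a hash and the four-entry sample process list are simplifications chosen for illustration, not Windows internals.

```c
/* Added example, not from the original tutorial: a user-mode model of the two cases
 * the text contrasts. A function-pointer table stands in for the system service table
 * and a PatchGuard-style checksum over it catches a hook; a doubly-linked list stands
 * in for the active-process list, where unlinking an entry (DKOM, as FU does) changes
 * nothing the checksum covers and only a cross-view comparison reveals it.
 * Layouts and the hash are simplified stand-ins, not Windows internals. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef long (*service_fn)(long);
static long svc_open(long a)  { return a + 1; }
static long svc_read(long a)  { return a + 2; }
static long svc_query(long a) { return a + 3; }
/* Stand-in for the service table: a static region, so it can be checksummed. */
static service_fn service_table[3] = { svc_open, svc_read, svc_query };
/* A rootkit hook that filters the results of the query service. */
static long hooked_query(long a) { return svc_query(a) & ~1L; }

/* FNV-1a over a byte range: the shape of an integrity check, not PatchGuard's algorithm. */
static uint64_t region_checksum(const void *p, size_t n) {
    const unsigned char *b = p;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Process objects chained the way EPROCESS.ActiveProcessLinks chains them. */
struct list_entry { struct list_entry *flink, *blink; };
struct process { struct list_entry links; int id; };

#define NPROC 4
static struct process procs[NPROC];   /* the backing objects: second view */
static struct list_entry head;        /* the list head: first view */

/* Constructed sample data: four processes, each inserted at the list tail. */
static void build_process_list(void) {
    head.flink = head.blink = &head;
    for (int i = 0; i < NPROC; i++) {
        procs[i].id = i;
        procs[i].links.flink = &head;
        procs[i].links.blink = head.blink;
        head.blink->flink = &procs[i].links;
        head.blink = &procs[i].links;
    }
}

/* DKOM: splice the object out of the list but leave it intact, so the scheduler
 * (which does not use this list) keeps running its threads. */
static void dkom_hide(struct process *p) {
    p->links.blink->flink = p->links.flink;
    p->links.flink->blink = p->links.blink;
    p->links.flink = p->links.blink = &p->links;   /* self-loop keeps it consistent */
}

/* View 1: what a tool that walks the list (Task Manager style) sees. */
int processes_visible_in_list(void) {
    int n = 0;
    for (struct list_entry *e = head.flink; e != &head; e = e->flink) n++;
    return n;
}

/* View 2 against view 1: objects that exist but are absent from the list. */
int processes_hidden_from_list(void) {
    int hidden = 0;
    for (int i = 0; i < NPROC; i++) {
        struct list_entry *e = head.flink;
        while (e != &head && e != &procs[i].links) e = e->flink;
        hidden += (e == &head);   /* walked the whole list without finding it */
    }
    return hidden;
}

/* Scenario 1: a hook rewrites the protected region, so the checksum changes. */
int hook_caught_by_checksum(void) {
    uint64_t before = region_checksum(service_table, sizeof service_table);
    service_fn saved = service_table[2];
    service_table[2] = hooked_query;               /* rootkit installs the hook */
    int caught = region_checksum(service_table, sizeof service_table) != before;
    service_table[2] = saved;                      /* undo so later calls start clean */
    return caught;
}

/* Scenario 2: DKOM hides the third process. The static region is untouched, and
 * the list cannot be checksummed because legitimate process creation and exit
 * change it constantly; only the cross-view count exposes the hidden entry. */
int dkom_caught_by_checksum(void) {
    build_process_list();
    uint64_t before = region_checksum(service_table, sizeof service_table);
    dkom_hide(&procs[2]);
    return region_checksum(service_table, sizeof service_table) != before;
}
int dkom_caught_by_cross_view(void) {
    build_process_list();
    dkom_hide(&procs[2]);
    return processes_hidden_from_list();
}
int main(void) {
    printf("hook/checksum=%d dkom/checksum=%d dkom/cross-view=%d\n",
           hook_caught_by_checksum(), dkom_caught_by_checksum(), dkom_caught_by_cross_view());
}
```

Compile with any C99 compiler and run. The point to take away is the last scenario: an integrity check over static regions is blind to an object that has merely been unlinked, so detecting rootkits that work on dynamic structures means comparing two independent views (here the list against the backing objects; on a real system, for example, the process list against the PID table or a scheduler-side enumeration) rather than checksumming one of them.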

The consequence of the check and the code it guards living in the same layer is simple: a driver that a malicious program manages to load runs with exactly the privileges PatchGuard has, and can shut PatchGuard down from inside the kernel.

Forbidding modifications to the kernel is nevertheless a defensible design choice: legitimate software has no supported reason to patch the kernel, and ruling it out improves the stability and security of the system as a whole.

Microsoft's effort to harden the system has, however, come at a cost. By making kernel patching impossible in any supported way, the company has prevented security vendors from integrating the full functionality of their products on x64 Vista, so the complete range of antivirus technologies those vendors have developed is no longer available there.

This affects not only tools that defend against malicious rootkits but also proactive protection technologies that detect hidden threats, both of which relied on kernel hooks in tools for earlier versions of Windows. Malware authors, meanwhile, have free rein: they do not need to defeat PatchGuard directly, because a rootkit that gets its driver loaded will do that job for them.

Finally, note that in Vista both mandatory kernel-mode driver signing and PatchGuard exist only on the 64-bit platform, and 64-bit systems are, at the time of writing, far less widespread than 32-bit ones. The x86 edition of Vista provides no specific protection against rootkits at all.
