Remember when Microsoft, Symantec and McAfee went at it because Microsoft wouldn't let them have kernel access for their Anti-Virus software? This was why:
Source - Ars Technica
Microsoft Security Essentials (MSE), the software giant's free antimalware solution, is one of the few products that is not affected by the recently rediscovered method for disabling security software on Windows. MSE does not use SSDT hooks, so its real-time protection cannot be disabled via this method.
When the report was first published, we noticed that MSE was not on the list of affected products and contacted Microsoft for clarification. "Microsoft is aware of research published by Matousec and we are investigating the issue," a Microsoft spokesperson told Ars. "Based on available information, we do not believe our products are affected due to the design of our real-time protection. We are working to confirm this."
Microsoft said someone would get back to us, but we figured it would be quicker to go straight to the source. "As we assumed, MSE does not implement any hooks and hence it cannot be attacked by the KHOBE technique," a Matousec spokesperson told Ars. "It might be confusing when you read various media comments on KHOBE research that mention that all antivirus products are vulnerable, but they miss the most important thing, which is that only software that implements hooking can be vulnerable. Only some antivirus products implement hooks, but many antivirus products do not use hooks at all. The major group of software that is affected is not antivirus products but HIPS [Host Intrusion Prevention System] software, behavior blockers, various Internet Security Suites with host protection features, etc."
Update: "Microsoft has worked directly with Matousec to confirm that Microsoft Security Essentials and Forefront Client Security products are not affected by their KHOBE research due to the design of our real-time protection," a Microsoft spokesperson eventually followed up with.
Microsoft insists that security companies avoid using kernel patches in their software. It would therefore be rather hypocritical of Microsoft to use such hooks. Furthermore, self-defense techniques, which are usually implemented using hooks, are not a common part of Microsoft's solutions. It's worth noting that Microsoft listened to security vendors and, in Windows Vista and Windows 7, implemented several new documented methods to let products include self-defense mechanisms. Unfortunately, there is nothing forcing vendors to use these new methods, as their old hooking-based protection still works in new versions of Windows.
This is why the list of products affected is so lengthy. Matousec is continuing to update the list, and at the time of publishing, there were 35 vulnerable products. This is another big win for MSE, which has received very positive feedback ever since its release.