Symantec and McAfee should have prepared better for Vista

IT security firm Sophos is recommending that system administrators ask their security vendors if they are capable of properly protecting them on the forthcoming 64-bit version of Vista, as arguments continue regarding access to Microsoft's operating system code (kernel). Sophos has reassured its customers that Sophos Anti-Virus will offer full protection against malware threats on Vista, and suggests that some security vendors may not have given sufficient thought to the new operating system when developing their products.

Anti-virus firms Symantec and McAfee have recently made high-profile complaints that they are being "locked out" of the Vista operating system kernel by Microsoft's PatchGuard kernel patch protection. They argue that this is preventing them from continuing to develop proactive protection against new malware, sometimes referred to as 'host intrusion prevention' or 'HIPS'. They claim this action is anti-competitive.

However, Sophos argues that its approach to HIPS technology has met with no problems on both the low-spec and high-spec versions of Windows Vista. In addition, Sophos claims that Microsoft has so far provided all the interfaces that Sophos needs for providing this form of protection.

"Symantec and McAfee may be struggling with HIPS because they haven't coded their solutions with high-spec Vista in mind," said Richard Jacobs, CTO of Sophos. "We've taken a different approach, by focusing on catching bad behaviour before it has a chance to occur. Additionally, we are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert them. That's why we're ready for 64-bit Vista, and others aren't."

View: Full Article @ Sophos via Bink

Sophos Anti-Virus, including its HIPS functionality, has been designed for 64-bit Windows Vista.


25 Comments


Symantec and McAfee both suck. Symantec more though. I want to know more on Kaspersky. Kaspersky & Nod32 are the best anti-virus atm. Kaspersky has the best virus detection rate, but Nod32 doesn't hog as much resources.

It's funny that the 2 companies complaining are the ones I will never install on my computer. Norton turns a Conroe into a 486 and McAfee is the Lycos of A/V software.

I remember reading something on Channel 9 about these API changes to the kernel a long time ago. Windows File Filters I think was the name of what they called it. Don't remember. But it was talked about when they did their 3-part section on the Windows kernel.

The screenshot is of the wrong product. This refers to HIPS.

I wonder how many people who have commented have actually stopped to think "what are Sophos actually doing differently, is it really effective, or is this just well-timed and devious marketing for a system that simply isn't as secure as alternative solutions?" Seems to me that most of you are just taking this as fact and not questioning it at all. Tut tut.

NB: I'm not saying it isn't as secure. It may well be - they haven't made enough detail available to make an informed decision (at least that I can find).

I worked for a school system and we dumped Symantec for Sophos. Why? Sophos immediately detected 4 viruses that Symantec had happily ignored for about a year.

Sophos has decided to try to stop code before it executes, not once the damage is done. Post-state inspection is useless if the code is executed.

An ounce of prevention (stop it from executing) is worth a pound of cure (cleaning after the virus is there).


*edited for typos*

I don't think you're appreciating the technologies in question.

Find me a traditional AV solution that detects a virus *after* it's let the code execute? That isn't how they work. It'd be simply insane.

McAfee's enterprise software has had code sandboxing and heuristics for more years than I can remember. I also suspect the same technologies are buried inside the home user line of products under one big tick box.

Evaluating code before it runs isn't anything new.

My point is that Sophos are claiming to do something new and wonderful, but have released NO real details on how.

Here's a conspiracy theory for ya:

McAfee and Symantec throw a fit when access is removed from the kernel because virus writers won't be allowed access to that attack vector. They lose job security because all the script kiddies they are paying to write viruses for them to fix are going to be left in the dark. Meanwhile, Kaspersky, NOD32, Sophos, Alwil, etc. gain market share because they are able to create REAL antivirus products that actually work. With virus and malware activity at an all-time low and the two largest antivirus firms not even in the picture, it snowballs from there.

Like I said, it's a conspiracy theory, but I find it interesting that the only two companies complaining are the two whose products have come closest to resembling viruses themselves as of late. I work in IT at my company, and LOATHE every time we get a new computer around here from D*ll, and I have to remove all the McAfee crap that comes on there because of the problems caused by it...sometimes it's almost impossible.

So, there are 2 ways to stay in the marketplace with Windows:

1. Innovate, as before, offer new software and services, make some money by selling products, or
2. Cry while your competitors do #1 and then blame Microsoft for your own mistakes.

You can bet I'll continue to buy security software from a company that falls in the first category. Hopefully that includes ZoneAlarm Security Suite because so far I'm pretty happy with it on XP.

If MS are forced to open up the kernel, both in 32- and 64-bit versions, can we have an admin option entitled "Close security holes forced in by Symantec"? Or even a download like the PDF save in Office. They could call it the "Windows Vista Symantec are stupid compatibility pack".

It's funny. All the companies that years ago I used to dismiss out-of-hand for not being "big players" are now the ones I trust!

by focusing on catching bad behaviour before it has a chance to occur. Additionally, we are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert them. That's why we're ready for 64-bit Vista, and others aren't."

That's the spirit :D, if Sophos, Kaspersky, Nod32, AVG and Avast can do it, so should McAfee and Symantec. The problem is, they couldn't offer decent protection in XP, let alone offer the most basic for Vista. Just sad really.

Nice! Love the simple interface, and it just goes to show how crap Symantec and McAfee are. Seriously, both those companies need to die a slow and painful death. It's refreshing to see that Sophos have got things sorted, and I may well consider changing to Sophos.