Symantec and McAfee should stop crying about Vista

Written by George Ou, Contributor

George Heron, who is the Chief Scientist at McAfee, spoke out in this commentary on why he thinks "Microsoft is wrong on Vista security".  McAfee has been in full-scale attack mode along with rival Symantec and even posted a full-page ad in the Financial Times against Microsoft locking down access to the Vista kernel.  Adobe and Symantec are lobbying sympathetic European Union regulators, who are already trying to squeeze as much money out of Microsoft as they possibly can, to get tough on Microsoft in the area of document formats and kernel security.  But are these really legitimate complaints or just sour grapes?

But is there a bit of hypocrisy in these AV vendors' arguments?  Symantec openly argues that Vista kernel protection can already be bypassed by malware (though this loophole can be closed with page file encryption) and that the kernel protections only handicap antivirus vendors.  Why pretend on the one hand that they're being "handcuffed" by Vista kernel protections and then say in the same breath that it doesn't stop malware from modifying the kernel?  If it's so easy for malware to modify the kernel as Symantec suggests, why doesn't Symantec simply modify the kernel using these same methods available to malware instead of expecting Microsoft to provide a formal programmatic way of modifying the kernel?  Symantec and McAfee are essentially expecting Microsoft to bless the kernel modifications, but if they really think modifying the kernel is such a great idea, they should just go ahead and do it and take responsibility for kernel stability.  If they don't want to take responsibility for modifying the kernel, then be quiet and work with the Vista antivirus APIs like Kaspersky.

Many people in the IT industry and computer users in general are sick and tired of antivirus companies, and you can tell that by the abundant negative feedback we get whenever the subject of Symantec and McAfee comes up.  People are sick and tired of the resources taken up by antivirus software, and recent tests confirm that antivirus software makes your PC crawl.  Ironically, Symantec and McAfee took the top dishonors by being the biggest resource hogs of all.  Furthermore, antivirus software will often make your PC more vulnerable to attack than if it didn't have any antivirus installed at all, because malicious packages can be rigged to exploit the AV software itself.  It has always baffled me why someone would pay top dollar to have their PCs dragged down to a crawl and be exposed to even more security risks.  It is a well-known secret among security experts that every bit of code you add to a system carries its own security risks, and security software is no exception.

Having come from an IT consulting background, I personally attended their sales meetings as recently as last year and witnessed their sales tactics first hand.  The AV vendors would actually position their software as an alternative to Microsoft's Windows patches.  They openly boasted about the fact that they had clients who didn't patch their operating systems for a year.  The problem is that you're paying top dollar for a security solution to replace a free patching solution.  Furthermore, the effectiveness of AV solutions is limited to known patterns and known signatures, and so-called "behavior-based AV" doesn't really exist even though many AV vendors claim to be behavior based.  One AV vendor contacted me and told me their solution was proactive, but when I asked them which zero-day attacks they had preemptively stopped recently, I never got a response back.

If any AV vendors will come forward and answer this challenge, I'd be happy to praise your product publicly if it can detect any of the zero-day attacks proactively.  I don't just mean sandboxing technology, since I can already do that with proper permission lockdowns; I want to see actual detection of a zero-day threat before any patches or updates are applied to the antivirus or IDS definitions.

But is there an alternative to expensive, insecure, performance-draining antivirus software?  There certainly is, and it's free and will get easier to do with Windows Vista.  The Administrator accounts in Windows Vista are no longer like the Administrator accounts in Windows XP, because administrators are now effectively sudo users.  Internet Explorer 7 running under Vista will run in a virtual jail using something called Vista Protected Mode.  New group policies in Windows Vista can actually prevent even administrative users from escalating code to administrator level, and this can be set at a domain level for all users in an organization globally or by groups.  Even if a user is foolish enough to manually authorize a UAC prompt, the local or domain policy can prevent any kind of unsigned and untrusted code from escalating to root-level permissions.

This is effectively a white-list security model where all code is untrusted by default unless it is from a trusted source, whereas the antivirus security model uses a black-list approach that trusts all code by default until proven guilty.  Permission escalation restrictions will prevent all malware code from infecting the system unless there is an unpatched or undocumented code escalation exploit.  While that isn't perfect, we know that code escalation exploits aren't nearly as frequent as all the other kinds of software and social engineering vulnerabilities, and they get patched fairly quickly, so the window of risk is relatively small.  Compared to the black-list security model it is infinitely better.
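The two preceding paragraphs make a concrete, checkable claim: a policy that only lets signed, trusted code elevate is an allow-list, and an allow-list stops an unknown sample that a signature-based deny-list never heard of. The PowerShell script below is an added example, not code from the column or from Microsoft. It assumes (my identification, not the article's) that the "only elevate executables that are signed and validated" UAC policy lives in the `ValidateAdminCodeSignatures` DWORD under the standard UAC policy key, and the allowed signer thumbprints and "known bad" hashes are constructed placeholders; the unknown sample it scores is a throwaway script it writes to `$env:TEMP`.

```powershell
# Added example (not from the article): audit the Vista-style UAC elevation
# policy and compare an allow-list check with a deny-list check on one file.
# ASSUMPTION: the "only elevate signed and validated executables" setting is
# the ValidateAdminCodeSignatures DWORD under this key (my mapping).
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Constructed sample data: a trusted publisher thumbprint and a "known bad"
# SHA-256. Neither is real; replace with your own inventory.
$AllowedSignerThumbprints = @('0123456789ABCDEF0123456789ABCDEF01234567')
$KnownBadHashes           = @('B0A0B0A0B0A0B0A0B0A0B0A0B0A0B0A0B0A0B0A0B0A0B0A0B0A0B0A0B0A0B0A0')

function Get-ElevationPolicy {
    # Reads the UAC values; a missing value is reported as the Windows default
    # (UAC on, no signature requirement on elevation).
    $props = Get-ItemProperty -Path $UacKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UacEnabled             = ($null -eq $props.EnableLUA) -or ($props.EnableLUA -ne 0)
        RequireSignedElevation = ($props.ValidateAdminCodeSignatures -eq 1)
    }
}

# To enforce the allow-list model the column describes (needs an elevated
# shell; left commented so the audit runs read-only):
# Set-ItemProperty -Path $UacKey -Name ValidateAdminCodeSignatures -Value 1 -Type DWord

function Test-AllowListed {
    # Allow-list: untrusted unless the Authenticode signature is valid AND the
    # signer is one we explicitly trust.
    param([Parameter(Mandatory)][string]$Path)
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $thumb
        Allowed         = ($sig.Status -eq 'Valid') -and ($AllowedSignerThumbprints -contains $thumb)
    }
}

function Test-DenyListed {
    # Deny-list: trusted unless the file hash matches something already known bad.
    param([Parameter(Mandatory)][string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path    = $Path
        Sha256  = $hash
        Blocked = ($KnownBadHashes -contains $hash)
    }
}

# Constructed "zero-day" sample: an unsigned script nobody has a signature for yet.
$Sample = Join-Path $env:TEMP 'unknown-sample.ps1'
Set-Content -Path $Sample -Value "Write-Host 'never seen before'" -Encoding ascii

Get-ElevationPolicy | Format-List
Test-DenyListed  -Path $Sample | Format-List   # Blocked: False  (deny-list has no entry)
Test-AllowListed -Path $Sample | Format-List   # Allowed: False  (NotSigned, untrusted by default)

Remove-Item -Path $Sample -ErrorAction SilentlyContinue
```

The two result objects are the whole argument in miniature: the deny-list check passes the sample because no hash for it exists yet, while the allow-list check rejects it because it carries no valid signature from a trusted publisher. Swap the sample for a signed binary whose signer thumbprint you have added to the list and only then does `Allowed` flip to true.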

So is there still a place for antivirus software?  Sure, at the FTP/HTTP/SMTP gateway, where it can keep a lot of the malware off the network to begin with.  But it definitely stinks when it's on the PC, and it stinks even more when it's in the kernel.  I'm sure the AV vendors will disagree with my assessment of the antivirus industry in general, and they're even free to modify the Vista kernel using undocumented methods; just don't expect Microsoft's blessing or mine.
