Recently I wrote an article about Agnitum, a security software vendor known for its firewall, because of their accusations towards Microsoft. Today I noticed a comment by someone from Agnitum on the Sunbelt Blog, so I decided to respond to it. Here is the original comment from Agnitum:
Agnitum’s technical brief about Microsoft’s approach to Kernel Patch Protection has sparked intense discussion at Alex Eckelberry’s blog.
May we participate in the debate?
The new approach to kernel patch protection is designed to block rootkits. That’s progress. However, ironically, it also prevents the installation of third-party security software from Agnitum, and Zone Labs, and McAfee, and Symantec, and other companies. This is not progress. History proves we should not rely on Microsoft and only Microsoft for operating-system security.
There are thousands of companies that rely on access to the Windows kernel — and we should not be forced to rely on tools and tactics used by malicious hackers. And we do not believe Microsoft should improve security by opening the kernel to attack by hackers.
Agnitum offers a better solution for Microsoft vulnerabilities. It is Outpost Firewall Pro, a software firewall that protects users from Windows vulnerabilities that Microsoft can’t really fix. In mid August we plan to launch Outpost Firewall Pro 4.0 – a new age of firewalls that will have many anti-theft technologies and that will protect against all known information leaks (tested with “leak tests”).
The decision to publish our recent findings was aimed at bringing attention to Microsoft actions that will affect thousands of companies who need to use the Windows kernel to make their software work.
Igor Pankov, Product Marketing (source)
Since my comment has either not been approved yet or was deleted by the blog owner, I decided to publish it on my own blog. This way it does not cause the Sunbelt guys any problems and still lets me voice my concerns about Agnitum's position. Here is my comment on the above argument of Igor Pankov:
Igor, you must be kidding. Your comment reads like an advert for your firewall product. Contrary to what you claim, MS does not open the kernel to attack, but instead closes down access to it by "normal" means. Joanna Rutkowska has proven this can partially be circumvented (by forcing pageable driver code to be paged out and patching it on disk inside the paging file). However, this hole is likely to be fixed by the final release, as she presented it to the public only recently. Microsoft representatives were glad the hole was shown to them during the beta phase.
Just ask your devs and they will most likely agree that MS attempted earlier to introduce security measures (e.g. write-protecting the SSDT, which was broken by temporarily clearing the WP bit in CR0 or by mapping the SSDT pages a second time with read-write access).
The fact that you already use undocumented hacker methods never meant that you were guaranteed future support for these hacker methods by MS. This has been made very clear more than once by Microsoft, and if your devs follow the respective mailing lists (ntdev etc.), they have been aware of this for years.
Yes, there are thousands of companies relying on the kernel, and many of them rely only on the documented part, don't they? Perhaps you should change your policy and follow their example. As I already wrote in my article, you are already using "tools and tactics used by malicious hackers", as you put it. And this is the actual problem, not MS' efforts to close down access to the (largely undocumented) kernel.
"May we participate in the debate?" – I'd be happy to see some objective comments on my article, too. Perhaps you can get one of your devs to review my arguments and comment on them? That way we would have a professional basis for the debate. I am not interested in marketing arguments, though …
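To make the disagreement concrete, here is a small user-mode model added to this post (it is not code from the original post, from Agnitum or from Microsoft): a service table standing in for the SSDT, a third-party hook of the kind a firewall vendor installs to filter a system service, and an on-demand integrity check of the kind Kernel Patch Protection performs. All function and variable names are hypothetical. The real KPP checks many more structures and runs at times the caller does not control, and a hook in a real driver would first need the CR0 or remapping tricks mentioned above just to write to the table; none of that is modelled here.

```c
/* Added illustration, not code from the post or any vendor: a user-mode model
 * of a system-service table, a third-party hook on one entry, and a Kernel
 * Patch Protection (KPP)-style integrity check. Windows names (SSDT, KPP)
 * appear only in comments; nothing here touches a real kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef long (*service_fn)(long arg);

/* Hypothetical services standing in for NtXxx entries. */
static long svc_open_file(long handle)   { return handle + 1; }
static long svc_create_process(long pid) { return pid * 2; }

#define SERVICE_COUNT 2
static service_fn service_table[SERVICE_COUNT] = { svc_open_file, svc_create_process };

/* FNV-1a over the raw bytes of the table: what the checker remembers at "boot". */
static uint64_t table_digest(const service_fn *table, size_t count) {
    const unsigned char *p = (const unsigned char *)table;
    size_t n = count * sizeof(service_fn);
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

static uint64_t baseline_digest;

/* KPP-style: record the pristine table, return the digest taken. */
uint64_t kpp_take_baseline(void) {
    baseline_digest = table_digest(service_table, SERVICE_COUNT);
    return baseline_digest;
}

/* KPP-style: true while the table still matches the baseline. */
bool kpp_check(void) {
    return table_digest(service_table, SERVICE_COUNT) == baseline_digest;
}

/* The "security product" side: filter the call, then pass it through. */
static service_fn original_create_process;
static int blocked_calls;

static long hooked_create_process(long pid) {
    if (pid < 0) {              /* hypothetical policy: refuse negative pids */
        blocked_calls++;
        return -1;
    }
    return original_create_process(pid);
}

/* Overwrite the table entry; this is exactly what KPP is meant to catch. */
bool install_hook(void) {
    original_create_process = service_table[1];
    service_table[1] = hooked_create_process;
    return true;
}

/* Put the original pointer back; returns false if no hook was installed. */
bool remove_hook(void) {
    if (original_create_process == NULL) return false;
    service_table[1] = original_create_process;
    original_create_process = NULL;
    return true;
}

long call_service(size_t index, long arg) { return service_table[index](arg); }
int blocked_call_count(void) { return blocked_calls; }

int main(void) {
    kpp_take_baseline();
    printf("clean table passes check: %d\n", kpp_check());
    install_hook();
    printf("hooked table passes check: %d\n", kpp_check());
    printf("filtered call: %ld, blocked call: %ld\n", call_service(1, 21), call_service(1, -5));
    remove_hook();
    printf("restored table passes check: %d\n", kpp_check());
    return 0;
}
```

The model shows both sides of the argument at once: the hook does useful filtering, and the checker flags it as tampering anyway, because from the checker's point of view a vendor's hook and a rootkit's hook are the same write to the same table.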
Let us see whether Agnitum is willing to comment again in this debate. I hope so, and I am looking forward to having a good discussion with someone from Agnitum (hopefully no one from marketing, though :mrgreen:).