Antivirus vendors splitting over Vista

news
Oct 23, 2006 | 4 mins

Antivirus vendor Sophos issued a statement supporting PatchGuard, Microsoft's controversial kernel protection technology. The statement runs contrary to claims by McAfee and Symantec that the technology stifles innovation.

We’ve heard a lot from big-name consumer antivirus vendors Symantec and McAfee in recent weeks about their concerns over Microsoft’s PatchGuard technology, but less from smaller antivirus firms like ESET, Sophos, Kaspersky Labs, and Trend Micro. Now one of those vendors is coming off the fence and, surprisingly, not coming to the aid of its compatriots.

UK-based Sophos issued a statement early Monday in support of Microsoft’s PatchGuard feature, which McAfee and Symantec have both cried foul over.

In an e-mail statement released Monday, Sophos said that its products will offer complete threat protection on 64-bit systems even without the kind of kernel-level access Symantec and McAfee are arguing over.

“Sophos is experiencing no problems with PatchGuard for Sophos’s latest HIPS technology. Sophos Anti-Virus and its built-in HIPS will work just fine on both 32- and 64-bit versions of Windows Vista. Microsoft has so far provided all the interfaces that Sophos needs for providing this pre-execution HIPS as well as runtime HIPS,” the company said.

Symantec and McAfee may be singing a different tune because “they haven’t coded their solutions with 64-bit Vista in mind,” said Richard Jacobs, CTO of Sophos.

“We’ve taken a different approach to HIPS, by focusing more on catching bad behaviour by analyzing code before it executes. Additionally, we are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert the kernel by ‘hooking’ calls to it. That’s why we’re ready for 64-bit Vista, and others aren’t,” Jacobs is quoted as saying.

However, while Sophos is giving Microsoft the benefit of the doubt on PatchGuard, the feature does put the onus on Redmond to make good on its promises to work with AV vendors to create interfaces to the Vista kernel that will support new security features.

“It’s clearly the case that we and other vendors will now have some dependency on Microsoft to deliver kernel interfaces for new security innovations, which could slow us all down. However this is more than compensated for by the additional security offered by a locked down kernel,” Jacobs said.

Microsoft received a similar endorsement last week from security researcher and Blue Pill rootkit author Joanna Rutkowska, who said that PatchGuard was “a very good idea,” though she debated whether it could really be considered a security feature, so much as a way to force legitimate vendors to interact with the kernel in an appropriate and predictable way. If PatchGuard couldn’t prevent kernel hooking, it would at least make it easier to spot malicious programs that are trying to do it, said Rutkowska.

Of course, Sophos going on record supporting PatchGuard is nothing new. Company executives like Graham Cluley have been quoted extensively in press coverage of the debate saying that they don’t share McAfee and Symantec’s criticisms of Microsoft, and that they’ve found Redmond responsive to requests to work on extending the Vista 64-bit kernel to meet their needs.

How much of this is real and how much is gamesmanship? It’s hard to say. McAfee and Symantec are clearly protecting their turf, especially in the consumer space, and appear to be building a case for some kind of antitrust action over the security features in Vista. On the other hand, it’s entirely possible that Microsoft is presenting two faces to the antivirus vendors: one to small enterprise-focused vendors like Sophos and Trend, who don’t pose a threat to OneCare and Microsoft’s other products, and another to Symantec and McAfee who do.

It’s impossible to know for sure whether the antivirus vendors are crying wolf, or whether Microsoft is truly acting vulpine as it ramps up its security products. Once the lawsuits start flying, we may learn more.