64-bit systems and 3rd party security software

Hi,

I don't know if anyone of you have seen this thread at Wilders, but there was very technically and teachable discussion about implemented in 64-bit OS by MS "PatchGuard" feature.
This conversation was between: Ilya Rabinovich (DefenseWall Developer), PrevxHelp (PrevX Developer) and tzuk (SandboxIE Developer), there is about 12 pages of discussion - all of this pages are worth to read.

Link: 64-bit systems and anti-malware software - Wilders Security Forums

Summary:
64-bit security softwares do not offer the same protection level as their 32-bit brothers so far.

Cheers,
Creer

Interesting. Thanks. :)
However, i didnt like the fact that the guy is providing misleading info which may prevent people to go 64bit.

Dinesh said:

Interesting. Thanks. :)
However, i didnt like the fact that the guy is providing misleading info which may prevent people to go 64bit.

Hi,

you are welcome.

I know but this is very interesting because through that thread we can see the way how think security experts who provide security solutions for our computers.
I believe that MS don't tell us everything about their product especially if that information could harm their marketing policy.

Dinesh said:

Interesting. Thanks. :)
However, i didnt like the fact that the guy is providing misleading info which may prevent people to go 64bit.

.
Well, that was a very complex and confusing discussion. Who do you feel provided misleading information to discourage the adoption of 64 bit? One thing that seemed reasonably clear is that it's harder to write security programs for 64 bit because developers are not allowed to hook into the kernel the way they can in 32 bit Windows. I haven't seen any serious comparisons between x86 and x64 regarding resistance to malware. I hope this will be looked at in-depth now that x64 is becoming more common. I think there is reason to be cautious about x64 until it's clear that it can be "hardened" to the same extent (or perhaps even better) then x86.

Victek said:

.
Well, that was a very complex and confusing discussion. Who did you feel provided misleading information to discourage the adoption of 64 bit? One thing that seemed reasonably clear is that it's harder to write security programs for 64 bit because developers are not allowed to hook into the kernel the way they can in 32 bit Windows. I haven't seen any serious comparisons between x86 and x64 regarding resistance to malware. I hope this will be looked at in-depth now that x64 is becoming more common. I think there is reason to be cautious about x64 until it's clear that it can be "hardened" to the same extent (or perhaps even better) then x86.

The discussion clearly says that it'll take more 5 yrs to go 64bit as the security programs do not work efficiently. Huh! There are many programs that fully support 64bit. I m using 64bit OS and AV. My pc had never infected. Infact, many .exe viruses fails to even install on 64bit OS. I feel secure to have 64bit.

Dinesh said:

The discussion clearly says that it'll take more 5 yrs to go 64bit as the security programs do not work efficiently. Huh! There are many programs that fully support 64bit. I m using 64bit OS and AV. My pc had never infected. Infact, many .exe viruses fails to even install on 64bit OS. I feel secure to have 64bit.

.
I'm glad you feel secure, but I'm referring to a more general and scientific study of the OS. That will take time and require a large sampling - the kind of information that Microsoft gatherings by running their "malicious software removal tool" through Windows Update. 64 bit may look secure now, but (like the MAC) you don't know if that's because it hasn't been targeted like the 32 bit Windows operating systems.

From my viewpoint with 'security', I see less machines using 64 bit than 32 bit in the antimalware forums needing help.

Now I don't know if this is because the 64bit is more secure or the OP has a better knowledge of protection

I do know that not all (including malware writers as well as malware defense) developers are in tune with 64bit yet ... so this could also be why 32bit is an easier target for both parties.

Dinesh said:

The discussion clearly says that it'll take more 5 yrs to go 64bit as the security programs do not work efficiently. Huh! There are many programs that fully support 64bit. I m using 64bit OS and AV. My pc had never infected. Infact, many .exe viruses fails to even install on 64bit OS. I feel secure to have 64bit.

OK, when they quotation says it'll take more than 5 years, that is for *mainstream* - as in when 64bit OSs take over ass the majority of installed OSs worldwide.

Remember, even today many people are opting to buy 32bit versions of Windows, Mac, etc. (Snow Leopard excepted, of course) b/c of FUD.

Furthermore, let's not forget netbooks - a very real scenario in *today's* marketplace.

Victek said:

.
I'm glad you feel secure, but I'm referring to a more general and scientific study of the OS. That will take time and require a large sampling - the kind of information that Microsoft gatherings by running their "malicious software removal tool" through Windows Update. 64 bit may look secure now, but (like the MAC) you don't know if that's because it hasn't been targeted like the 32 bit Windows operating systems.

One of the reasons that 64bit OSs (well, Windows anyway) are more secure is for the very same reason mentioned above in relation to why it is harder to write security applications for 64bit Windows - the lack of kernel level hooking, a very real feature that more sophisticated malware also exploit. After all, with the release of NT and a free and open kernel (as was seen in W9x) the whole virus / malware phenomena effectively snowballed at an alarmingly high geometric rate.

Jacee said:

From my viewpoint with 'security', I see less machines using 64 bit than 32 bit in the antimalware forums needing help.

Now I don't know if this is because the 64bit is more secure or the OP has a better knowledge of protection

I do know that not all (including malware writers as well as malware defense) developers are in tune with 64bit yet ... so this could also be why 32bit is an easier target for both parties.

That is true - but no one has studied whether this is because of simple statistics (64bit OS usage versus 32bit OS usage), demographics (I'd warrant that the majority of 64bit Windows users are still above average to pure expert when it comes to computer skills) or OS design, or even a combination of things. Furthermore, unless a study was undertaken *right no* and continued over the next 10 years, it would be nigh impossible to say one way or the other, whether now or in the future. Simply too many variables at play here.

As for being in tune with 64bit - yeas, more than a few do not work, although I feel everyone is slowly but surely jumping on the bandwagon. MBAM and M$SE are 64bit compatible - and I have just been notified that a new Beta version of MBAM is being tested now, so I need to go grab that....

Sadly, some of the smaller companies / developers are simply not able to devote enough time for the massive code re-write that is required to either port an existing application to 64bit architecture or develop a new, independent 64bit application from scratch....

johngalt said:

One of the reasons that 64bit OSs (well, Windows anyway) are more secure is for the very same reason mentioned above in relation to why it is harder to write security applications for 64bit Windows - the lack of kernel level hooking, a very real feature that more sophisticated malware also exploit. After all, with the release of NT and a free and open kernel (as was seen in W9x) the whole virus / malware phenomena effectively snowballed at an alarmingly high geometric rate.

.
One thing mentioned in the thread at Wilders is there are already ways of hacking around patchguard to make malware/rootkits possible. The kernel apparently can be hooked, it just can't be hooked by legitimate anti-malware developers because there is no authorized access. Is that correct?

In a sense, yes. There is some hooking allowed, as the Vista SP1 showed us - after McAfee and Symantec and everyone else complained a zillion times, SP1 allowed for that hooking to take place on a limited basis.

My guess is that this time M$ will not bow to pressure. Either that or they carried through the same limited access as present in Vista SP1....

We had a big thread about this, IIRC, over at Vistax64 forums....