m →Third-party applications: formatting fix
GreenC bot: Reformat 1 archive link. Wayback Medic 2.5 per WP:USURPURL and JUDI batch #20
(5 intermediate revisions by 5 users not shown)
Line 1:
{{Short description|Security feature of Microsoft Windows}}
[[Image:Kernel Layout.svg|thumb|200px|The [[Kernel (operating system)|kernel]] connects the application software to the hardware of a computer.]]
'''Kernel Patch Protection''' ('''KPP'''), informally known as '''PatchGuard''', is a feature of 64-bit ([[x86-64|x64]]) editions of [[Microsoft Windows]] that prevents patching the [[Kernel (operating system)|kernel]]. It was first introduced in 2005 with the x64 editions of [[Windows
|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx
|title=Kernel Patch Protection: Frequently Asked Questions
Line 13 ⟶ 14:
Since patching the kernel is possible in 32-bit (x86) editions of Windows, several [[antivirus software]] developers use kernel patching to implement antivirus and other security services. These techniques will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection resulted in antivirus makers having to redesign their software without using kernel patching techniques.
However, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.<ref name="skape"/><ref>{{Citation |last=dushane |title=PatchGuardBypass |date=2023-04-03 |url=https://github.com/AdamOron/PatchGuardBypass |access-date=2023-04-03}}</ref> This has led to criticism that since KPP is an imperfect defense, the problems caused to antivirus vendors outweigh the benefits because authors of [[malware|malicious software]] will simply find ways around its defenses.<ref name="Samenuk"/><ref name="Gewirtz"/> Nevertheless, Kernel Patch Protection can still prevent problems of system stability, reliability, and performance caused by legitimate software patching the kernel in unsupported ways.
==Technical overview==
Line 27 ⟶ 28:
|archive-date=3 March 2016
|url-status=dead
}}</ref> Device drivers are expected to not modify or ''patch'' core system structures within the kernel.<ref name="KPP FAQ"/> However, in [[x86]] editions of Windows, Windows does not enforce this expectation. As a result, some x86 software, notably certain security and [[antivirus software|antivirus]] programs, were designed to perform needed tasks through loading drivers that modify core kernel structures.<ref name="Introduction"/><ref name="Fathi">{{cite web
|url=https://www.theguardian.com/technology/2006/sep/28/viruses.security
|title=Antivirus vendors raise threats over Vista in Europe
Line 143 ⟶ 144:
Microsoft's Kernel Patch Protection FAQ further explains:
{{
==Criticisms==
Line 347 ⟶ 348:
==External links==
*{{usurped|1=[https://web.archive.org/web/20070217053224/http://www.windows-now.com/blogs/robert/archive/2006/08/12/PatchGuard-and-Symantecs-Complaints-About-Windows-Vista.aspx The Truth About PatchGuard: Why Symantec Keeps Complaining]}}
*[https://web.archive.org/web/20061124094344/http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx An Introduction to Kernel Patch Protection]
*[https://web.archive.org/web/20070205155710/http://www.microsoft.com/security/windowsvista/allchin.mspx Microsoft executive clarifies recent market confusion about Windows Vista Security]