Kernel Patch Protection: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 10:49, 27 January 2015 edit 81.145.165.209 (talk) →Weaknesses ← Previous edit		Latest revision as of 02:32, 21 December 2024 edit undo GreenC bot (talk \| contribs) Bots 3,060,445 edits Reformat 1 archive link. Wayback Medic 2.5 per WP:USURPURL and JUDI batch #20
(47 intermediate revisions by 29 users not shown)
Line 1: {{Short description\|Security feature of Microsoft Windows}} [[Image:Kernel Layout.svg\|thumb\|200px\|The [[Kernel (~~computer~~operating ~~science~~system)\|kernel]] connects the application software to the hardware of a computer.]] '''Kernel Patch Protection''' ('''KPP'''), informally known as '''PatchGuard''', is a feature of 64-bit ([[x86-64\|x64]]) editions of [[Microsoft Windows]] that prevents patching the [[Kernel (~~computer~~operating ~~science~~system)\|kernel]]. It was first introduced in 2005 with the x64 editions of [[Windows ~~XP Professional x64 Edition\|Windows XP~~Vista]] and [[Windows Server 2003]] Service Pack 1.<ref name="KPP FAQ">{{cite web \|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx \|title=Kernel Patch Protection: Frequently Asked Questions \|publisher=[[Microsoft]] \|date=22 January 2007 \|~~accessdate~~access-date=30 July 2007 }}</ref> "Patching the kernel" refers to unsupported modification of the central component or ~~[[Kernel (computer science)\|~~kernel]] of the Windows operating system. Such modification has never been supported by Microsoft because, according to Microsoft, it can greatly reduce system security, reliability, and ~~reliability~~performance.<ref ~~However,~~name="KPP FAQ"/> ~~though~~Although Microsoft does not recommend it, it is ~~technically~~ possible to patch the kernel on [[x86]] editions of Windows.; ~~But~~however, with the x64 editions of Windows, Microsoft chose to implement additional protection and technical barriers to kernel patching. Since patching the kernel is ~~technically permitted~~possible in 32-bit (x86) editions of Windows, several [[antivirus software]] developers use kernel patching to implement antivirus and other security services. ~~This~~These ~~kind of antivirus software~~techniques will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection ~~has~~resulted ~~been criticized for forcing~~in antivirus makers having to redesign their software without using kernel patching techniques. ~~Also~~However, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.<ref name="skape"/><ref>{{Citation \|last=dushane \|title=PatchGuardBypass \|date=2023-04-03 \|url=https://github.com/AdamOron/PatchGuardBypass \|access-date=2023-04-03}}</ref> This has led to ~~additional~~ criticism that since KPP is an imperfect defense, the problems caused to antivirus ~~makers~~vendors outweigh the benefits because authors of [[malware\|malicious software]] will simply find ways around its defenses.<ref name="Samenuk"/><ref name="Gewirtz"/> Nevertheless, Kernel ~~Patching~~Patch Protection can still prevent problems of system stability ~~and~~, reliability, ~~problems~~and performance caused by legitimate software patching the kernel in unsupported ways. ==Technical overview== Line 23 ⟶ 24: \|publisher=Uninformed \|date=September 2007 \|~~accessdate~~access-date=20 September 2007 \|archive-url=https://web.archive.org/web/20160303171005/http://uninformed.org/index.cgi?v=8&a=5&p=2 }}</ref> In turn, device drivers are expected to not modify or ''patch'' core system structures within the kernel.<ref name="KPP FAQ"/> In [[x86]] editions of Windows, Windows does not enforce this expectation that drivers not patch the kernel. But because the expectation is not enforced on x86 systems, some programs, notably certain security and [[antivirus]] programs, were designed to perform needed tasks through loading drivers that modified core kernel structures.<ref name="Introduction"/><ref name="Fathi">{{cite web▼ \|archive-date=3 March 2016 \|url=http://www.guardian.co.uk/technology/2006/sep/28/viruses.security▼ \|url-status=dead ▲}}</ref> ~~In turn, device~~Device drivers are expected to not modify or ''patch'' core system structures within the kernel.<ref name="KPP FAQ"/> InHowever, in [[x86]] editions of Windows, Windows does not enforce this expectation ~~that drivers not patch the kernel~~. ~~But~~As ~~because~~a ~~the~~result, ~~expectation is not enforced on~~some x86 ~~systems, some programs~~software, notably certain security and [[antivirus software\|antivirus]] programs, were designed to perform needed tasks through loading drivers that ~~modified~~modify core kernel structures.<ref name="Introduction"/><ref name="Fathi">{{cite web ▲\|url=~~http~~https://www.~~guardian~~theguardian.~~co.uk~~com/technology/2006/sep/28/viruses.security \|title=Antivirus vendors raise threats over Vista in Europe \|last=Schofield \|first=Jack \|~~publisher~~work=[[The Guardian]] \|date=28 September 2006 \|~~accessdate~~access-date=20 September 2007 }} "This has never been supported and has never been endorsed by us. It introduces insecurity, instability, and performance issues, and every time we change something in the kernel, their product breaks." —Ben Fathi, corporate vice president of Microsoft's security technology unit</ref> In [[x86-64\|x64]] editions of Windows, Microsoft ~~chose to begin~~began to enforce ~~the~~ restrictions on what structures drivers can and cannot modify. Kernel Patch Protection is the technology that ~~actually~~ enforces these restrictions. It works by periodically checking to make sure that protected system structures in the kernel have not been modified. If a modification is detected, then Windows will initiate a [[Fatal system error\|bug check]] and shut down the system,<ref name="Introduction"/><ref name="Patching Policy">{{cite web \|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx \|title=Patching Policy for x64-Based Systems \|publisher=[[Microsoft]] \|date=22 January 2007 \|~~accessdate~~access-date=20 September 2007 }}</ref> with a [[Blue screen of death\|blue screen]] and/or reboot. The corresponding bugcheck number is 0x109, the bugcheck code is CRITICAL_STRUCTURE_CORRUPTION. Prohibited modifications include:<ref name="Patching Policy"/> * Modifying [[System call\|system service]] descriptor tables * Modifying the [[interrupt descriptor table]] * Modifying the [[Global Descriptor Table\|global descriptor table]] * Using kernel [[Stack (abstract data ~~structure~~type)\|~~stack~~stacks]]s not allocated by the kernel * Modifying or patching code contained within the kernel itself,<ref name="Patching Policy"/> or the [[Hardware abstraction layer\|HAL]] or [[Network Driver Interface Specification\|NDIS]] kernel libraries<ref>{{cite web \|url=http://uninformed.org/index.cgi?v=3&a=3&p=7 \|title=System Images Line 52 ⟶ 56: \|author=skape \|author2=Skywing \|publisher=Uninformed \|date=December 2005 \|~~accessdate~~access-date=21 September 2007 \|archive-url=https://web.archive.org/web/20160817074740/http://uninformed.org/index.cgi?v=3&a=3&p=7 \|archive-date=17 August 2016 \|url-status=dead }}</ref> ~~It should be noted that~~ Kernel Patch Protection only defends against device drivers modifying the kernel. It does not offer any protection against one device driver patching another.<ref name="Conclusion">{{cite web \|url=http://uninformed.org/index.cgi?v=6&a=1&p=25 \|author=Skywing Line 64 ⟶ 71: \|publisher=Uninformed \|date=January 2007 \|~~accessdate~~access-date=21 September 2007 \|archive-url=https://web.archive.org/web/20160304025651/http://uninformed.org/index.cgi?v=6&a=1&p=25 \|archive-date=4 March 2016 \|url-status=dead }}</ref> Line 73 ⟶ 83: \|author=skape \|author2=Skywing \|publisher=Uninformed \|date=December 2005 \|~~accessdate~~access-date=20 September 2007 \|archive-url=https://web.archive.org/web/20160817134554/http://uninformed.org/index.cgi?v=3&a=3&p=3 }}</ref> KPP does however present a significant obstacle to successful kernel patching. With highly [[obfuscated code]] and misleading symbol names, KPP employs [[security through obscurity]] to hinder attempts to bypass it.<ref name="Introduction"/><ref>{{cite web▼ \|archive-date=17 August 2016 \|url-status=dead ▲}}</ref> KPP does however present a significant obstacle to successful kernel patching. With highly [[obfuscation (software)\|obfuscated code]] and misleading symbol names, KPP employs [[security through obscurity]] to hinder attempts to bypass it.<ref name="Introduction"/><ref>{{cite web \|url=http://uninformed.org/index.cgi?v=6&a=1&p=10 \|title=Misleading Symbol Names Line 83 ⟶ 96: \|publisher=Uninformed \|date=December 2006 \|~~accessdate~~access-date=20 September 2007 \|archive-url=https://web.archive.org/web/20160303171036/http://uninformed.org/index.cgi?v=6&a=1&p=10 \|archive-date=3 March 2016 \|url-status=dead }}</ref> Periodic updates to KPP also make it a "moving target", as bypass techniques that may work for a while are likely to break with the next update. Since its creation in 2005, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.<ref name="Introduction"/><ref name="Microsoft Security Advisory (914784)">{{cite web \|url=http://www.microsoft.com/technet/security/advisory/914784.mspx Line 91 ⟶ 107: \|publisher=Microsoft \|date=June 2006 \|~~accessdate~~access-date=21 September 2007 }}</ref><ref name="Microsoft Security Advisory (932596)">{{cite web \|url=http://www.microsoft.com/technet/security/advisory/932596.mspx Line 99 ⟶ 115: \|publisher=Microsoft \|date=August 2007 \|~~accessdate~~access-date=21 September 2007 }}</ref> ~~==Disadvantages==~~ Prevent API [[hooking]]. Cause [[porting]] issues. ==Advantages== Patching the kernel has never been supported by Microsoft because it can cause a number of negative effects.<ref name="Fathi"/> Kernel Patch Protection protects against these negative effects, which include: * ~~The [[Blue Screen of Death]], which results from serious~~Serious errors in the kernel.<ref name="Field">{{cite web \|url=http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx \|title=An Introduction to Kernel Patch Protection \|~~accessdate~~access-date=30 November 2006 \|last=Field \|first=Scott Line 121 ⟶ 133: \|url=http://www.microsoft.com/security/windowsvista/allchin.mspx \|title=Microsoft executive clarifies recent market confusion about Windows Vista Security \|~~accessdate~~access-date=30 November 2006 \|last=Allchin \|first=Jim \|~~authorlink~~author-link=Jim Allchin \|date=20 October 2006 \|publisher=[[Microsoft]] Line 130 ⟶ 142: * Compromised system security.<ref name="Introduction"/> * [[Rootkit]]s can use kernel access to embed themselves in an operating system, becoming nearly impossible to remove.<ref name="Field"/> * Products that rely on kernel modifications are likely to break with newer versions of Windows or updates to Windows that change the way the kernel works.<ref name="Fathi"/> Microsoft's Kernel Patch Protection FAQ further explains: {{~~quotation~~blockquote\|Because patching replaces kernel code with unknown, untested code, there is no way to assess the quality or impact of the third-party code...An examination of Online Crash Analysis (OCA) data at Microsoft shows that system crashes commonly result from both malicious and non-malicious software that patches the kernel.\|{{cite web \|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx \|title=Kernel Patch Protection: Frequently Asked Questions \|website=[[Microsoft]] \|date=22 January 2007 \|~~accessdate~~access-date=22 February 2007}}}} ==Criticisms== ===Third-party applications=== Some computer security software, such as [[McAfee]]'s [[McAfee VirusScan]] and [[Gen Digital\|Symantec]]'s [[Norton AntiVirus]], ~~works~~worked by patching the kernel on x86 systems.{{citation needed\|reason=but NIS2010/11 works on my version of WIn7x64 :/\|date=January 2011}} ~~Additionally, anti~~Anti-virus software authored by [[Kaspersky Lab]] has been known to make extensive use of kernel code patching on [[x86]] editions of Windows.<ref>{{cite web \|url=http://uninformed.org/index.cgi?v=4&a=4&p=10 \|author=Skywing Line 145 ⟶ 156: \|publisher=Uninformed \|date=June 2006 \|~~accessdate~~access-date=21 September 2007 }}</ref> This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.<ref>{{cite news \|first=Elizabeth \|last=Montalbano Line 153 ⟶ 164: \|publisher=[[PC World (magazine)\|PC World]] \|date=6 October 2006 \|~~accessdate~~access-date=30 November 2006 \|archive-url=https://web.archive.org/web/20070405234445/http://www.pcworld.in/news/index.jsp/artId=4587538 }}</ref> Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by trusted companies such as themselves.<ref name="Samenuk">{{cite web▼ \|archive-date=5 April 2007 \|url-status=dead ▲}}</ref> Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by "trusted companies" such as themselves.<ref name="Samenuk">{{cite web \|url=http://news.softpedia.com/news/Microsoft-Increasing-Security-Risk-with-Vista-37014.shtml \|title=Microsoft Increasing Security Risk with Vista Line 161 ⟶ 175: \|publisher=[[McAfee]] \|date=28 September 2006 \|~~accessdate~~access-date=8 July 2013 }}</ref> ~~Interestingly,~~ Symantec's ''corporate'' antivirus software<ref>{{cite web \|url=http://www.symantec.com/enterprise/products/sysreq.jsp?pcid=1008&pvid=805_1 \|title=Symantec AntiVirus Corporate Edition: System Requirements \|~~accessdate~~access-date=30 November 2006 \|year=2006 \|publisher=[[NortonLifeLock\|Symantec]] \|archive-url=https://web.archive.org/web/20070515200615/http://www.symantec.com/enterprise/products/sysreq.jsp?pcid=1008&pvid=805_1 }}</ref> and Norton 2010 range and beyond <ref>{{cite web▼ \|archive-date=15 May 2007 \|url-status=dead ▲}}</ref> and Norton 2010 range and beyond <ref>{{cite web \|url=http://us.norton.com/internet-security \|title=Symantec Internet Security product page \|~~accessdate~~access-date=26 January 2011 \|year=2011 \|publisher=[[NortonLifeLock\|Symantec]] }}</ref> ~~does work~~worked on x64 editions of Windows despite KPP's restrictions, although with less ability to provide protection against zero-day malware. Antivirus software made by competitors [[ESET]],<ref>{{Cite web\|url=http://www.eset.com/products/64bit.php\|title=High-performance threat protection for the next-generation of 64-bit computers\|date=2008-11-20\|publisher=ESET\|archive-url=https://web.archive.org/web/20081120071411/http://www.eset.com/products/64bit.php\|archive-date=2008-11-20}}</ref> [[Trend Micro]],<ref>{{cite web ~~Antivirus software made by competitors ESET,<ref>{{cite web~~ ~~\|url=http://www.eset.com/products/64bit.php~~ ~~\|title=64-bit Protection~~ \|publisher=ESET▼ ~~\|accessdate=5 October 2007~~ ~~}}</ref> [[Trend Micro]],<ref>{{cite web~~ \|url=https://imperia.trendmicro-europe.com/us/products/enterprise/officescan-client-server-edition/system-requirements/index.html \|title=Minimum System Requirements \|publisher=[[Trend Micro]] USA \|~~accessdate~~access-date=5 October 2007 \|archive-date=8 February 2012 \|archive-url=https://web.archive.org/web/20120208124040/https://imperia.trendmicro-europe.com/us/products/enterprise/officescan-client-server-edition/system-requirements/index.html \|url-status=dead }}</ref> [[Grisoft]] AVG,<ref>{{cite web \|url=http://www.grisoft.com/doc/324/us/crp/3 \|title=AVG Anti-Virus and Internet Security - Supported Platforms \|publisher=[[Grisoft]] \|~~accessdate~~access-date=5 October 2007 \|~~archiveurl~~ archive-url= ~~http~~https://web.archive.org/web/20070827082857/http://www2.grisoft.com/doc/324/us/crp/3 ~~<!-- Bot retrieved~~ \|archive -~~-> \|archivedate~~ date= 27 August 2007 \|url-status=dead }}</ref> [[Avast Software\|avast!]], [[Avira\|Avira Anti-Vir]] and [[Sophos]] do not patch the kernel in default configurations, but may patch the kernel when features such as "advanced process protection" or "prevent unauthorized termination of processes" are enabled.<ref>{{cite news \|first = Robert▼ ~~<ref>{{cite news~~ \|last = Jaques▼ ▲\|first=Robert \|title = Symantec and McAfee 'should have prepared better' for Vista▼ ▲\|last=Jaques \|url = http://www.vnunet.com/vnunet/news/2167016/symantec-mcafee-should-prepared▼ ▲\|title=Symantec and McAfee 'should have prepared better' for Vista ▲ \|publisher =~~ESET~~ vnunet.com ▲\|url=http://www.vnunet.com/vnunet/news/2167016/symantec-mcafee-should-prepared \|date = 23 October 2006 ~~\|publisher=vnunet.com~~ \|access-date =23 ~~October~~30 November 2006 \|url-status = dead ~~\|accessdate=30 November 2006~~ \|archive-url = https://web.archive.org/web/20070927195203/http://www.vnunet.com/vnunet/news/2167016/symantec-mcafee-should-prepared \|archive-date = 27 September 2007 }}</ref> [[Image:Jim Allchin at PDC 2005.jpeg\|thumb\|right\|[[Jim Allchin]], then co-president of Microsoft, was an adamant supporter of Kernel Patch Protection.]] ~~Contrary to some media reports, {{By whom\|date=August 2009}}~~ Microsoft ~~will~~does not weaken Kernel Patch Protection by making exceptions to it, though Microsoft has been known to relax its restrictions from time to time, such as for the benefit of [[hypervisor]] virtualization software.<ref name="Conclusion"/><ref>{{cite news \|url=http://www.infoworld.com/article/07/01/19/HNpatchguardstitch_1.html \|title=Researcher: PatchGuard hotfix stitches up benefit to Microsoft \|date=19 January 2007 \|~~accessdate~~access-date=21 September 2007 \|author=McMillan, Robert \|publisher=[[InfoWorld]] }}</ref> Instead, Microsoft worked with third-party companies to create new [[API\|Application Programming ~~Interface~~Interfaces]]s that help security software perform needed tasks without patching the kernel.<ref name="Allchin"/> These new interfaces were included in [[Windows Vista#Service Pack 1\|Windows Vista Service Pack 1]].<ref>{{cite web \|url = http://technet2.microsoft.com/WindowsVista/en/library/005f921e-f706-401e-abb5-eec42ea0a03e1033.mspx?mfr=true \|title = Notable Changes in Windows Vista Service Pack 1 \|publisher = [[Microsoft]] \|year = 2008 \|~~accessdate~~access-date = 20 March 2008 \|url-status = dead \|archive-url = https://web.archive.org/web/20080503040732/http://technet2.microsoft.com/WindowsVista/en/library/005f921e-f706-401e-abb5-eec42ea0a03e1033.mspx?mfr=true \|archive-date = 3 May 2008 }}</ref> ===Weaknesses=== Because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.<ref name="skape"/> This led the computer security providers [[McAfee]] and [[NortonLifeLock\|Symantec]] to say that since KPP is an imperfect defense, the problems caused to security providers outweigh the benefits, because [[malicious software]] will simply find ways around KPP's defenses and third-party security software will have less freedom of action to defend the system.<ref name="Samenuk"/><ref name="Gewirtz">{{cite news \|last=Gewirtz \|first=David \|~~authorlink~~author-link=David Gewirtz \|title=The great Windows Vista antivirus war \|url=http://zatz.com/outlookpower/article/the-great-windows-vista-antivirus-war/ \|publisher=OutlookPower \|year=2006 \|~~accessdate~~access-date=8 July 2013 \|archive-url=https://web.archive.org/web/20130201170559/http://zatz.com/outlookpower/article/the-great-windows-vista-antivirus-war/ \|archive-date=1 February 2013 \|url-status=dead }} "The system's already vulnerable. People have already hacked into PatchGuard. System is already vulnerable no matter what. PatchGuard has a chilling effect on innovation. The bad guys are always going to innovate. Microsoft should not tie the hands of the security industry so they can't innovate. We're concerned about out-innovating the bad guys out there." —Cris Paden, Manager on the Corporate Communication Team at Symantec</ref> Line 237 ⟶ 263: \|author=skape \|author2=Skywing \|publisher=Uninformed \|date=1 December 2005 \|~~accessdate~~access-date=2 June 2008 \|archive-url=https://web.archive.org/web/20170801092238/http://www.uninformed.org/?v=3&a=3 \|archive-date=1 August 2017 \|url-status=dead }}</ref> Skywing went on to publish a second report in January 2007 on bypassing KPP version 2,<ref>{{cite web \|url=http://uninformed.org/index.cgi?v=6&a=1 Line 246 ⟶ 275: \|publisher=Uninformed \|date=December 2006 \|~~accessdate~~access-date=2 June 2008 }}</ref> and a third report in September 2007 on KPP version 3.<ref>{{cite web \|url=http://uninformed.org/index.cgi?v=8&a=5 Line 253 ⟶ 282: \|publisher=Uninformed \|date=September 2007 \|~~accessdate~~access-date=2 June 2008 }}</ref> Also, in October 2006 security company [[Authentium]] developed a working method to bypass KPP.<ref>{{cite news \|first=Matt \|last=Hines \|title=Microsoft Decries Vista PatchGuard Hack \|url=http://www.eweek.com/~~article2~~c/~~0,1759,2037052,00.asp~~a/Security/Microsoft-Decries-Vista-PatchGuard-Hack \|publisher=[[eWEEK]] \|date=25 October 2006 \|access-date=2 April 2016 ~~\|accessdate=30 July 2007~~ }}</ref> Nevertheless, Microsoft has stated that they are committed to remove any flaws that allow KPP to be bypassed as part of its standard Security Response Center process.<ref>{{cite news \|last = Gewirtz \|first = David \|title = The great Windows Vista antivirus war \|url = http://www.outlookpower.com/issuesprint/issue200611/00001883.html \|publisher = OutlookPower \|year = 2006 \|~~accessdate~~access-date = 30 November 2006 \|url-status = dead \|archive-url = https://web.archive.org/web/20070904075535/http://www.outlookpower.com/issuesprint/issue200611/00001883.html \|archive-date = 4 September 2007 }}</ref> In keeping with this statement, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.<ref name="Introduction"/><ref name="Microsoft Security Advisory (914784)"/><ref name="Microsoft Security Advisory (932596)"/> ===Antitrust behavior=== In 2006, the [[European Commission]] expressed concern over Kernel Patch Protection, saying it was [[anticompetitive]].<ref>{{cite news \|first=Tom \|last=Espiner Line 282 ⟶ 314: \|publisher=silicon.com \|date=25 October 2006 \|~~accessdate~~access-date=30 November 2006 \|archive-url=https://web.archive.org/web/20070202190644/http://software.silicon.com/os/0,39024651,39163525,00.htm \|archive-date=2 February 2007 \|url-status=dead }}</ref> However, Microsoft's own antivirus product, [[Windows Live OneCare]], had no special exception to KPP. Instead, Windows Live OneCare used (and had always used) methods other than patching the kernel to provide virus protection services.<ref>{{cite web \|url=https://blogs.technet.com/security/archive/2006/08/12/446104.aspx \|title=Windows Vista x64 Security – Pt 2 – Patchguard \|~~accessdate~~access-date=11 March 2007 \|last=Jones \|first=Jeff Line 292 ⟶ 327: \|date=12 August 2006 \|work=Jeff Jones Security Blog \|archive-date=9 December 2008 \|archive-url=https://web.archive.org/web/20081209034856/http://blogs.technet.com/security/archive/2006/08/12/446104.aspx \|url-status=dead }}</ref> Still, for other reasons a x64 edition of Windows Live OneCare was not available until November 15, 2007.<ref>{{cite web \|url = http://windowsvistablog.com/blogs/windowsvista/archive/2007/11/14/upgrade-to-next-version-of-windows-live-onecare-announced-for-all-subscribers.aspx \|title = Upgrade to Next Version of Windows Live OneCare Announced for All Subscribers \|last = White \|first = Nick \|work = Windows Vista Team Blog \|publisher = [[Microsoft]] \|date = 14 November 2007 \|~~accessdate~~access-date = 14 November 2007 \|url-status = dead \|archive-url = https://web.archive.org/web/20080201162836/http://windowsvistablog.com/blogs/windowsvista/archive/2007/11/14/upgrade-to-next-version-of-windows-live-onecare-announced-for-all-subscribers.aspx \|archive-date = 1 February 2008 }}</ref> Line 307 ⟶ 348: ==External links== {{usurped\|1=[https://web.archive.org/web/20070217053224/http://www.windows-now.com/blogs/robert/archive/2006/08/12/PatchGuard-and-Symantecs-Complaints-About-Windows-Vista.aspx The Truth About PatchGuard: Why Symantec Keeps Complaining]}} [https://web.archive.org/web/20061124094344/http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx An Introduction to Kernel Patch Protection] [https://web.archive.org/web/20070205155710/http://www.microsoft.com/security/windowsvista/allchin.mspx Microsoft executive clarifies recent market confusion about Windows Vista Security] [http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx Kernel Patch Protection: Frequently Asked Questions] [https://blogs.technet.com/security/archive/2006/08/12/446104.aspx Windows Vista x64 Security – Pt 2 – Patchguard] {{Webarchive\|url=https://web.archive.org/web/20081209034856/http://blogs.technet.com/security/archive/2006/08/12/446104.aspx \|date=2008-12-09 }} '''Uninformed.org articles:''' [https://web.archive.org/web/20170801092238/http://www.uninformed.org/?v=3&a=3 Bypassing PatchGuard on Windows x64] [https://web.archive.org/web/20160602175644/http://www.uninformed.org/?v=6&a=1 Subverting PatchGuard Version 2] [https://web.archive.org/web/20160603002558/http://www.uninformed.org/?v=8&a=5 PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3] '''Working bypass approaches''' [http://~~www~~forum.~~codeproject~~cheatengine.~~com~~org/~~KB/vista-security/bypassing-patchguard~~viewtopic.~~aspx~~php?t=573311 AKPP ~~working driver to bypass PatchGuard 3~~Destroyer (including source code) - 2015] [http://~~fyyre~~www.~~ivory-tower~~codeproject.decom/~~txt~~KB/~~bootloader~~vista-security/bypassing-patchguard.~~txt~~aspx ~~Bypassing~~A working driver to bypass PatchGuard ~~with~~3 a(including ~~hex~~source code) - ~~editor~~2008] *[https://web.archive.org/web/20180502231259/http://fyyre.ru/vault/bootloader.txt Bypassing PatchGuard with a hex editor - 2009] '''Microsoft security advisories:'''