Content deleted Content added
m Disambiguating links to Symantec (link changed to NortonLifeLock; link changed to NortonLifeLock; link changed to NortonLifeLock; link changed to NortonLifeLock) using DisamAssist. |
GreenC bot (talk | contribs) Reformat 1 archive link. Wayback Medic 2.5 per WP:USURPURL and JUDI batch #20 |
||
| (16 intermediate revisions by 11 users not shown) | |||
Line 1:
{{Short description|Security feature of Microsoft Windows}}
[[Image:Kernel Layout.svg|thumb|200px|The [[Kernel (
'''Kernel Patch Protection''' ('''KPP'''), informally known as '''PatchGuard''', is a feature of 64-bit ([[x86-64|x64]]) editions of [[Microsoft Windows]] that prevents patching the [[Kernel (
|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx
|title=Kernel Patch Protection: Frequently Asked Questions
|publisher=[[Microsoft]]
|date=22 January 2007
|
}}</ref>
"Patching the kernel" refers to unsupported modification of the central component or
Since patching the kernel is possible in 32-bit (x86) editions of Windows, several [[antivirus software]] developers use kernel patching to implement antivirus and other security services. These techniques will not work on computers running x64 editions of Windows. Because of this, Kernel Patch Protection resulted in antivirus makers having to redesign their software without using kernel patching techniques.
However, because of the design of the Windows kernel, Kernel Patch Protection cannot completely prevent kernel patching.<ref name="skape"/><ref>{{Citation |last=dushane |title=PatchGuardBypass |date=2023-04-03 |url=https://github.com/AdamOron/PatchGuardBypass |access-date=2023-04-03}}</ref> This has led to criticism that since KPP is an imperfect defense, the problems caused to antivirus vendors outweigh the benefits because authors of [[malware|malicious software]] will simply find ways around its defenses.<ref name="Samenuk"/><ref name="Gewirtz"/> Nevertheless, Kernel Patch Protection can still prevent problems of system stability, reliability, and performance caused by legitimate software patching the kernel in unsupported ways.
==Technical overview==
Line 23 ⟶ 24:
|publisher=Uninformed
|date=September 2007
|
|archive-url=https://web.archive.org/web/20160303171005/http://uninformed.org/index.cgi?v=8&a=5&p=2
}}</ref> Device drivers are expected to not modify or ''patch'' core system structures within the kernel.<ref name="KPP FAQ"/> However in [[x86]] editions of Windows, Windows does not enforce this expectation. As a result, some x86 software, notably certain security and [[antivirus]] programs, were designed to perform needed tasks through loading drivers that modify core kernel structures.<ref name="Introduction"/><ref name="Fathi">{{cite web▼
|archive-date=3 March 2016
|url-status=dead
▲}}</ref> Device drivers are expected to not modify or ''patch'' core system structures within the kernel.<ref name="KPP FAQ"/> However, in [[x86]] editions of Windows, Windows does not enforce this expectation. As a result, some x86 software, notably certain security and [[antivirus software|antivirus]] programs, were designed to perform needed tasks through loading drivers that modify core kernel structures.<ref name="Introduction"/><ref name="Fathi">{{cite web
|url=https://www.theguardian.com/technology/2006/sep/28/viruses.security
|title=Antivirus vendors raise threats over Vista in Europe
|last=Schofield
|first=Jack
|
|date=28 September 2006
|
}} "This has never been supported and has never been endorsed by us. It introduces insecurity, instability, and performance issues, and every time we change something in the kernel, their product breaks." —Ben Fathi, corporate vice president of Microsoft's security technology unit</ref>
In [[x86-64|x64]] editions of Windows, Microsoft began to enforce restrictions on what structures drivers can and cannot modify. Kernel Patch Protection is the technology that enforces these restrictions. It works by periodically checking to make sure that protected system structures in the kernel have not been modified. If a modification is detected, then Windows will initiate a [[Fatal system error|bug check]] and shut down the system,<ref name="Introduction"/><ref name="Patching Policy">{{cite web
|url=http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx
|title=Patching Policy for x64-Based Systems
|publisher=[[Microsoft]]
|date=22 January 2007
|
}}</ref> with a [[Blue
Prohibited modifications include:<ref name="Patching Policy"/>
* Modifying [[System call|system service]] descriptor tables
* Modifying the [[interrupt descriptor table]]
* Modifying the [[Global Descriptor Table|global descriptor table]]
* Using kernel [[Stack (abstract data
* Modifying or patching code contained within the kernel itself,<ref name="Patching Policy"/> or the [[Hardware abstraction layer|HAL]] or [[Network Driver Interface Specification|NDIS]] kernel libraries<ref>{{cite web
|url=http://uninformed.org/index.cgi?v=3&a=3&p=7
Line 52 ⟶ 56:
|author=skape
|author2=Skywing
|date=December 2005
|
|archive-url=https://web.archive.org/web/20160817074740/http://uninformed.org/index.cgi?v=3&a=3&p=7
|archive-date=17 August 2016
|url-status=dead
}}</ref>
Line 64 ⟶ 71:
|publisher=Uninformed
|date=January 2007
|
|archive-url=https://web.archive.org/web/20160304025651/http://uninformed.org/index.cgi?v=6&a=1&p=25
|archive-date=4 March 2016
|url-status=dead
}}</ref>
Line 73 ⟶ 83:
|author=skape
|author2=Skywing
|date=December 2005
|
|archive-url=https://web.archive.org/web/20160817134554/http://uninformed.org/index.cgi?v=3&a=3&p=3
}}</ref> KPP does however present a significant obstacle to successful kernel patching. With highly [[obfuscated code]] and misleading symbol names, KPP employs [[security through obscurity]] to hinder attempts to bypass it.<ref name="Introduction"/><ref>{{cite web▼
|archive-date=17 August 2016
|url-status=dead
▲}}</ref> KPP does however present a significant obstacle to successful kernel patching. With highly [[obfuscation (software)|obfuscated code]] and misleading symbol names, KPP employs [[security through obscurity]] to hinder attempts to bypass it.<ref name="Introduction"/><ref>{{cite web
|url=http://uninformed.org/index.cgi?v=6&a=1&p=10
|title=Misleading Symbol Names
Line 83 ⟶ 96:
|publisher=Uninformed
|date=December 2006
|
|archive-url=https://web.archive.org/web/20160303171036/http://uninformed.org/index.cgi?v=6&a=1&p=10
|archive-date=3 March 2016
|url-status=dead
}}</ref> Periodic updates to KPP also make it a "moving target", as bypass techniques that may work for a while are likely to break with the next update. Since its creation in 2005, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.<ref name="Introduction"/><ref name="Microsoft Security Advisory (914784)">{{cite web
|url=http://www.microsoft.com/technet/security/advisory/914784.mspx
Line 91 ⟶ 107:
|publisher=Microsoft
|date=June 2006
|
}}</ref><ref name="Microsoft Security Advisory (932596)">{{cite web
|url=http://www.microsoft.com/technet/security/advisory/932596.mspx
Line 99 ⟶ 115:
|publisher=Microsoft
|date=August 2007
|
}}</ref>
Line 107 ⟶ 123:
|url=http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx
|title=An Introduction to Kernel Patch Protection
|
|last=Field
|first=Scott
Line 117 ⟶ 133:
|url=http://www.microsoft.com/security/windowsvista/allchin.mspx
|title=Microsoft executive clarifies recent market confusion about Windows Vista Security
|
|last=Allchin
|first=Jim
|
|date=20 October 2006
|publisher=[[Microsoft]]
Line 128 ⟶ 144:
Microsoft's Kernel Patch Protection FAQ further explains:
{{
==Criticisms==
===Third-party applications===
Some computer security software, such as [[McAfee]]'s [[McAfee VirusScan]] and [[
|url=http://uninformed.org/index.cgi?v=4&a=4&p=10
|author=Skywing
Line 140 ⟶ 156:
|publisher=Uninformed
|date=June 2006
|
}}</ref> This kind of antivirus software will not work on computers running x64 editions of Windows because of Kernel Patch Protection.<ref>{{cite news
|first=Elizabeth
|last=Montalbano
Line 148 ⟶ 164:
|publisher=[[PC World (magazine)|PC World]]
|date=6 October 2006
|
|archive-url=https://web.archive.org/web/20070405234445/http://www.pcworld.in/news/index.jsp/artId=4587538
|archive-date=5 April 2007
|url-status=dead
}}</ref> Because of this, McAfee called for Microsoft to either remove KPP from Windows entirely or make exceptions for software made by "trusted companies" such as themselves.<ref name="Samenuk">{{cite web
|url=http://news.softpedia.com/news/Microsoft-Increasing-Security-Risk-with-Vista-37014.shtml
Line 156 ⟶ 175:
|publisher=[[McAfee]]
|date=28 September 2006
|
}}</ref>
Line 162 ⟶ 181:
|url=http://www.symantec.com/enterprise/products/sysreq.jsp?pcid=1008&pvid=805_1
|title=Symantec AntiVirus Corporate Edition: System Requirements
|
|year=2006
|publisher=[[NortonLifeLock|Symantec]]
|archive-url=https://web.archive.org/web/20070515200615/http://www.symantec.com/enterprise/products/sysreq.jsp?pcid=1008&pvid=805_1
|archive-date=15 May 2007
|url-status=dead
}}</ref> and Norton 2010 range and beyond<ref>{{cite web
|url=http://us.norton.com/internet-security
|title=Symantec Internet Security product page
|
|year=2011
|publisher=[[NortonLifeLock|Symantec]]
}}</ref> worked on x64 editions of Windows despite KPP's restrictions, although with less ability to provide protection against zero-day malware.
Antivirus software made by competitors [[ESET]],<ref>{{Cite web|url=http://www.eset.com/products/64bit.php|title=High-performance threat protection for the next-generation of 64-bit computers
|url=https://imperia.trendmicro-europe.com/us/products/enterprise/officescan-client-server-edition/system-requirements/index.html
|title=Minimum System Requirements
|publisher=[[Trend Micro]] USA
|
|archive-date=8 February 2012
|archive-url=https://web.archive.org/web/20120208124040/https://imperia.trendmicro-europe.com/us/products/enterprise/officescan-client-server-edition/system-requirements/index.html
|url-status=dead
}}</ref> [[Grisoft]] AVG,<ref>{{cite web
|url=http://www.grisoft.com/doc/324/us/crp/3
|title=AVG Anti-Virus and Internet Security - Supported Platforms
|publisher=[[Grisoft]]
|
|
|
|url-status=dead
}}</ref> [[Avast Software|avast!]], [[Avira|Avira Anti-Vir]] and [[Sophos]] do not patch the kernel in default configurations, but may patch the kernel when features such as "advanced process protection" or "prevent unauthorized termination of processes" are enabled.<ref>{{cite news
Line 192 ⟶ 217:
|publisher = vnunet.com
|date = 23 October 2006
|
|url-status = dead
|
|
}}</ref>
Line 204 ⟶ 229:
|title=Researcher: PatchGuard hotfix stitches up benefit to Microsoft
|date=19 January 2007
|
|author=McMillan, Robert
|publisher=[[InfoWorld]]
}}</ref> Instead, Microsoft worked with third-party companies to create new [[API|Application Programming
|url = http://technet2.microsoft.com/WindowsVista/en/library/005f921e-f706-401e-abb5-eec42ea0a03e1033.mspx?mfr=true
|title = Notable Changes in Windows Vista Service Pack 1
|publisher = [[Microsoft]]
|year = 2008
|
|url-status = dead
|
|
}}</ref>
Line 222 ⟶ 247:
|last=Gewirtz
|first=David
|
|title=The great Windows Vista antivirus war
|url=http://zatz.com/outlookpower/article/the-great-windows-vista-antivirus-war/
|publisher=OutlookPower
|year=2006
|
|archive-url=https://web.archive.org/web/20130201170559/http://zatz.com/outlookpower/article/the-great-windows-vista-antivirus-war/
|archive-date=1 February 2013
|url-status=dead
}} "The system's already vulnerable. People have already hacked into PatchGuard. System is already vulnerable no matter what. PatchGuard has a chilling effect on innovation. The bad guys are always going to innovate. Microsoft should not tie the hands of the security industry so they can't innovate. We're concerned about out-innovating the bad guys out there." —Cris Paden, Manager on the Corporate Communication Team at Symantec</ref>
Line 235 ⟶ 263:
|author=skape
|author2=Skywing
|date=1 December 2005
|
|archive-url=https://web.archive.org/web/20170801092238/http://www.uninformed.org/?v=3&a=3
|archive-date=1 August 2017
|url-status=dead
}}</ref> Skywing went on to publish a second report in January 2007 on bypassing KPP version 2,<ref>{{cite web
|url=http://uninformed.org/index.cgi?v=6&a=1
Line 244 ⟶ 275:
|publisher=Uninformed
|date=December 2006
|
}}</ref> and a third report in September 2007 on KPP version 3.<ref>{{cite web
|url=http://uninformed.org/index.cgi?v=8&a=5
Line 251 ⟶ 282:
|publisher=Uninformed
|date=September 2007
|
}}</ref> Also, in October 2006 security company [[Authentium]] developed a working method to bypass KPP.<ref>{{cite news
|first=Matt
Line 259 ⟶ 290:
|publisher=[[eWEEK]]
|date=25 October 2006
|
}}</ref>
Line 269 ⟶ 300:
|publisher = OutlookPower
|year = 2006
|
|url-status = dead
|
|
}}</ref> In keeping with this statement, Microsoft has so far released two major updates to KPP, each designed to break known bypass techniques in previous versions.<ref name="Introduction"/><ref name="Microsoft Security Advisory (914784)"/><ref name="Microsoft Security Advisory (932596)"/>
Line 283 ⟶ 314:
|publisher=silicon.com
|date=25 October 2006
|
|archive-url=https://web.archive.org/web/20070202190644/http://software.silicon.com/os/0,39024651,39163525,00.htm
|archive-date=2 February 2007
|url-status=dead
}}</ref> However, Microsoft's own antivirus product, [[Windows Live OneCare]], had no special exception to KPP. Instead, Windows Live OneCare used (and had always used) methods other than patching the kernel to provide virus protection services.<ref>{{cite web
|url=https://blogs.technet.com/security/archive/2006/08/12/446104.aspx
|title=Windows Vista x64 Security – Pt 2 – Patchguard
|
|last=Jones
|first=Jeff
Line 293 ⟶ 327:
|date=12 August 2006
|work=Jeff Jones Security Blog
|archive-date=9 December 2008
|archive-url=https://web.archive.org/web/20081209034856/http://blogs.technet.com/security/archive/2006/08/12/446104.aspx
|url-status=dead
}}</ref> Still, for other reasons a x64 edition of Windows Live OneCare was not available until November 15, 2007.<ref>{{cite web
|url = http://windowsvistablog.com/blogs/windowsvista/archive/2007/11/14/upgrade-to-next-version-of-windows-live-onecare-announced-for-all-subscribers.aspx
Line 301 ⟶ 338:
|publisher = [[Microsoft]]
|date = 14 November 2007
|
|url-status = dead
|
|
}}</ref>
==References==
{{Reflist|2}}
==External links==
*{{usurped|1=[https://web.archive.org/web/20070217053224/http://www.windows-now.com/blogs/robert/archive/2006/08/12/PatchGuard-and-Symantecs-Complaints-About-Windows-Vista.aspx The Truth About PatchGuard: Why Symantec Keeps Complaining]}}
*[https://web.archive.org/web/20061124094344/http://blogs.msdn.com/windowsvistasecurity/archive/2006/08/11/695993.aspx An Introduction to Kernel Patch Protection]
*[https://web.archive.org/web/20070205155710/http://www.microsoft.com/security/windowsvista/allchin.mspx Microsoft executive clarifies recent market confusion about Windows Vista Security]
*[http://www.microsoft.com/whdc/driver/kernel/64bitpatch_FAQ.mspx Kernel Patch Protection: Frequently Asked Questions]
*[https://blogs.technet.com/security/archive/2006/08/12/446104.aspx Windows Vista x64 Security – Pt 2 – Patchguard] {{Webarchive|url=https://web.archive.org/web/20081209034856/http://blogs.technet.com/security/archive/2006/08/12/446104.aspx |date=2008-12-09 }}
'''Uninformed.org articles:'''
*[https://web.archive.org/web/20170801092238/http://www.uninformed.org/?v=3&a=3 Bypassing PatchGuard on Windows x64]
*[https://web.archive.org/web/20160602175644/http://www.uninformed.org/?v=6&a=1 Subverting PatchGuard Version 2]
*[https://web.archive.org/web/20160603002558/http://www.uninformed.org/?v=8&a=5 PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3]
'''Working bypass approaches'''
*[http://forum.cheatengine.org/viewtopic.php?t=573311 KPP Destroyer (including source code) - 2015]
*[http://www.codeproject.com/KB/vista-security/bypassing-patchguard.aspx A working driver to bypass PatchGuard 3 (including source code) - 2008]
*[https://web.archive.org/web/20180502231259/http://fyyre.ru/vault/bootloader.txt Bypassing PatchGuard with a hex editor - 2009]
'''Microsoft security advisories:'''
| |||