UPDATE: It turns out that the Global Director of SophosLabs is Mark Harris, an old colleague from our days at McAfee. I’ve asked Mark if I could interview him on the blog here to get some details about their HIPS solution, so stay tuned!
Sophos issued a press release today that I want to highlight for you. Here’s the bit I have the most admiration for:
“Symantec and McAfee may be struggling with HIPS because they haven’t coded their solutions with high-spec Vista in mind,” said Richard Jacobs, CTO of Sophos. “We’ve taken a different approach, by focusing on catching bad behaviour before it has a chance to occur. Additionally, we are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert them. That’s why we’re ready for 64-bit Vista, and others aren’t.”
Sophos argues that its approach to HIPS technology has met with no problems on both the low-spec and high-spec versions of Windows Vista. At first, I thought this was just clever marketing by Sophos, positioning their traditional antivirus and heuristics as a host intrusion prevention system. However, I followed their HIPS link and it is a bit more than that – maybe a lot more than that.
They describe their technique as examining the executable code before it loads. I think the basic theory goes like this:
- traditional HIPS/behavior blocking products would hook the kernel and intercept system calls and stop bad behavior
- Sophos instead looks at the code itself to determine whether those same calls are present, and if so makes a similar determination from the code without hooking the system
I’m sure this is an oversimplified explanation of a complex implementation, and I am sure it has pros and cons, but it seems like it could work, and it has the advantage of working on code that has not yet loaded.
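To make the pre-load idea concrete, here is an added example (my own illustration, not Sophos code) that reads a PE32 file’s import directory without loading the binary and then matches the API combinations it finds against simple behaviour rules; the `build_pe` helper, the `RULES` table and the API sets are my own constructed sample, and the second rule shows the obvious con: a binary that resolves its APIs at runtime gives the static view little to go on.

```python
import struct
BASE = 0x200  # the constructed sample's only section sits at RVA == file offset 0x200

def build_pe(imports):
    """Constructed sample: a minimal, non-runnable PE32 whose import directory lists `imports` ({dll: [api, ...]})."""
    descs, thunks, strs = bytearray(), bytearray(), bytearray()
    thunk_off = BASE + (len(imports) + 1) * 20                    # thunk tables follow the descriptors
    str_off = thunk_off + sum((len(n) + 1) * 8 for n in imports.values())
    for dll, names in imports.items():
        table = bytearray()
        for name in names:                                        # IMAGE_IMPORT_BY_NAME: hint + name
            table += struct.pack("<I", str_off + len(strs))
            strs += struct.pack("<H", 0) + name.encode() + b"\0"
        table += bytes(4)                                         # NULL thunk terminates the table
        descs += struct.pack("<5I", thunk_off + len(thunks), 0, 0, str_off + len(strs), thunk_off + len(thunks) + len(table))
        thunks += table + table                                   # lookup table, then an identical IAT
        strs += dll.encode() + b"\0"
    section = descs + bytes(20) + thunks + strs
    opt = struct.pack("<H", 0x10B) + bytes(102) + struct.pack("<II", BASE, len(descs) + 20) + bytes(112)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec = b".idata\0\0" + struct.pack("<4I", len(section), BASE, len(section), BASE) + bytes(16)
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return bytes(hdr.ljust(BASE, b"\0") + section)

def pe_imports(data):
    """Static view of a PE32 image's import directory, as {dll: [api, ...]}, without loading it."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                  # e_lfanew -> "PE\0\0"
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]        # DataDirectory[1] (PE32 layout)
    secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                                 # RVA -> file offset via the section table
        return next(rva - va + raw for vsize, va, rsize, raw in secs if va <= rva < va + max(vsize, rsize))
    def cstr(o): return data[o:data.index(b"\0", o)].decode("ascii")
    result, desc = {}, off(imp_rva)
    while any(d := struct.unpack_from("<5I", data, desc)):        # an all-zero descriptor ends the list
        names, thunk = [], off(d[0] or d[4])                      # lookup table, else the IAT
        while t := struct.unpack_from("<I", data, thunk)[0]:
            names.append(f"#{t & 0xFFFF}" if t & 0x80000000 else cstr(off(t) + 2))
            thunk += 4
        result[cstr(off(d[3]))] = names
        desc += 20
    return result

# Behaviour rules over the static import list, in the spirit of the pre-load check described above: an API combination, not a single call, is the signal.
RULES = {"process injection": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"},
         "runtime API resolution": {"LoadLibraryA", "GetProcAddress"}}  # imports alone cannot say what gets called

def behaviours(data):
    seen = {api for apis in pe_imports(data).values() for api in apis}
    return sorted(tag for tag, need in RULES.items() if need <= seen)
```

Run against a real 32-bit executable, `pe_imports` gives the same static inventory a pre-load check would start from; a packer that resolves everything through `GetProcAddress` leaves only the second rule to fire, which is the gap a kernel-level hook would not have.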
Here is a screenshot of Sophos on Windows Vista as well:
Basically, this is what I’ve been saying. In spite of rhetoric to the contrary, there will be third-party security products that provide additional security capabilities on both Windows Vista 32-bit and 64-bit systems. Sophos offers one, and here are some others on the Windows Vista Antivirus Partner page.