No 64-bit Windows Vista Security from <YourVendor>? Give Sophos a Try

UPDATE:  It turns out that the Global Director of SophosLabs is Mark Harris, an old colleague from our days at McAfee.  I’ve asked Mark if I could interview him on the blog here to get some details about their HIPS solution, so stay tuned!

Sophos issued a press release today that I want to highlight for you.  Here’s the bit I have the most admiration for:

“Symantec and McAfee may be struggling with HIPS because they haven’t coded their solutions with high-spec Vista in mind,” said Richard Jacobs, CTO of Sophos. “We’ve taken a different approach, by focusing on catching bad behaviour before it has a chance to occur. Additionally, we are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert them. That’s why we’re ready for 64-bit Vista, and others aren’t.”

Sophos argues that its approach to HIPS technology has met with no problems on both the low-spec and high-spec versions of Windows Vista. At first, I thought this was just clever marketing by Sophos, positioning their traditional antivirus and heuristics as a host intrusion prevention system. However, I followed their HIPS link and it is a bit more than that – maybe a lot more than that.

They describe their technique as examining the executable code before it loads.  I think the basic theory goes like this:

  • traditional HIPS/behavior-blocking products hook the kernel, intercept system calls at runtime, and stop the bad behavior as it happens
  • Sophos instead inspects the code itself to determine whether those same calls are present and, if so, makes a similar determination from the code, without hooking the system

I’m sure this is an oversimplified explanation of a complex implementation, and I am sure it has pros and cons, but it seems like it could work and has the advantage of working on unloaded code.
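To make the “look at the code before it loads” idea concrete, here is an added example of my own (not Sophos code; their internals are not described in the release): it reads a PE file’s import table straight off disk, mapping and executing nothing, and returns a verdict when the whole remote-process-injection API set is imported. The rule set, the `build_sample_pe` helper that constructs a minimal test image, and all function names are my assumptions for illustration.

```python
import struct

SUSPICIOUS = {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}  # constructed rule

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def imported_functions(data):
    """Walk the import directory of an on-disk PE image; nothing is mapped or executed."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0": raise ValueError("not a PE image")
    opt, (_, nsec, _, _, _, opt_size, _) = pe + 24, struct.unpack_from("<HHIIIHH", data, pe + 4)
    tfmt, dd = ("<Q", 112) if struct.unpack_from("<H", data, opt)[0] == 0x20B else ("<I", 96)  # PE32+ / PE32
    secs = [struct.unpack_from("<III", data, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    def off(rva):  # RVA -> file offset via (VirtualAddress, SizeOfRawData, PointerToRawData)
        for va, size, raw in secs:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError(f"RVA {rva:#x} is not backed by any section")
    imports, desc, width = {}, off(struct.unpack_from("<I", data, opt + dd + 8)[0]), struct.calcsize(tfmt)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)      # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0: break                                                 # all-zero descriptor ends the list
        thunk, funcs = off(oft or ft), []
        while (entry := struct.unpack_from(tfmt, data, thunk)[0]) != 0:         # 0 ends table; high bit = ordinal, else RVA of hint+name
            funcs.append(f"#{entry & 0xFFFF}" if entry >> (8 * width - 1) else _cstr(data, off(entry) + 2))
            thunk += width
        imports[_cstr(data, off(name_rva))] = funcs
        desc += 20
    return imports

def flags_injection_api_set(data):  # pre-execution verdict from the import set alone
    return SUSPICIOUS <= {f for funcs in imported_functions(data).values() for f in funcs}

def build_sample_pe(dll, funcs):
    """Constructed test input: a minimal, non-executable PE32 image with one import descriptor."""
    base, sec = 0x1000, bytearray()
    def put(b): sec.extend(b); return base + len(sec) - len(b)                  # append, return its RVA
    desc, ilt, name = put(bytes(40)), put(bytes(4 * len(funcs) + 4)), put(dll.encode() + b"\0")
    for i, f in enumerate(funcs):
        put(b"\0" * (len(sec) % 2))                                               # 2-byte align hint/name
        struct.pack_into("<I", sec, ilt - base + 4 * i, put(b"\0\0" + f.encode() + b"\0"))
    struct.pack_into("<IIIII", sec, desc - base, ilt, 0, 0, name, ilt)            # OFT, stamp, chain, Name, FT
    hdr = bytearray(b"MZ" + bytes(0x3E) + b"PE\0\0" + bytes(0x1BC))               # DOS stub + signature, 0x200 total
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                       # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)          # COFF: i386, one section
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                      # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 104, base, 40)                            # import data directory (index 1)
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".idata", len(sec), base, len(sec), 0x200)
    return bytes(hdr) + bytes(sec)
```

Import-table inspection is only the simplest form of pre-execution analysis: a packer, or names resolved at runtime through GetProcAddress, keeps these strings out of the table, which is why a production engine has to examine the code paths as well. That is one of the trade-offs the “pros and cons” above hints at.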

Here is a screenshot of Sophos on Windows Vista as well (image not reproduced; its caption follows):

Sophos Anti-Virus, including its HIPS functionality, has been designed for 64-bit Windows Vista

Basically, this is what I’ve been saying. In spite of rhetoric to the contrary, there will be third-party security products that provide additional security capabilities on both Windows Vista 32-bit and 64-bit systems. Sophos offers one, and others are listed on the Windows Vista Antivirus Partner page.

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends