How about hook and native API ?

Don,

You are a very accomplished system software architect, and I don’t
discount your opinion. But don’t you think that there is an element of
“Marketing”? Who is going to throw the dirty laundry out in the public?

When I was in that business (firewall, antivirus), I used to have a
static IP from my local ISP, and my systems were crashing like anything
if I did not have a firewall. Nowadays, the router does have a bit of it -
we sold / licensed to Linksys (way before Cisco bought it)… So I’ve
been through this, I knew what we were doing, and when it comes to the win16
family (win95, Me etc), it was way too important… I don’t remember
the year, but I think it is 2000 or 2001 when I was visiting India,
people all over were using ZoneAlarm (the free version)… And you
know, being a strong believer in Math and a person who backed out after
finishing 2/3 of a PhD thesis, I did want to see what is the truth behind
it… All said, the systems go down without it quite frequently.

So I guess I have to trust my experience and what I saw !!!

Also I had discussions with some very qualified and experienced
architects - we all agreed that even if some security is in the
hardware, breaking it would not be that difficult if a bunch of people get
their hands on it and do signal processing analysis…

But sure, I don’t like hooking. It’s a pain to resolve compatibility
issues, those bugs that show up in a leap year or such.

-pro

Don Burn wrote:

Pro,

If that was only the case, too many of the security folks I have met
said it was easy (in fact mention starting with the regmon sources and
looking blank when someone asks did you pay sysinternals?), so why not do it
versus a file system filter? The other claim is that it gives them more
security than other schemes that work.

Yes there are times that it is needed, but I have seen too many
products that did it because the developers didn’t give a damn, and some of
them are well known firms.

> If that was only the case, too many of the security folks I have met
> said it was easy (in fact mention starting with the regmon sources and
> looking blank when someone asks did you pay sysinternals?), so why not do it
> versus a file system filter?

Hooking can lead to having 1 BSOD a day from the support line, with these bugs being absolutely unfixable.

The bosses will tell the development to fix the bug. The development will spend time and ensure this is unfixable and the answer is “I do not know”.

This is because the bug is:

a) not reproducible at all except by deploying a complex testing environment and running some stress tests for a week
b) even when reproducible, the picture is absolutely random like “some crash deep inside ntfs.sys which referenced the invalid SCB”.
c) the bug is an interop, occurs only in presence of the other software (but rather common one). BTW - I would say that 90% of in-the-field support issues are interops.

So, after losing, say, a month of futile bugfixing attempts, the development will say to the bosses “we do not know”.

This is sometimes OK if the case is rare anyway and does not lead to large losses of customers (after all - maybe the machine in question is misinstalled, polluted by installation/removal of some other dirty software? not all servers in the world are perfectly maintained). But if this is an urgent case and the product already has a reputation of being unstable and prone to crash the OS - then this is worse and can mean losses to the whole company.

Also note that such bugfixing efforts cost lots of time subtracted from the development of new features, i.e. they make the project timeline unpredictable by random delays due to bugfixing efforts, sometimes futile ones.

Most PMs do hate such things.

For instance, the whole idea of unit testing and TDD is a methodology targeted to avoid this particular problem (more controllable code quality at any possible time moment). But with a hooking product, unit testing/TDD will not help. I would even say that using TDD on a hooking security product is a futile waste of time.

With a hooking product, the company is immediately relying on a group (or even a single) “egghead”, and the quality of the product is nearly 100% determined by the guy’s ability to research and fix the bugs, including the interop ones. This is what any top manager/entrepreneur/PM should understand about such security software.

> The other claim is that it gives them more security than other schemes that work.

Yes. At the expense of reducing the system stability a lot.

For most cases, an extra bit of security protection is less important than stability. That’s why I personally would never use Kaspersky’s resident monitoring antivirus (only the scanners).


Maxim S. Shatskih
Windows DDK MVP
xxxxx@storagecraft.com
http://www.storagecraft.com