Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


The Solution

KAV's anti-virus software relies upon many unsafe kernel-mode hacks that put system stability in jeopardy. Removing unsafe kernel-mode hacks like patching non-exported kernel functions or hooking various system services without parameter validation is the first step towards fixing the problem.

Many of the operations where KAV uses hooking or other unsafe means can also be accomplished using documented and safe APIs and conventions that are well-described in the Windows Device Driver Kit (DDK) and Installable File System Kit (IFS Kit). It would behoove the KAV programmers to take the time to read and understand the documented way of doing things in the Windows kernel instead of taking a quite literally hack-and-slash approach that leaves the system at risk of crashes and potentially even privilege escalation.
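The parameter-validation point above, as an added example that is not part of the original article and is not Kaspersky's code: a user-mode C model of the two ways a system service hook can treat a caller-supplied UNICODE_STRING. Everything prefixed with model_ or MODEL_ is an assumption made for illustration: MODEL_USER_PROBE_ADDRESS stands in for MmUserProbeAddress under the default 32-bit split, model_probe_for_read stands in for ProbeForRead, and model_capture plus the single constructed page stand in for the kernel reading caller memory. In a real driver the probe runs inside __try/__except and a failed probe raises STATUS_ACCESS_VIOLATION rather than returning a code; the checks themselves (probe only for user-mode callers, probe and capture the structure once, then probe the buffer using the captured length and WCHAR alignment) are the documented ones.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: default 32-bit x86 split, user addresses below 0x80000000.
 * Stand-in for MmUserProbeAddress. */
#define MODEL_USER_PROBE_ADDRESS 0x80000000ULL

/* Mirrors the KPROCESSOR_MODE values (KernelMode = 0, UserMode = 1). */
typedef enum { ModelKernelMode = 0, ModelUserMode = 1 } model_mode;

/* UNICODE_STRING shape; Buffer is an integer so the model can reason about
 * addresses it never maps. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    uint64_t Buffer;
} model_unicode_string;

typedef enum {
    VERDICT_OK = 0,
    VERDICT_REJECT_ADDRESS,   /* range not entirely in user space, or too long */
    VERDICT_REJECT_ALIGNMENT, /* base pointer not aligned as required */
    VERDICT_REJECT_UNMAPPED   /* nothing at that address in the constructed page */
} verdict;

/* Stand-in for ProbeForRead(Address, Length, Alignment). Zero length always
 * passes; otherwise the base must be aligned and the whole range must stay
 * below the probe address. The subtraction form cannot overflow the way a
 * naive "Address + Length > limit" test does for a huge Length. */
static verdict model_probe_for_read(uint64_t address, uint64_t length, uint64_t alignment)
{
    if (length == 0) return VERDICT_OK;
    if (alignment > 1 && address % alignment != 0) return VERDICT_REJECT_ALIGNMENT;
    if (address >= MODEL_USER_PROBE_ADDRESS) return VERDICT_REJECT_ADDRESS;
    if (length > MODEL_USER_PROBE_ADDRESS - address) return VERDICT_REJECT_ADDRESS;
    return VERDICT_OK;
}

/* One constructed user-mode page, so the hook has somewhere to capture from. */
#define MODEL_USER_BASE 0x00400000ULL
static uint8_t model_user_page[0x1000];

static verdict model_capture(uint64_t address, void *dst, size_t len)
{
    if (address < MODEL_USER_BASE || len > sizeof model_user_page ||
        address - MODEL_USER_BASE > sizeof model_user_page - len)
        return VERDICT_REJECT_UNMAPPED;
    memcpy(dst, model_user_page + (address - MODEL_USER_BASE), len);
    return VERDICT_OK;
}

/* Test helper: write a constructed UNICODE_STRING into the page, return its address. */
uint64_t model_place_string(uint64_t at, uint16_t length, uint64_t buffer)
{
    model_unicode_string s = { length, length, buffer };
    if (at < MODEL_USER_BASE || at - MODEL_USER_BASE > sizeof model_user_page - sizeof s)
        return 0;
    memcpy(model_user_page + (at - MODEL_USER_BASE), &s, sizeof s);
    return at;
}

/* The pattern the text criticises: copy the structure and trust Buffer and
 * Length verbatim, so a user-mode caller can aim the hook at kernel memory. */
verdict unsafe_hook(model_mode previous_mode, uint64_t ustr, uint64_t *reads_from, uint64_t *reads_len)
{
    model_unicode_string s;
    verdict v = model_capture(ustr, &s, sizeof s); /* real kernel: bugcheck if unmapped */
    (void)previous_mode;
    if (v != VERDICT_OK) return v;
    *reads_from = s.Buffer; /* unchecked: may be a kernel address */
    *reads_len = s.Length;
    return VERDICT_OK;
}

/* The documented pattern: probe only when the caller was user mode (kernel
 * callers legitimately pass kernel pointers), probe the structure, capture it
 * once, then probe the buffer using the captured Length and WCHAR alignment.
 * Later accesses use the captured copy, not memory the caller can still change. */
verdict validated_hook(model_mode previous_mode, uint64_t ustr, uint64_t *reads_from, uint64_t *reads_len)
{
    model_unicode_string s;
    verdict v;
    if (previous_mode != ModelKernelMode &&
        (v = model_probe_for_read(ustr, sizeof s, sizeof(uint32_t))) != VERDICT_OK)
        return v;
    if ((v = model_capture(ustr, &s, sizeof s)) != VERDICT_OK) return v;
    if (previous_mode != ModelKernelMode &&
        (v = model_probe_for_read(s.Buffer, s.Length, sizeof(uint16_t))) != VERDICT_OK)
        return v;
    *reads_from = s.Buffer;
    *reads_len = s.Length;
    return VERDICT_OK;
}

int main(void)
{
    uint64_t from = 0, len = 0;
    uint64_t bad = model_place_string(0x00400200ULL, 0x20, 0x80001000ULL); /* kernel Buffer */
    verdict u = unsafe_hook(ModelUserMode, bad, &from, &len);
    printf("unsafe: %d, would read from %#llx\n", (int)u, (unsigned long long)from);
    printf("validated: %d\n", (int)validated_hook(ModelUserMode, bad, &from, &len));
    return 0;
}
```

Two details carry most of the weight. The hook captures the structure before probing the buffer and never re-reads caller memory afterwards, which closes the double-fetch race where a second thread swaps Length or Buffer between the check and the use. And the range check is written as a subtraction from the probe address, so a Length chosen to wrap a naive addition past the user/kernel boundary is still rejected.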

Many of the unsafe practices relied upon by KAV are blocked by PatchGuard on x64 and will make it significantly harder to release a 64-bit version of KAV's anti-virus software (which will become increasingly important as computers are sold with x64 support and run x64 Windows by default). Because 32-bit kernel drivers cannot be loaded on 64-bit Windows, KAV will need to port their driver to x64 and deal with PatchGuard. Additionally, assumptions that end-user computers will be uniprocessor are fast becoming obsolete, as most new systems sold today support Hyper-Threading or multiple cores.