UPDATE:  It turns out that the Global Director of SophosLabs is Mark Harris, an old colleague from our days at McAfee.  I've asked Mark if I could interview him on the blog here to get some details about their HIPS solution, so stay tuned!

Sophos issued a press release today that I want to highlight for you.  Here's the bit I have the most admiration for:

"Symantec and McAfee may be struggling with HIPS because they haven't coded their solutions with high-spec Vista in mind," said Richard Jacobs, CTO of Sophos. "We've taken a different approach, by focusing on catching bad behaviour before it has a chance to occur. Additionally, we are building our technology by making use of supported Microsoft interfaces rather than by trying to subvert them. That's why we're ready for 64-bit Vista, and others aren't."

Sophos argues that its approach to HIPS technology has met with no problems on both the low-spec and high-spec versions of Windows Vista.  At first, I thought this was just clever marketing by Sophos, positioning their traditional antivirus and heuristics as a host intrustion prevention system.  However, I followed their HIPS link and it is a bit more than that - maybe a lot more than that.

They describe their technique as examining the executable code before it loads.  I think the basic theory goes like this:

  • traditional HIPS/behavior blocking products would hook the kernel and intercept system calls and stop bad behavior
  • Sophos instead just looks at the code to determine if those same calls are in the code, and if so, makes a similar determination based upon the code without hooking the system

I'm sure this is an oversimple explanation for a complex implementation, and I am sure it has pros and cons, but it seems like it could work and has the advantage of working on unloaded code.

Here is a screenshot of Sophos on Windows Vista as well:

Sophos Anti-Virus, including its HIPS functionality, has been designed for 64-bit Windows Vista


Basically, this is what I've been saying.  In spite of rhetoric to the contrary, there will be 3rd-party security products that provide additional security capabilities on both Windows Vista 32-bit and 64-bit systems.  Sophos offers one and here are some others on the Windows Vista Antivirus Partner page.