Outpost User Operated Support Forum
Agnitum Outpost Pro Release (OP, OSS, AV): 7.0.3.3392 [24-AUG-2010]
www.agnitum.com
Kernel mode hooks or user mode hooks – what’s best for the firewall
David Matousek, an independent security analyst, has released a new tool called FPR to test the ability of firewalls to protect against data theft techniques. The idea behind this tool is to undo changes in Windows made by firewalls before launching a leaktest.
While Outpost Firewall Pro version 4.0 (971.584.079) has passed all previously available leaktests, it was unable to defeat the hacking technique used in the FPR tool – but we still placed 5th of the 21 firewalls tested. Every instance like this is a reminder that we must constantly be on our guard against new and dangerous hacking techniques – what is developed in a lab one day may be in the wild the next day. So we have updated Outpost’s Anti-Leak module to block this new potential vulnerability before it can be used in any malware. This update is in beta now and will be available to all licensed Outpost Firewall Pro v4 users very soon.

In his test result analyses, Matousek claims that Agnitum uses user mode hooks instead of kernel mode hooks, and is therefore cheating. Since this claim is absolutely untrue, we felt it was important for us to explain what is going on here.

“User mode hooks” is a term referring to an interception technique used by security software against viruses, spyware, Trojans and other malware. User mode hooks cannot provide absolute 100% protection – there are ways to bypass them, as was done by the FPR tool against Outpost. “Kernel mode hooks” refers to another method of interception which creates a barrier at a lower system level. What Mr. Matousek omits to mention is that kernel mode hooks can also be bypassed, so this approach cannot provide 100% protection either. The relative merits of both approaches are discussed in more detail in a new Agnitum TechNote, available below.

So, what this means is that security software developers cannot rely solely on one technique to protect end users from malware. We don’t agree that the “kernel mode hooks” approach is better than the “user mode hooks” approach; it is our belief that a blend of the two techniques is the most effective way to deliver robust firewall protection. This is what we are doing in Outpost Firewall Pro, and this is why we believe our approach is more flexible and provides better real-world security for our customers. To learn more about Agnitum’s approach to User Mode and Kernel Mode security, read the attached TechNote.
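The following C program is an added illustration, not part of this post and not Agnitum's or Matousek's code. It is a constructed simulation of the point the statement makes: a user-mode hook lives in memory the monitored process can write, so the process can put the original entry back, and a check kept outside the process (the "kernel mode" layer here) is what notices that and keeps enforcing policy. The API table, the hook, the port-80 policy and the reference copy are all invented for the example; no Windows API is touched.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed simulation: proc_table stands in for the user-mode API table a
 * firewall patches inside the process; expected_connect stands in for state
 * held below the process, which the process cannot write. */

typedef int (*net_fn)(const char *host, int port);

/* Original "network API" the application would call (hypothetical). */
static int raw_connect(const char *host, int port) {
    (void)host; (void)port;
    return 1;                      /* connection allowed, nothing inspected */
}

/* The firewall's user-mode hook: inspects the call and, by the example's
 * policy, blocks port 80 while passing everything else through. */
static int hooked_connect(const char *host, int port) {
    return port == 80 ? 0 : raw_connect(host, port);
}

/* Process-owned table: writable by any code running in that process. */
struct api_table { net_fn connect_fn; };
static struct api_table proc_table = { raw_connect };

/* Reference kept by the lower layer: where the hook is expected to point. */
static net_fn expected_connect = NULL;

/* Lower-layer integrity check: 1 if the table no longer matches what the
 * firewall installed, 0 if intact (or no hook installed yet). */
int hook_tampered(void) {
    return expected_connect != NULL && proc_table.connect_fn != expected_connect;
}

/* Firewall installs its user-mode hook and records the reference. Returns
 * the tamper status right after installation (expected 0). */
int install_user_hook(void) {
    proc_table.connect_fn = hooked_connect;
    expected_connect = hooked_connect;
    return hook_tampered();
}

/* What "undoing the firewall's changes" amounts to in this model: the entry
 * is written back to its original value inside the process's own memory.
 * Returns the tamper status afterwards (expected 1). */
int restore_original_entry(void) {
    proc_table.connect_fn = raw_connect;
    return hook_tampered();
}

/* The second layer: every request passes a check the process cannot undo.
 * A process whose user-mode hook has been removed is denied outright. */
int gated_connect(const char *host, int port) {
    if (hook_tampered())
        return 0;                  /* defence in depth: hook gone, block */
    return proc_table.connect_fn(host, port);
}

int main(void) {
    printf("installed, tampered=%d\n", install_user_hook());
    printf("port 80  -> %d (policy blocks)\n", gated_connect("example.invalid", 80));
    printf("port 443 -> %d (policy allows)\n", gated_connect("example.invalid", 443));
    printf("restored, tampered=%d\n", restore_original_entry());
    printf("port 443 -> %d (lower layer blocks)\n", gated_connect("example.invalid", 443));
    return 0;
}
```

With only the user-mode hook, restoring the table entry would silently turn `gated_connect` back into `raw_connect`; the out-of-process reference is what lets the lower layer refuse the call, which is the "blend of the two techniques" the statement argues for.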