
But why does a signature database update have to mess with the kernel in any kind of way? Shouldn't such a database stay in the user land?



The scanner is a Ring 0[0] program. Windows only has 2 options, 0 and 3. 3 won't work for any kind of security scanner, so they're forced to use 0.

The proper place would be Ring 1, which doesn't exist on Windows.

And being a kernel-level operation, it has the capability to crash the whole system before the actual OS has any chance to intervene.

[0] https://en.wikipedia.org/wiki/Protection_ring


Why is that so?


All modern OSes only use ring 0 and 3. Intel is considering removing rings 1 and 2 in a future revision for that reason: https://www.intel.com/content/www/us/en/developer/articles/t...


Historical reasons. Windows NT was designed to support architectures with only two privilege rings.


That's a question for Microsoft OS architects.


Because the kernel needs to parse the data in some way, and that parser apparently was broken enough. Whether it could be done in a more resilient manner, I don't know; you need to remember that antivirus works in a hostile environment and can't necessarily trust userspace, so probably they need to verify signatures and parse the payload in kernel space.
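The comment above is the core of the "why can a content update crash the kernel" question: whatever parses the update runs at Ring 0, so a parser that trusts the file's own length fields can read out of bounds and take the machine down. The block below is an added illustration, not code from any commenter or from any real vendor's driver, of the "more resilient manner" the comment wonders about. It assumes a constructed toy update format (a magic tag, a record count, then length-prefixed records) and shows a validator that checks every read against the buffer size and a loader that keeps the previously active database whenever validation fails, so a malformed update is rejected instead of dereferenced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "content update" format (an assumption for this example,
 * not any real product's format):
 *   4 bytes   magic "SIG1"
 *   2 bytes   record count, little-endian
 *   records:  2-byte little-endian length followed by that many payload bytes
 */
#define SIG_MAGIC          "SIG1"
#define SIG_MAX_RECORDS    1024
#define SIG_MAX_RECORD_LEN 4096

enum sig_status {
    SIG_OK             =  0,
    SIG_ERR_TRUNCATED  = -1,   /* a length field points past the buffer */
    SIG_ERR_BAD_MAGIC  = -2,
    SIG_ERR_TOO_MANY   = -3,
    SIG_ERR_RECORD_LEN = -4,
    SIG_ERR_TRAILING   = -5    /* bytes left over after the last record */
};

static uint16_t rd_le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate an update blob before anything acts on it. Every read is checked
 * against `len`, so a malformed file yields an error code rather than an
 * out-of-bounds access. On success stores the record count in *records_out. */
int sig_validate(const uint8_t *buf, size_t len, size_t *records_out)
{
    if (len < 6) return SIG_ERR_TRUNCATED;
    if (memcmp(buf, SIG_MAGIC, 4) != 0) return SIG_ERR_BAD_MAGIC;
    uint16_t count = rd_le16(buf + 4);
    if (count > SIG_MAX_RECORDS) return SIG_ERR_TOO_MANY;

    size_t off = 6;
    for (uint16_t i = 0; i < count; i++) {
        if (len - off < 2) return SIG_ERR_TRUNCATED;          /* need a length field */
        uint16_t rlen = rd_le16(buf + off);
        off += 2;
        if (rlen == 0 || rlen > SIG_MAX_RECORD_LEN) return SIG_ERR_RECORD_LEN;
        if (len - off < rlen) return SIG_ERR_TRUNCATED;       /* payload must fit */
        off += rlen;
    }
    if (off != len) return SIG_ERR_TRAILING;
    if (records_out) *records_out = count;
    return SIG_OK;
}

/* Loader policy: validate first; on any error the previously loaded database
 * stays active, so a bad update degrades detection but never the machine. */
typedef struct { const uint8_t *data; size_t len; size_t records; } sig_db;

int sig_apply_update(sig_db *active, const uint8_t *buf, size_t len)
{
    size_t n = 0;
    int rc = sig_validate(buf, len, &n);
    if (rc != SIG_OK) return rc;                /* keep the old database */
    active->data = buf; active->len = len; active->records = n;
    return SIG_OK;
}

/* Constructed sample inputs: a well-formed update and one whose second
 * record claims 0x1000 payload bytes that are not present. */
static const uint8_t good_blob[] = { 'S','I','G','1', 0x02,0x00,
                                     0x03,0x00, 'a','b','c',
                                     0x01,0x00, 'z' };
static const uint8_t bad_blob[]  = { 'S','I','G','1', 0x02,0x00,
                                     0x03,0x00, 'a','b','c',
                                     0x00,0x10, 'z' };

/* Wrappers that return the outcome of the two samples as plain integers. */
int check_good_blob(void)
{
    size_t n = 0;
    return sig_validate(good_blob, sizeof good_blob, &n) == SIG_OK ? (int)n : -1;
}
int check_bad_blob(void) { return sig_validate(bad_blob, sizeof bad_blob, NULL); }

/* Apply the bad update, then the good one; returns the active record count. */
int apply_bad_then_good(void)
{
    sig_db db = {0};
    if (sig_apply_update(&db, bad_blob, sizeof bad_blob) == SIG_OK) return -1;
    if (db.records != 0) return -2;              /* old (empty) db must survive */
    if (sig_apply_update(&db, good_blob, sizeof good_blob) != SIG_OK) return -3;
    return (int)db.records;
}

int main(void)
{
    printf("good blob: %d records\n", check_good_blob());
    printf("bad blob:  status %d (expected %d)\n", check_bad_blob(), SIG_ERR_TRUNCATED);
    printf("after bad then good: %d records active\n", apply_bad_then_good());
    return 0;
}
```

The design point is the ordering: validation completes over the whole blob before a single byte is interpreted, and the only state change on failure is an error code. Whether that validation step runs in the kernel or in a user-mode helper that hands over an already-checked buffer is the choice the comment leaves open; the bounds checks are needed either way.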



