Matthew Conover of Symantec has examined a preliminary version and described how the new security mechanisms intended to protect Windows from threats such as rootkits actually work in the kernel. Among other measures, the kernel performs continuous integrity checks and can be configured to load only signed drivers. On 64-bit systems, PatchGuard additionally protects the kernel's data structures. User-mode applications are also denied direct access to physical memory. On TPM-equipped hardware, a secure boot can optionally be performed as well.
Conover examined each of these functions individually and looked for weaknesses. Among other findings, he describes a way to disable the certificate checking by patching system files. Conover also criticises that the new kernel functions will make integrating third-party security products more difficult.
- Assessment of Vista Kernel Mode Security by Matthew Conover, Symantec