Security ramifications of Windows Kernel Patch Protection

Denis Nazarov Kaspersky Lab
Alexey Monastyrsky Kaspersky Lab

All security vendors are constantly trying to improve their malware detection capabilities. Since the beginning of their battle against malware, protection technology has evolved from simple static signatures to dynamic behaviour-based detection, heuristics and reputation, while operating systems served as the battlefield.

In this presentation we will compare the infection rate on 32-bit and 64-bit versions of Windows OS according to current detection statistics, review the pluses and minuses of Microsoft Kernel Patch Protection (KPP) technology and its role in protecting customers' computers against malware. We will demonstrate a number of real-life examples where highly polymorphic user-mode malware can be easily detected using behaviour analysis techniques. We will show that KPP effectively prevents the implementation of these techniques on Windows x64, lowering the bar for malware authors willing to move to 64 bits together with the users. We will also demonstrate how easily a Windows x86 rootkit can be adapted to 64 bits without loss of functionality despite the limitations established by KPP.

In anticipation of the upcoming release of Windows 8 we will analyse how new features of KPP introduced in this release will affect anti-malware protection capabilities of security products.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.