Today's computer systems commonly employ operating systems that allow a process (software module) to run in either a user-mode or a kernel-mode. Generally speaking, an operating system will not allow a process to perform certain actions when it is in the user-mode; for example, it may prevent access to a particular block of memory or prevent an attempt to modify certain data. However, when the process is in the kernel-mode, the operating system generally does not place any restrictions on the actions performed by the process; for instance, the process can access a block of memory that it could not access in the user-mode.
Because a process operating in the kernel-mode on a computer system generally has no restrictions placed on its actions, it is important that such a process be closely scrutinized to ensure that the integrity of the computer system is not compromised. There are numerous software packages on the market that scrutinize processes in the kernel-mode by analyzing their actions. However, these software packages have been designed to operate in the kernel-mode themselves when analyzing those actions. Unfortunately, this not only makes the software packages relatively complex, but also has the potential to give rise to significant compatibility problems with other security software and, in some cases, with standard software applications.
For example, traditional antivirus and other computer security programs/systems that are based on standard specifications of the operating system, such as the standard File System Filtering model (based on the Installable File System I/O), have inherently limited abilities to monitor and control activities of the underlying operating system. As a result, traditional security software systems have a very limited and crude view of the operating system, and they are not capable of seeing a majority of the extremely important activities that happen inside the operating system at runtime. This lack of visibility causes traditional security software systems to miss a significant portion of those important activities. Furthermore, such traditional security software systems are limited in how many and what type of security measures they are capable of deploying. This is because the standard mechanisms of the underlying operating system (e.g., the standard File System Filtering model) provide only a limited number of predefined control points at predefined locations for security software to intercept, filter, monitor, and handle in order to deploy and enforce security measures.
Another drawback of standard operating system specifications such as the standard File System Filtering model is that the standard specifications are a contributing factor to the numerous interoperability, incompatibility, performance degradation, and system instability problems to which traditional security software products have been widely susceptible. These problems are especially evident when different security products from different security vendors are installed and running on the same computer at the same time. They arise because kernel-mode software from one security vendor must contend with kernel-mode software from other security vendors for the same limited number of predefined control points at predefined locations within the underlying operating system.
Another drawback is that traditional antivirus and other computer security software have inherently limited abilities to enforce any deployed security measures. This is because the locations and the communication protocols of the control points mentioned above are specified by standards of the underlying operating system. Technical details about the underlying operating system are well known and well documented in publicly available technical documentation. Authors of modern malware (e.g., hackers) are intimately familiar with the underlying operating system, and they study its technical documentation very closely. Therefore, they are in a good position to know what security measures computer security vendors deploy and enforce inside the underlying operating system, where and how they do so, both in principle and in practice. Modern malware authors have thereby benefited from a significant head start and considerable flexibility in choosing the most effective methods and techniques for penetrating, blinding, bypassing, and subverting both the underlying operating system and computer security software.