at a very low level, and Microsoft's programmers absolutely hate that. Certain Microsoft technologies like PatchGuard, found in 64-bit editions of Windows (64-bit Windows 7 has some security advantages over 32-bit Windows 7), block both malefactors and would-be protectors from access to the kernel. Yet Microsoft itself hasn't provided the level of security that third-party security software offers. What to do?

The Windows Filtering Platform (WFP) is intended as a solution to this problem. According to Microsoft's At-a-Glance document, "Third-party firewall products can build on the core capabilities of Windows Firewall to add custom features, and can selectively turn parts of the Windows Firewall on or off, enabling you to choose which software firewall you want to use and have it coexist with Windows Firewall."

But is this actually useful to the security vendors? Will they use it? I asked around and got a fascinating array of responses, listed here alphabetically by company.

BitDefender LLC

Iulian Costache, product development manager: "We are using it at this moment in the Windows 7 installations; however, we encountered major memory leaks. The bug proved to be from Microsoft's side (confirmed by them). Therefore we don't have an estimate on when the issue will be fixed. Due to this issue, we temporarily replaced the new WFP driver with the old TDI one, until the problem is solved from Microsoft's part."

Check Point Software Technologies Ltd

Mirka Janus, PR manager: "We started using Windows Filtering Platform with . We are using it on Windows 7 as well. It is a supported interface, which is good, but any malware or incompatible driver could compromise a security product that relies on this layer alone for security. ZoneAlarm has always filtered at two layers, the network connection and the packet level. Starting with Vista, Microsoft offered WFP as a supported way to filter network connections. Starting with Windows 7 SP1, Microsoft will expand WFP to include packet filtering.

"Using a supported API means better stability and fewer BSODs. Many drivers can register and each driver writer doesn't have to worry about compatibility with others. If any one driver says to block, no other registrant can override that block decision. On the other hand, an uncooperative driver could thwart the cooperative design...bypassing all other registrants. We don't rely on WFP alone for network security."
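The arbitration rule in the statement above (several drivers register at one layer, any block is final, a permit stands only if nobody blocks) can be modelled in a few dozen lines. The following Python is an added illustration and is not WFP code or any vendor's code; the registrant names, sublayer and filter weights, and the sample connections are all constructed here, and the "highest-weight matching filter decides within a sublayer, default permit when nobody has an opinion" behaviour is a simplification assumed for the model, not a description of the real platform.

```python
"""Toy model of verdict arbitration among several registered filter drivers.

Added example, not WFP or vendor code.  Assumptions of this model:
  * each registrant owns one sublayer of filters and sublayers are consulted
    in descending weight;
  * within a sublayer the highest-weight matching filter decides;
  * a BLOCK from any registrant is final and cannot be overridden;
  * a PERMIT is provisional until every remaining registrant has been asked;
  * if nobody has an opinion the connection is permitted.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PERMIT, BLOCK = "permit", "block"


@dataclass(frozen=True)
class Connection:
    proto: str
    remote_ip: str
    remote_port: int
    process: str


@dataclass
class Filter:
    name: str
    weight: int                              # higher weight is checked first
    matches: Callable[[Connection], bool]
    action: str                              # PERMIT or BLOCK


@dataclass
class Registrant:
    """One filter driver and the sublayer of filters it registered."""
    vendor: str
    weight: int
    filters: List[Filter] = field(default_factory=list)

    def classify(self, conn: Connection) -> Optional[str]:
        # Highest-weight matching filter inside this sublayer wins (assumed).
        for f in sorted(self.filters, key=lambda f: f.weight, reverse=True):
            if f.matches(conn):
                return f.action
        return None                          # this registrant has no opinion


def arbitrate(registrants: List[Registrant], conn: Connection) -> Tuple[str, Optional[str]]:
    """Return (final verdict, vendor whose filter decided it, or None)."""
    provisional: Optional[str] = None
    for r in sorted(registrants, key=lambda r: r.weight, reverse=True):
        v = r.classify(conn)
        if v == BLOCK:
            return BLOCK, r.vendor           # block is final: nobody can override it
        if v == PERMIT and provisional is None:
            provisional = r.vendor           # permit holds only if no later block
    return PERMIT, provisional


def trace(registrants: List[Registrant], conn: Connection) -> List[Tuple[str, Optional[str]]]:
    """Per-registrant verdicts in evaluation order: shows which product is
    interfering with a given connection."""
    return [(r.vendor, r.classify(conn))
            for r in sorted(registrants, key=lambda r: r.weight, reverse=True)]


def build_sample_registrants() -> List[Registrant]:
    """Constructed sample: a third-party firewall and the built-in one."""
    vendor_fw = Registrant("VendorFirewall", weight=20, filters=[
        Filter("allow-browser", 5, lambda c: c.process == "browser.exe", PERMIT),
    ])
    windows_fw = Registrant("WindowsFirewall", weight=10, filters=[
        # Same sublayer: the heavier filter is consulted first.
        Filter("allow-mail-client", 9,
               lambda c: c.process == "mail.exe" and c.remote_port == 25, PERMIT),
        Filter("block-smtp", 5,
               lambda c: c.proto == "tcp" and c.remote_port == 25, BLOCK),
    ])
    return [vendor_fw, windows_fw]


if __name__ == "__main__":
    regs = build_sample_registrants()
    for conn in (Connection("tcp", "203.0.113.5", 25, "browser.exe"),
                 Connection("tcp", "203.0.113.5", 443, "browser.exe"),
                 Connection("tcp", "203.0.113.5", 25, "mail.exe"),
                 Connection("tcp", "203.0.113.5", 8080, "unknown.exe")):
        print(conn, "->", arbitrate(regs, conn), trace(regs, conn))
```

The first sample connection is the point of the quote: the higher-weight vendor sublayer permits the browser, but the lower-weight built-in sublayer blocks port 25 and that block is final. The `trace` output is the kind of per-product breakdown a user needs when one of several coexisting products is silently dropping traffic.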

F-Secure Corporation

Mikko Hypponen, chief research officer: "For some reason, WFP has never become very popular with security vendors, but we've been using it for quite a while, and we've been happy with it."

McAfee, Inc.

Ahmed Sallam, chief software architect, Software Architecture & Strategy: "Windows Filtering Platform is a more powerful and flexible network filtering interface than the previous NDIS-based interface. McAfee is committed to using the Windows Filtering Platform in its security products. It is officially documented by Microsoft and an improved network compared to the 'undocumented' methods for hooking into the TDI drivers. Security vendors, including McAfee, were not involved in the development of the interface definitions and primitives.

"While the Windows Filtering Platform has positive features, it can also be taken advantage of by cybercriminals. The platform could allow malware to hook earlier into the Windows kernel-mode networking stack. Windows 64-bit kernel mode drivers have to be digitally signed which prevents malware from loading into the kernel, but a digital signature is not mandatory on the 32-bit versions. Digital signature is a reasonable mechanism in theory, but in reality, malware authors can still obtain a digital certificate to sign their malware binaries."

Panda Security

Pedro Bustamante, senior research advisor: "Even though we are keeping an eye on it, we are not currently using the WFP platform. The main shortcomings we see with WFP are the following: 1. WFP lacks the ability to create a technology which combines different techniques to maximize protection. The technology is of no use if we cannot look at the packets that are coming in and out of the machine. Also it should serve as a sensor to other protection technologies. None of these abilities are provided by WFP. 2. WFP is only supported by Vista and above. There is no backward compatibility and therefore you'd have to maintain two different technologies with very little or no benefit. 3. Last but not least, WFP is a fairly new platform and we prefer to rely on a more mature and proven technology."

Symantec Corp.

Dan Nadir, director, product management, consumer products: "Because of the newness of WFP, our products do not currently rely on it. However, over time, we expect that it will make sense to migrate to it as the older interfaces we use do not or will not provide the full functionality we require, including Microsoft Logo Certification. WFP is good because it was specifically designed to accommodate interoperability between multiple third-party vendors. In principle, there should be fewer interoperability issues in the future. WFP is also good because it is integrated with Microsoft's Network Diagnostic Framework. This is extremely useful because it makes it a lot easier for users to discover if specific software is interfering with network traffic. Lastly, WFP should result in better performance and reliability because it avoids emulation and issues with conflicts or driver stability.

"On the other hand, WFP may introduce the same kind of problems that exist with any framework: Vendors who rely on WFP cannot address vulnerabilities within WFP itself nor can they expand beyond the specific services offered by WFP. As a security company, the concern also exists that because many products will rely on WFP, malware writers could theoretically attempt to attack WFP itself."

Trend Micro Inc.

Dale Liao, research director: "The greatest advantage is the compatibility with the OS. Also, standard firewall has become the commodity. We can focus more on value-added features on top of the standard firewall to benefit our customers. The bad is if WFP has any defect and security bug, we have to rely on MS to provide a hotfix."

WFP: The Bottom

A solid majority of the vendors I queried are using WFP now, some in parallel with other technologies. They like the interoperability, the fact that it's documented and "official," and its supposed stability. On the negative side, if all vendors rely on WFP it becomes a single point of failure, and they'd have to rely on Microsoft for the fix. And it doesn't yet offer packet-level filtering.

The big hurdle is that WFP isn't in , so any vendor that wants to support XP will have to run two parallel development tracks. As XP fades and WFP evolves I anticipate more vendors will rely on it.

Windows 7 incorporates quite a few other security-related features; I'll look at those next.