Comment on Microsoft to host security summit after CrowdStrike disaster
deegeese@sopuli.xyz 3 weeks agoRunning security products in kernel mode is precisely what caused this disaster.
Comment on Microsoft to host security summit after CrowdStrike disaster
deegeese@sopuli.xyz 3 weeks agoRunning security products in kernel mode is precisely what caused this disaster.
lud@lemm.ee 3 weeks ago
It needs that kind of access to fight advanced attacks. It would surprise me if similar EDR programs didn’t have similar access on Linux systems, for example.
deegeese@sopuli.xyz 3 weeks ago
No, you make a management API for security products that run in user space as root, you don’t use kernel modules.
lud@lemm.ee 3 weeks ago
Is that the way that EDR is implemented on Linux or are you guessing?
progandy@feddit.org 3 weeks ago
Currently, cloudstrike offers two methods for Linux: a kernel driver / module and a theoretically safer alternative using epbf (you could call that “kernel level scripting”). Ironically, they triggered a kernel bug using that more second option. They did not test all kernels they listed as compatible or something like that.