|
Top-level
@thelinuxEXP that’s because they are using eBPF now. But Windows now has dtrace and AMSI. CrowdStrike doesn’t use those. Instead, it injects itself into the kernel. Microsoft can’t force CrowdStrike to use the safe interfaces. If you are in the kernel and crash the system that’s on you. 3 comments
@thelinuxEXP my guess is that Linux server admins had the political clout to force a change. Windows had AMSI for something like 20+ years. dtrace for about 5 years. There was a technology that Microsoft wanted to use to protect the kernel integrity that the EC blocked because security vendors brought a complaint. In my company Windows is only allowed in a VM, FWIW. I think Microsoft has painted themselves into a corner with their infinite backward compatibility and bad legacy decisions. @thelinuxEXP I have had endpoint security engineers tell me that using these safe interfaces precludes some of the differentiating features of CrowdStrike Falcon and other similar endpoint tools. I’m extremely dubious that those features are worth the risk and added surface area exposed by the security and compliance probe as a kernel module in the first place. Using a rootkit as the vehicle for compliance in all Fortune 500 companies seems like a bad idea a priori. |
Gregory's Server
@breiter Ah yeah, didn’t know Windows has a similar thing now. Strange that Crowdstrike didn’t use it, when they made the move for Linux!
Anyway, the finger pointing at the EU is ridiculous. If they don’t want to blame themselves (I still refuse to believe there’s nothing MS could do to handle this type of problem more gracefully), blame Crowdstrike.