@thelinuxEXP I have had endpoint security engineers tell me that using these safe interfaces precludes some of the differentiating features of CrowdStrike Falcon and other similar endpoint tools. I’m extremely dubious that those features are worth the risk and added surface area exposed by the security and compliance probe as a kernel module in the first place.

Using a rootkit as the vehicle for compliance in all Fortune 500 companies seems like a bad idea a priori.