• deegeese
    link
    fedilink
    English
    arrow-up
    1
    ·
    3 months ago

    Running security products in kernel mode is precisely what caused this disaster.

    • lud@lemm.ee
      link
      fedilink
      English
      arrow-up
      1
      ·
      3 months ago

      It needs that kind of access to fight advanced attacks. It would surprise me if similar EDR programs didn’t have similar access on Linux systems, for example.

      • deegeese
        link
        fedilink
        English
        arrow-up
        1
        ·
        3 months ago

        No, you make a management API for security products that run in user space as root, you don’t use kernel modules.

        • lud@lemm.ee
          link
          fedilink
          English
          arrow-up
          1
          ·
          3 months ago

          Is that the way that EDR is implemented on Linux or are you guessing?

          • progandy@feddit.org
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            3 months ago

            Currently, cloudstrike offers two methods for Linux: a kernel driver / module and a theoretically safer alternative using epbf (you could call that “kernel level scripting”). Ironically, they triggered a kernel bug using that second option. They did not test all kernels they listed as compatible or something like that.