• JustinA
    link
    fedilink
    English
    arrow-up
    1
    ·
    edit-2
    4 months ago

    It’s a design flaw in windows to require a kernel driver for these kinds of tools.

    Similar tools in Linux like tcpdump and Falco only require cap_net_raw and/or ebpf. These tools are not able to cause a kernel panic, and they don’t have full access to the kernel.

    • remotelove@lemmy.ca
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      4 months ago

      It goes beyond Windows in this case. All the EDR tools I have worked with generally require kernel extensions for macOS and also Linux. Carbon Black and Apple never played nice together and it always took a week or so for Carbon Black to get an update after Apple did a kernel change. (Apple wouldn’t pre-release a kernel map for third-party vendors, I think.)

      Tcpdump and Falco in your example are detection/read-only. Response tools like CrowdStrike or Carbon Black are also response tools that need to block actions across the entire system.

      I am not sure about CrowdStrike’s functionality in this regard, but I used Cabon Black’s response shell quite a bit which gives a responder ring 0 without needing root credentials.

      There is still a case to be made about security tools not needing kernel drivers I believe. I am not smart enough to do that though.