It’s a design flaw in Windows to require a kernel driver for these kinds of tools.
Similar tools in Linux like tcpdump and Falco only require cap_net_raw and/or eBPF. These tools are not able to cause a kernel panic, and they don’t have full access to the kernel.
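The comment above contrasts a kernel driver with a sensor that holds one Linux capability. An added example, not code from the thread or from any vendor, of how a practitioner would check that: it decodes the CapEff bitmask from a /proc/<pid>/status dump into capability names and reports anything beyond an allow-list. The status dumps are constructed for the example; the tcpdump one carries only CAP_NET_RAW, the Falco one carries CAP_BPF, CAP_PERFMON and CAP_SYS_RESOURCE (the set Falco documents for its modern eBPF probe on 5.8+ kernels, where CAP_BPF replaced CAP_SYS_ADMIN as the gate for loading BPF programs), and the third is a full-root process for comparison.

```python
"""Decode Linux capability sets and flag excess privilege.

Added example for the tcpdump / Falco vs. kernel-driver discussion.
Capability numbers follow <linux/capability.h>; the status dumps below
are constructed, not captured from a real host.
"""
import re

# Capability names indexed by bit number (0..40), as in linux/capability.h.
_CAP_NAMES = """chown dac_override dac_read_search fowner fsetid kill setgid setuid
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap
mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf
checkpoint_restore""".split()


def cap_name(bit):
    """Map a capability bit number to its CAP_* name (unknown bits keep the number)."""
    if bit < len(_CAP_NAMES):
        return "CAP_" + _CAP_NAMES[bit].upper()
    return f"CAP_{bit}"


def parse_cap_line(status_text, field="CapEff"):
    """Return the hex bitmask from a Cap* line of a /proc/<pid>/status dump."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError(f"{field} not present in status text")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Expand a capability bitmask into the list of set CAP_* names, lowest bit first."""
    return [cap_name(i) for i in range(mask.bit_length()) if (mask >> i) & 1]


def excess_caps(status_text, allowed):
    """Capabilities effective in the process that are not on the allow-list."""
    have = set(decode_caps(parse_cap_line(status_text)))
    return sorted(have - set(allowed))


def own_effective_caps():
    """Decode the effective capability set of the current process (Linux only)."""
    with open("/proc/self/status", encoding="ascii") as f:
        return decode_caps(parse_cap_line(f.read()))


# Constructed status fragments (only the lines this example reads).
TCPDUMP_STATUS = "Name:\ttcpdump\nCapInh:\t0000000000000000\nCapEff:\t0000000000002000\n"
FALCO_STATUS = "Name:\tfalco\nCapEff:\t000000c001000000\n"
ROOT_STATUS = "Name:\tbash\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    for name, text in (("tcpdump", TCPDUMP_STATUS), ("falco", FALCO_STATUS), ("root", ROOT_STATUS)):
        print(name, decode_caps(parse_cap_line(text)))
    print("tcpdump excess:", excess_caps(TCPDUMP_STATUS, ["CAP_NET_RAW"]))
```

Run on a real host, `own_effective_caps()` on the sensor's PID (or the same parser over `/proc/<pid>/status`) gives a quick least-privilege audit: a sniffer should show only CAP_NET_RAW, and anything with CAP_SYS_MODULE or CAP_SYS_RAWIO in its effective set is in the same blast-radius class as a kernel driver.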
It goes beyond Windows in this case. All the EDR tools I have worked with generally require kernel extensions for macOS and also Linux. Carbon Black and Apple never played nice together and it always took a week or so for Carbon Black to get an update after Apple did a kernel change. (Apple wouldn’t pre-release a kernel map for third-party vendors, I think.)
Tcpdump and Falco in your example are detection/read-only. CrowdStrike or Carbon Black are also response tools that need to block actions across the entire system.
I am not sure about CrowdStrike’s functionality in this regard, but I used Carbon Black’s response shell quite a bit, which gives a responder ring 0 without needing root credentials.
There is still a case to be made about security tools not needing kernel drivers I believe. I am not smart enough to do that though.