this post was submitted on 26 Jul 2024
320 points (98.8% liked)

Linux Gaming

15905 readers
47 users here now

Gaming on the GNU/Linux operating system.

Recommended news sources:

Related chat:

Related Communities:

Please be nice to other members. Anyone not being nice will be banned. Keep it fun, respectful and just be awesome to each other.

founded 4 years ago
MODERATORS
 

CrowdStrike’s Falcon software uses a special driver that allows it to run at a lower level than most apps so it can detect threats across a Windows system. Microsoft tried to restrict third parties from accessing the kernel in Windows Vista in 2006 but was met with pushback from cybersecurity vendors and EU regulators. However, Apple was able to lock down its macOS operating system in 2020 so that developers could no longer get access to the kernel.

Now, it looks like Microsoft wants to reopen the conversations around restricting kernel-level access inside Windows.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 4 points 4 months ago (1 children)

Why not have a structure in place that has Microsoft review/test code from third parties. At the end of the day it is Microsoft that took the public hit so they should be the last line of defence in this process.

Those that wish to have their code sit at the privileged/kernel level should either pay up or supply Microsoft with resources to do the tests Microsoft would require.

What shouldn't happen is third parties doing their work at a privileged level without the oversight.

[–] [email protected] 7 points 4 months ago (1 children)

@dueuwuje @mudle

If I understand it correctly, it already has been (at least formally) reviewed by microsoft before signing and allowing that signed code run kernel-mode. But the crowdstrike's driver module was not just running malware scanner on itself, it was interpreting what is basically unsigned code that was easier and faster to update. This unsigned files were the ones containing faulty update.

At least that what I understand from https://www.youtube.com/watch?v=wAzEJxOo1ts , it may not be entirely correct or I may have misunderstood.

But if it is true, it may be more sensible to make an API so software with specific permissions could access information needed to effectively function as antivirus, without being run in kernel mode.

[–] [email protected] 2 points 4 months ago

But if it is true, it may be more sensible to make an API so software with specific permissions could access information needed to effectively function as antivirus, without being run in kernel mode.

I've come to this conclusion as well. I believe Apple has similar functionality with their "kernel-extensions", I believe it's called.