this post was submitted on 20 Jul 2024
159 points (98.8% liked)
Asklemmy
you are viewing a single comment's thread
It goes beyond Windows in this case. All the EDR tools I have worked with generally require kernel extensions for macOS and also Linux. Carbon Black and Apple never played nice together and it always took a week or so for Carbon Black to get an update after Apple did a kernel change. (Apple wouldn't pre-release a kernel map for third-party vendors, I think.)
Tcpdump and Falco in your example are detection/read-only. Tools like CrowdStrike or Carbon Black are also response tools that need to block actions across the entire system.
I am not sure about CrowdStrike's functionality in this regard, but I used Carbon Black's response shell quite a bit, which gives a responder ring 0 without needing root credentials.
There is still a case to be made about security tools not needing kernel drivers I believe. I am not smart enough to do that though.
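The distinction the comment draws between read-only detection and inline blocking can be made concrete on Linux without loading a kernel module. The following is an added example, not the commenter's code and not any EDR vendor's: a userspace fanotify listener that gates every file open on the root mount and denies opens under a hypothetical protected prefix. It assumes a Linux kernel built with fanotify permission events and a process holding CAP_SYS_ADMIN; the `DENIED_PREFIX` value, the `decide()` helper and the log format are this example's own choices.

```c
// Added example (not from the comment above): a userspace "response" gate on
// Linux using fanotify permission events. Requires CAP_SYS_ADMIN and a kernel
// with CONFIG_FANOTIFY_ACCESS_PERMISSIONS. DENIED_PREFIX is a hypothetical
// policy chosen for this example.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Hypothetical policy: deny any open of a file under this prefix. */
#define DENIED_PREFIX "/opt/protected/"

/* Pure policy decision, kept apart from the kernel plumbing so it can be
 * exercised without privileges. Returns FAN_DENY or FAN_ALLOW. */
unsigned int decide(const char *path) {
    if (path != NULL && strncmp(path, DENIED_PREFIX, strlen(DENIED_PREFIX)) == 0)
        return FAN_DENY;
    return FAN_ALLOW;
}

/* Resolve the path behind the descriptor the kernel handed us. readlink does
 * not open a file, so it cannot trigger another permission event. */
static void resolve_path(int fd, char *buf, size_t len) {
    char link[64];
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    buf[n < 0 ? 0 : (size_t)n] = '\0';
}

/* Answer one permission event. The opening process stays suspended inside the
 * kernel until this write lands. */
static int respond(int fan_fd, int event_fd, unsigned int verdict) {
    struct fanotify_response resp = { .fd = event_fd, .response = verdict };
    return write(fan_fd, &resp, sizeof resp) == (ssize_t)sizeof resp ? 0 : -1;
}

int main(void) {
    /* FAN_CLASS_CONTENT is required to receive permission (blocking) events. */
    int fan_fd = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan_fd < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }

    /* Mount-wide mark: every open on the filesystem containing "/" is gated. */
    if (fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
                      FAN_OPEN_PERM, AT_FDCWD, "/") < 0) {
        perror("fanotify_mark"); return 1;
    }

    char buf[4096];
    for (;;) {
        ssize_t len = read(fan_fd, buf, sizeof buf);
        if (len < 0 && errno == EINTR) continue;
        if (len <= 0) { perror("read"); break; }

        struct fanotify_event_metadata *md = (struct fanotify_event_metadata *)buf;
        while (FAN_EVENT_OK(md, len)) {
            if (md->vers != FANOTIFY_METADATA_VERSION) {
                fputs("fanotify metadata version mismatch\n", stderr);
                return 1;
            }
            if (md->mask & FAN_OPEN_PERM) {
                char path[PATH_MAX];
                resolve_path(md->fd, path, sizeof path);
                unsigned int verdict = decide(path);
                respond(fan_fd, md->fd, verdict);
                /* Audit line; do not open files on the monitored mount here. */
                printf("pid=%d open %s -> %s\n", (int)md->pid, path,
                       verdict == FAN_DENY ? "DENY" : "ALLOW");
            }
            if (md->fd >= 0) close(md->fd);
            md = FAN_EVENT_NEXT(md, len);
        }
    }
    close(fan_fd);
    return 0;
}
```

Build with `gcc -Wall -o fangate fangate.c`, run it as root, and in another shell a `cat /opt/protected/anything` fails with EPERM while the listener logs the denial. Two properties matter for the "response tool" argument: the opener is blocked inside the kernel until the listener writes a verdict, so a slow handler stalls the whole system, and if the listener dies the kernel answers its pending permission events with allow, so the gate fails open. fanotify also only covers file open, access and exec events, not process creation, network or arbitrary syscalls, which is part of why full-response EDRs still reach for kernel hooks.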