undefined | Better HN

0 pointsnotepad0x901y ago0 comments

they need to be processed in kernel mode where the monitoring happens, user mode EDRs are trivial to bypass. they have to be processed by whatever is going to use them, and in this case it is the "lightweight" sensor code in kernel mode.

0 comments

acdha1y ago

They need to load data into the kernel eventually but that doesn’t mean that the first time the file is parsed should be in the kernel. For example, on Linux they don’t have this problem because they use the eBPF subsystem and so what’s running in the kernel is validated byte code. Even if they didn’t want to do something that sophisticated they could simply include a validator into the update process, as has been common since the 1980s.

j / k navigate · click thread line to collapse

0 comments

acdha1y ago

j / k navigate · click thread line to collapse