158 points kenjackson | 13 comments
1. yftsui No.41031745
Not surprising at all. The top CPU consumer on my work-issued MacBook has always been `com.crowdstrike.falcon.Agent`; before Apple released the M1, my Intel 2019 MacBook Pro could barely do any everyday task with that agent running in the background. It crashed video calls, crashed the entire OS, and I couldn't even type smoothly in an IDE back then.
replies(2): >>41032329, >>41033434
2. fernandotakai No.41032329
yup. i worked at a company that used crowdstrike's falcon agent and it was an incredible cpu hog.

nowadays i work at a place that uses a different solution and guess what: it's also a f-ing cpu (and i/o) hog -- it makes my m1 pro macbook slow to a crawl and there's no way to disable it.

replies(1): >>41032556
3. em500 No.41032556
Part of Windows' bad reputation (for instability and poor performance) is likely due to Windows being the standard on corporate computers (outside of tech companies), where admins/management insist on installing tons of "enterprise solutions" that slow quad-core PCs with lightning-fast SSDs to a crawl. macOS has the same problem as soon as it's deployed in large corporations. I had a company-issued MacBook where a bad printer driver cut the battery life in half for a month or so.
replies(3): >>41032978, >>41033329, >>41033490
4. fernandotakai No.41032978{3}
totally. i have a macbook air m2 and it performs better than my work m1 pro because of the bloatware.

my zsh config spawns in ~90ms on my macbook air m2 while it takes 600ms in the m1 pro.

replies(1): >>41034905
5. acdha No.41033329{3}
> MacOS has the same problem as soon as they're deployed in large corporations.

Except where Apple does not let vendors loose in key places like the kernel. One of the interesting questions here is whether Microsoft could possibly do that: Windows users would be better off if the kernel were restricted to first-party code, things like AV used the same kind of interface that macOS has, and third-party code were forced into more moderated channels (malware uses many of the same techniques). But there's a security industry with revenue measured in tens of billions of dollars annually that would be running to the regulators if there were anything that could remotely be seen as favoring Defender over their products. I still think it'd be possible, but hard enough that I'm not surprised they've slowly been letting awareness of the downsides build, especially on the enterprise IT side.

I was wondering whether this debacle might push them to have a roadmap for restricting kernel drivers in favor of the Windows eBPF implementation which has been approaching production grade. Sometimes you need a huge blowup to remove support for the status quo.

replies(2): >>41033770, >>41034794
6. krzyk No.41033434
This is not something CrowdStrike-specific; my company uses SentinelOne and it is just as intrusive and CPU-intensive. It basically makes development work on an Intel Mac almost impossible.

I hate all the EDR nonsense on laptops. I wonder if the added cost for lost workhours and electricity wouldn't be more than the tiny chance of catching a malware.

7. jajko No.41033490{3}
Quad-core? More like a 12-core Core i7-1365U. It's literally just a function of time (aka forced silent updates from admins) until it becomes as slow as an early-2000s desktop running modern software. Same for the HDD.

When I got a new laptop due to some internal migration, it was blazingly fast. Well, not so much anymore. I literally haven't installed anything on it since receiving it; I simply can't (unless it's just about copying to C: and it runs). Some colleagues have things like Windows Firewall running constantly at 50% CPU, and there's nothing admins can fix apart from replacing the ntb.

8. nikcub No.41033770{4}
Technically, they could do it; I believe Microsoft tried in the distant past. The problem is that as soon as they restrict ring 0 to first-party code only, it would raise competition and antitrust issues and be seen as Microsoft favoring its own solution and locking out third parties.
replies(2): >>41033871, >>41038894
9. mrkstu No.41033871{5}
Not if MS’s equivalent also used the new system.
10. WorldMaker No.41034794{4}
> I was wondering whether this debacle might push them to have a roadmap for restricting kernel drivers in favor of the Windows eBPF implementation which has been approaching production grade.

Though as this article and its Red Hat respondents admit eBPF isn't a perfect solution either because it is still a somewhat Turing Complete scripting language and bad vendors will find ways to get kernel panics out of eBPF scripts no matter how hardened the eBPF driver gets.

Microsoft is probably in a good position to use this debacle to push more vendors to Windows' implementation of eBPF. It doesn't solve the crisis that a vendor like CrowdStrike exists that is "beloved" by Enterprise Solution Architects for all the compliance boxes it checks, but is run as a terrible software company with bad standards and has multiple "accidents" in recent weeks.

replies(1): >>41038944
11. vips7L No.41034905{4}
My PowerShell startup time on my work laptop is around 4000ms. Corporate IT ruins everything.
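Comments 4 and 11 above use shell startup time (zsh at ~90 ms vs. 600 ms, PowerShell at ~4000 ms) as a rough yardstick for how much an endpoint agent and other corporate software drag a machine down. The script below is an added example, not code posted by anyone in this thread, that makes that measurement repeatable: it times any command to exit N times and reports the median in milliseconds, so a single slow outlier does not dominate. It assumes a `date(1)` that supports `%N` (GNU coreutils; on macOS install coreutils and run it with `DATE=gdate`).

```shell
#!/bin/sh
# Added example (not from the thread): median startup latency of a command.
# Assumption: date(1) understands %N for nanoseconds (GNU coreutils).
# On macOS: brew install coreutils, then run with DATE=gdate.
DATE=${DATE:-date}

# now_ms: current wall-clock time as integer milliseconds
now_ms() {
  echo $(( $("$DATE" +%s%N) / 1000000 ))
}

# startup_ms CMD [ARGS...]: one sample of wall-clock ms for CMD to run to exit.
# Output of CMD is discarded; a non-zero exit is ignored so a missing or
# failing command still yields a number instead of aborting under set -e.
startup_ms() {
  start=$(now_ms)
  "$@" >/dev/null 2>&1 || :
  end=$(now_ms)
  echo $(( end - start ))
}

# median_startup_ms N CMD [ARGS...]: take N samples, print the median in ms.
# For even N the two middle samples are averaged (integer division).
median_startup_ms() {
  n=$1; shift
  i=0
  while [ "$i" -lt "$n" ]; do
    startup_ms "$@"
    i=$((i + 1))
  done | sort -n | awk -v n="$n" '
    { a[NR] = $1 }
    END {
      if (n % 2) print a[(n + 1) / 2]
      else print int((a[n / 2] + a[n / 2 + 1]) / 2)
    }'
}

# Compare a bare POSIX shell with an interactive shell that loads the user's
# config, the way the posters above did by hand. Only shells that exist on
# this machine are timed.
for sh_cmd in "sh -c exit" "bash -i -c exit" "zsh -i -c exit"; do
  set -- $sh_cmd
  if command -v "$1" >/dev/null 2>&1; then
    echo "$sh_cmd: $(median_startup_ms 10 "$@") ms"
  fi
done
```

To check what an agent costs, run it once with the agent active and once after IT has paused it (where policy allows), using the same shell and config both times; the difference in medians is the overhead the thread is complaining about.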
12. acdha No.41038894{5}
I definitely think it would be critical that Defender launches on day one using only the new APIs.
13. acdha No.41038944{5}
Yeah, I’m not saying eBPF is perfect but it’s getting better and has a path to making things much safer. I’d compare that to where things were with memory safety 20 years ago where it seemed unlikely that anything could displace C/C++ but by now we’re seeing a lot of important things written in memory safe languages. For a company with Microsoft’s resources, I’d imagine they could do quite a lot if 10% of the CEO’s bonus was instead invested in making their customers safer.