
158 points kenjackson | 1 comments
red_admiral No.41031943
In principle, yes, if you have third-party Ring 0 kernel-mode drivers, they could crash a POSIX system as well as a Windows one.

But that doesn't seem to be what happened here.

Random idea that I haven't fully thought through: continue to run the kernel at Ring 0 and userland at Ring 3, but move "tools" like this to Ring 1.

1. ahazred8ta No.41032193
Windows has an official ELAM (Early Launch AntiMalware) framework, which CrowdStrike complies with. The CrowdStrike driver is right where it's supposed to be, according to Microsoft.