
158 points kenjackson | 3 comments
yftsui No.41031745
Not surprising at all. On my work-issued MacBook the top CPU consumer has always been `com.crowdstrike.falcon.Agent`. Before Apple released the M1, my Intel 2019 MacBook Pro could barely do any everyday task with that agent running in the background. It crashed video calls, crashed the entire OS, and I couldn't even type smoothly in an IDE back then.
replies(2): >>41032329 >>41033434
fernandotakai No.41032329
Yup. I worked at a company that used CrowdStrike's Falcon agent and it was an incredible CPU hog.

Nowadays I work at a place that uses a different solution and guess what: it's also a f-ing CPU (and I/O) hog. It makes my M1 Pro MacBook slow to a crawl and there's no way to disable it.

replies(1): >>41032556
em500 No.41032556
Part of Windows' bad reputation (for instability and poor performance) is likely due to Windows being the standard on corporate computers (outside of tech companies), where admins/management insist on installing tons of "enterprise solutions" that slow quad-core PCs with lightning-fast SSDs to a crawl. macOS has the same problem as soon as it's deployed in large corporations. I had a company-issued MacBook where a bad printer driver cut the battery life in half for a month or so.
replies(3): >>41032978 >>41033329 >>41033490
acdha No.41033329
> MacOS has the same problem as soon as they're deployed in large corporations.

Except where Apple does not let vendors loose in key places like the kernel. One of the interesting questions here is whether Microsoft could possibly do that: Windows users would be better off if the kernel were restricted to first-party code, things like AV used the same kind of interface that macOS has, and third-party code were forced into more moderated channels (malware uses many of the same techniques). But there's a security industry with revenue measured in tens of billions of dollars annually that would be running to the regulators if there were anything that could remotely be seen as favoring Defender over their products. I still think it'd be possible, but hard enough that I'm not surprised they've slowly been letting awareness of the downsides build, especially on the enterprise IT side.

I was wondering whether this debacle might push them to have a roadmap for restricting kernel drivers in favor of the Windows eBPF implementation, which has been approaching production grade. Sometimes you need a huge blowup to remove support for the status quo.

replies(2): >>41033770 >>41034794
nikcub No.41033770
Technically, they could do it; I believe Microsoft tried in the distant past. The problem is that as soon as they restrict ring 0 to first-party code only, it would raise competition and antitrust issues and be seen as Microsoft favoring its own solution and locking out third parties.
replies(2): >>41033871 >>41038894
mrkstu No.41033871
Not if MS’s equivalent also used the new system.
acdha No.41038894
I definitely think it would be critical that Defender launches on day one using only the new APIs.