
158 points, posted by kenjackson | 1 comment
ExoticPearTree No.41031994
People drink the kool-aid and believe that Linux needs antivirus. So many vendors tried and failed at scaring people into buying Linux antivirus that I've lost track over the years.

My perspective is that it is a very very poor idea to have an anti-malware solution running on a Linux system. CrowdStrike is very persistent in their sales pitches and does FUD campaigns better than the competition to convince people with decision making authority that Linux and Containers and whatnot need an antivirus.

replies (3): >>41032656, >>41033791, >>41036614
nikcub No.41033791
Recently helped somebody who accidentally left dockerd open to the internet with no auth. It was hacked, backdoored and running a crypto miner within hours. Only detected when the hosting company emailed him days later because the worm was further scanning other hosts from his machine.

How would you stop, detect and/or remove this threat from this machine on a Linux server without antivirus / EDR?

replies (2): >>41034022, >>41034786
1. ExoticPearTree No.41034022
You have metrics from the server which tell you that you're running 100% CPU for a period of time. If the crypto miner wasn't something very dumb, it would not be detected. And I can scan a network using nmap with an XML or grepable output format options.

CrowdStrike doesn't remove threats. It would stop the process and quarantine the file. It requires knowledge on how to actually remove the threat beyond the quarantined file.
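A defender-side version of the two agentless checks this exchange points at, as an added example that is not part of the thread: flag a sustained CPU-saturation window in host metrics (ExoticPearTree's "100% CPU for a period of time") and flag a dockerd listener bound beyond loopback on the plaintext API port (nikcub's exposed daemon). The `ss -ltnp` lines and CPU samples are constructed, and the 2375 (plaintext) vs 2376 (TLS) port convention is an assumption about the host's setup.

```python
"""Added example (not from the thread): two host-side checks a defender can
run without an EDR agent. All sample inputs below are constructed."""
import re
from typing import List, Tuple

# Constructed `ss -ltnp` style lines; the dockerd line mimics a daemon bound
# to all interfaces on the plaintext API port 2375 (2376 is the TLS convention).
SS_OUTPUT = """\
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=812,fd=7))
LISTEN 0 4096 *:2375 *:* users:(("dockerd",pid=1042,fd=12))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
"""

# Constructed per-minute CPU utilisation samples (percent) with a sustained
# saturation window of the kind a miner produces.
CPU_SAMPLES = [12, 15, 9, 99, 100, 100, 98, 100, 100, 100, 11, 8]


def exposed_docker_sockets(ss_text: str) -> List[Tuple[str, int]]:
    """Return (address, port) for dockerd listeners that are not bound to
    loopback and sit on the plaintext API port (assumed convention: 2375)."""
    found = []
    for line in ss_text.splitlines():
        if '"dockerd"' not in line:
            continue
        m = re.search(r"\s(\S+):(\d+)\s", line)  # first "addr:port" field
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if addr not in ("127.0.0.1", "[::1]") and port == 2375:
            found.append((addr, port))
    return found


def sustained_cpu_windows(samples, threshold=95, min_len=5):
    """Return (start, end) index ranges where CPU stayed at or above
    threshold for at least min_len consecutive samples."""
    windows, start = [], None
    for i, v in enumerate(list(samples) + [0]):  # sentinel closes a trailing run
        if v >= threshold and start is None:
            start = i
        elif v < threshold and start is not None:
            if i - start >= min_len:
                windows.append((start, i - 1))
            start = None
    return windows


if __name__ == "__main__":
    print("exposed dockerd listeners:", exposed_docker_sockets(SS_OUTPUT))
    print("sustained CPU windows:", sustained_cpu_windows(CPU_SAMPLES))
```

On a real host, feed it the output of `ss -ltnp` and a CPU series from whatever metrics you already collect; the window check is what turns a spiky graph into an alert.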