HalvarFlake, 5 months ago

@malwaretech wait. EDRs using Usermode hooks are still a thing? I thought Usermode hooks went out of style in 2002?

malwaretech, 5 months ago

@HalvarFlake They did, but EDRs didn't get the memo

HalvarFlake, 5 months ago

@malwaretech can you name and shame? 🙂

Crowdstrike wouldn't, would they?

dave_aitel, 5 months ago

@HalvarFlake @malwaretech they basically have to do user space because of how exciting Microsoft is about locking them out of the kernel is what I hear

malwaretech, 5 months ago

@HalvarFlake Basically everyone except Microsoft Defender does AFIK. With KPP preventing SSDT hooking, you're basically limited to kernel callbacks, filter drivers, and ETW. Only real viable way left to get good telemetry is user mode hooking

dymaxion, 5 months ago

@malwaretech
This just feels like an argument that we should demand that our OS vendors build proper EDR tooling, because it can't be done correctly by anyone else.
@HalvarFlake

malwaretech, 5 months ago

@dymaxion @HalvarFlake They tried that back when SSDT hooks were removed and Microsoft response was basically fart noises

dymaxion, 5 months ago

@malwaretech
Oh, I'm not saying they've done it — that's why it unfortunately is a demand. If we lived in a more perfect universe etc etc
@HalvarFlake

chort, 5 months ago

deleted_by_author

ljrk, 5 months ago

@chort @malwaretech @dymaxion @HalvarFlake Additionally, their EDR, I mean XDR, solution is incredibly slow to react to alerts or even display them.

And while I agree with Halvar that in a perfect world we have introspection APIs... I'd also hope that in a perfect world, endpoint security would matter a lot less.