@HalvarFlake Basically everyone except Microsoft Defender does, AFAIK. With KPP preventing SSDT hooking, you're basically limited to kernel callbacks, filter drivers, and ETW. The only real viable way left to get good telemetry is user-mode hooking.
@malwaretech
This just feels like an argument that we should demand that our OS vendors build proper EDR tooling, because it can't be done correctly by anyone else. @HalvarFlake
And while I agree with Halvar that in a perfect world we have introspection APIs... I'd also hope that in a perfect world, endpoint security would matter a lot less.