[gwu78]

Is it true these packets are HTTP requests full of XML, i.e., SOAP? Do they use HTTPS on ports 16994 and 16995?

To avoid a crash, users can mount potentially malicious filesystems in userspace, i.e. users can run kernel drivers like ffs outside of the kernel. This feature comes from a non-Linux kernel. I have read this may be able to work on Linux too but I have never tried it.

[cillian64]

Here is a script which speaks the AMT lingo: https://github.com/wentasah/amtterm/blob/master/amttool

It's clearly using SOAP, and looks like you can choose between HTTPS or HTTP.

[Filligree]

> To avoid a crash, users can mount potentially malicious filesystems in userspace, i.e. users can run kernel drivers like ffs outside of the kernel. This feature comes from a non-Linux kernel. I have read this may be able to work on Linux too but I have never tried it.

Linux has FUSE for this, but...

- A lot of filesystems don't have FUSE drivers. You can't use the same kernel-mode drivers in userspace. In fact, off the top of my head, the only filesystem with both kernel-mode and userspace drivers is ZFS.

- It just reduces the threat, it doesn't eliminate it. There's no guarantee whatsoever that the FUSE kernel-side shim is invulnerable to bad inputs, though hopefully it's been audited. Something that never touches the kernel would still be preferable.