by salmo 1559 days ago
It’s also part of Windows hardening standards that are then pulled into compliance frameworks.

My company installs at least 3 antimalware/security management products that cripple, I mean, protect endpoint systems. 2 vendors. None of them are integrated with each other. So files and executables are all scanned 3x. Git runs abysmally slowly because of all the processes involved and tiny files.

One of the reasons I run the paperwork gauntlet to run a Mac. Windows is crippled, Linux is banned on endpoints, so Mac it is. I have to run 1 AV, but it doesn’t do a lot. And I love Apple kicking everyone out of the kernel over time (except VirtualBox, that’s annoying).

Luckily it’s mostly an application-level concern on Linux. Scanning files and such on file servers, mail gateways, etc., ultimately protecting Windows systems with normal user processes not all up in my kernel, and on limited systems. It actually kinda makes sense.

Now, commercial IDS/IPS, I don’t even want to know how those are architected. I haven’t touched an OSS one (Snort) in years.

If I won the lottery, it would be kind of fun to just sit and find horrific exploits in these things.


You must work where I work. Symantec Endpoint Protection (of course set to scan at any access), CarbonBlack, Avecto, etc etc etc. And because the people complain about it they install stuff like Nexthink to diagnose performance issues.

Eventually you end up with a system that has so much latency on every I/O operation and over 60 ETW traces running that you can't even run or finish a WPR trace.

LOL. Different batch of software.

I think this experience is called “enterprise.”

MS really shot themselves in the foot adding the ability for stuff to insert itself into I/O that easily.