[mr_mitm]

It's a design decision. People want the antivirus to protect them even if an attacker exploits a local privilege escalation vulnerability or if an attacker that compromised an admin account (which happens all the time in Windows environments) wants to load malicious software. That's kind of the point of these things. Somebody exploits a memory vulnerability of one of the hundreds of services on a system, the antivirus is supposed to prevent that, and to their benefit, Crowdstrike is very good at this. If it didn't run in the kernel, an attacker with root can deactivate the antivirus. Since it's a kernel module, the attacker needs to load a signed kernel module, which is much harder to achieve.

[jsheard]

Presumably Crowdstrikes driver also has the ELAM flag which guarantees it will be loaded before any other third party drivers, so even if a malicious driver is already installed they have the opportunity to preempt it at boot.

https://learn.microsoft.com/en-us/windows-hardware/drivers/i...

[chrisjj]

> guarantees it will be loaded before any other third party drivers

Point of information. "Guarantee" and "any" are unsubstantiated by that MS article.

[jsheard]

If we are being pedantic then an ELAM driver can't be guaranteed to load before another ELAM driver of course, but only a small list of vetted vendors are able to sign ELAM drivers so it is very unlikely that malware would be able to gain that privilege. That's the whole point.

[chrisjj]

Not pedantic. Just accurate.

> an ELAM driver can't be guaranteed to load before another ELAM driver of course,

Thanks for the correction.