[weinzierl]

"that all inputs are absolutely trusted"

This is something funny to say when the inputs contain malware signatures, which are essentially determined by the malware itself.

I mean, how hard would it be to craft a malware that has the same signature as an important system file? Preferably one that doesn't cause immediate havoc when quarantined, just a BSOD after reboot, so it slips through QA.

Even if the signature is not completely predictable, the bad guys can try as often as they want and there would not even be way to detect these attempts.

[lmm]

> malware signatures, which are essentially determined by the malware itself.

No they're not. The tool vendor decides the signature, they pick something characteristic that the malware has and other things don't, that's the whole point.

> how hard would it be to craft a malware that has the same signature as an important system file?

Completely impossible, unless you mean, like, bribe one of the employees to put the signature of a system file instead of your malware or something.

[weinzierl]

The tool vendor decides the signature

Sure, but they do it following a certain process. It's not that CrowdStrike employees get paid to be extra creative in their job, so you likely could predict what they choose to include in the signature.

In addition to that, you have no pressure to get it right the first time. You can try as often as you want and analyzing the updated signatures you even get some feedback about your attempts.

[lmm]

> Sure, but they do it following a certain process.

Which is going to include checking that it doesn't match any OS files.

> You can try as often as you want and analyzing the updated signatures you even get some feedback about your attempts.

As others said, probably only if you can reverse a hash function.