by zozbot234 695 days ago
If you run a properly designed operating system your anti-malware will not need ring-0 access. See mac OS which has now deprecated kexts altogether and will only load them if you explicitly turn off system integrity settings.

I don't think this follows. Those vendors are third parties and reach for whatever they can get. Yes, if Microsoft didn't allow kernel extensions then CrowdStrike would run as SYSTEM in userspace, but that doesn't tell us whether they need it or not, it only tells us that they want it.

Based on other comments it can run as kernel module or as eBPF filters on linux. So I guess to them it's a less invasive/more power tradeoff which they'll take whenever it's available.

Mac OS only doesn't need driver loading because they know exactly which hardware it runs on and link those drivers into the kernel. This is not applicable to Windows systems.
Windows has DTrace and eBPF available. They chose not to use it.
I’m wondering if a bad DTrace or eBPF expression/filter could cause a blue screen. I’ll bet it could be done.
Got my answer from the (currently top) answer here:

https://news.ycombinator.com/item?id=41030352

eBPF can cause Linux kernel panic

eBPF:

> The program does not crash or otherwise harm the system.

https://ebpf.io/what-is-ebpf/#verification

That’s a pretty big claim. If they have software that can guarantee a program will never crash it would be revolutionary, and could probably solve the halting problem.
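For readers weighing the "never crashes" claim against the halting-problem objection, here is an added toy model (not the real eBPF verifier, and not code from the thread) of how a load-time verifier can guarantee termination without solving the halting problem: it refuses to load anything it cannot prove terminates, so some programs that would in fact halt are rejected. The instruction format, constants and function names below are constructed for this illustration; the real verifier does far more (type and bounds tracking, and since kernel 5.3 acceptance of provably bounded loops by state simulation).

```python
# Toy conservative termination check. Assumed instruction format, constructed
# for this example and not real BPF bytecode:
#   ("op",)          placeholder arithmetic, falls through to the next index
#   ("jmp", target)  unconditional jump to absolute index
#   ("jcond", target) conditional jump: may go to target or fall through
#   ("exit",)        terminates the program

def successors(prog, pc):
    """Indices control flow may reach from instruction pc."""
    ins = prog[pc]
    if ins[0] == "exit":
        return []
    if ins[0] == "jmp":
        return [ins[1]]
    nxt = [pc + 1]                 # fall-through (may run off the end)
    if ins[0] == "jcond":
        nxt.append(ins[1])
    return nxt

def verify_terminates(prog):
    """Return (accepted, reason). Walk the control-flow graph from index 0
    and reject on any back edge (a reachable cycle is the only way to run
    forever in this model) or on control flow leaving the program. Because
    every accepted program is a DAG, acceptance implies termination; the
    price is that counted loops, which would halt, are rejected too."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = [WHITE] * len(prog)

    def dfs(pc):
        if pc >= len(prog):
            return f"control flow leaves the program at index {pc}"
        if color[pc] == GREY:
            return f"possible infinite loop: back edge to index {pc}"
        if color[pc] == BLACK:
            return None
        color[pc] = GREY
        for s in successors(prog, pc):
            err = dfs(s)
            if err:
                return err
        color[pc] = BLACK
        return None

    err = dfs(0)
    return (err is None, err or "all paths terminate")

# Constructed sample programs: a branch that always reaches exit, a loop
# (rejected even though a real counter might make it finite), and a
# program that falls off its end without an explicit exit.
STRAIGHT = [("op",), ("jcond", 3), ("op",), ("exit",)]
LOOP = [("op",), ("jcond", 0), ("exit",)]
FALL_OFF = [("op",)]
```

Running `verify_terminates` on the three samples accepts only `STRAIGHT`, which is exactly the conservative trade the verifier makes: soundness for accepted programs, not a decision procedure for all programs.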