Hacker News new | ask | show | jobs
by wkat4242 700 days ago
It's more nuanced than that. They have to provide the same APIs to third party security vendors that they use themselves.

They can come up with something more shielded as Apple has done, they just have to eat their own dog food and can't make an exception for defender. That's all.

Blaming the EU here is pure spin.
2 comments
dathinab 700 days ago
yes (it's a spin) also e.g. on Linux Falcon could have conceptual created the same kind of driver as for windows but opted to use eBPF

for a lot of things on Windows there isn't anything like eBPF (yet, it's wip, but likely will still take quite a while until it's usable)

the EU spin would only work if CrowdStrict is fully incompetent like a lot of people want you to believe. I.e. they don't do any testing, don't do any config validation and doesn't know what they are doing at all

but that simply isn't true at all

This doesn't mean that they didn't act negligent, as far as we can tell they relied on some data format validation instead by their server + signing (or something similar) instead of _also_ having robust parsing and that is enough against best practices to be called negligent. And there were other points which bubbled up in the last week which point to other negligent behavior unrelated to the bug. But company ending up with some negligent behavior and them being fully incompetent are very far away, let's be honest most IT companies today have ended up with some negligent behavior they have lite direct/short term/fast feedback motivation to fix (hence it doesn't happen)

link
TillE 700 days ago
And Microsoft doesn't even offer the option of userspace anti-malware hooks, which they could easily do in conjunction with the kernel stuff. I think all they have is AMSI, which is only for scanning PowerShell scripts and such.

If you want to hook process execution or file access, you're writing a kernel driver.

link
wkat4242 700 days ago
Yes indeed. But the point they keep making is that the agreement with the EU somehow stopped them from doing this. Which is BS.

They could easily have added a userspace API if they wanted to. It could have existed side by side with the kernel option, as long as they keep using that for Defender too. Only once they stop using kernel access in their own security products can they force the other vendors to use a new API, which makes sense. Otherwise they'd use it as a sales bullet point ("Our product has full system access, others don't"). Which would destroy the antimalware market. The US benefits from this too.

link