Hacker News
by ctxc 692 days ago
The application (Crowdstrike) was part of Windows' booting process.

Windows cannot simply "skip" failed drivers. Say the Crowdstrike driver failed as a one-time thing, Windows skipped it instead of retrying, which led to the endpoint being vulnerable, and a ransomware attack happens. We'd be saying the opposite now.

This is a high-impact ability Windows offers to applications - and applications should take responsibility and treat it as such.

I spoke to another EDR lead I know - they said they had provisions in place to read the dump if boot crashed, check if it was due to their driver and skip it if it was (and then send telemetry after startup so that it can be fixed, probably). Crowdstrike should have done the same.

One more thing to note is that we cannot say Windows shouldn't provide this ability - that becomes an anti-trust/monopoly issue, because MS themselves are a competitor in this space.

1 comment

But then again ransomware would happen like you said if they skipped it? And ransomware sounds even worse.

The difference is that if Windows does the skipping then you probably don't find out until it's too late; if the application does the skipping there is the opportunity to set up alerting so you can fix whatever went wrong.

Do you mean that the skip would be manually approved after telemetry is sent and folks on-call paged? Then that sounds like it could be viable and a good idea, yes.

But there's always a chance that the skipping mechanism could break as well. And there must be some form of networking available to be able to send that and ask for approval.

Exactly! On skipping mechanism breaking - I mean, anything could break. Boils down to design and testing like all things.

One change - this approval and telemetry doesn't happen during the boot loading process. It's just logged and skipped.

Once bootup is done, the EDR app auto-starts, checks logs for anomalies and sends telemetry over whenever the network is available (it usually is, because they update malware signatures etc. frequently). Someone at the company gets paged, they fix it and the process continues.
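The mechanism sketched in the top post (read the dump after a boot crash, skip the driver if the crash was ours) and refined in the replies (nothing is approved during boot; the skip is logged, and the user-mode service sends telemetry once the network is up) can be modelled as a small state machine. The following is an added example written for this page, not CrowdStrike's code nor the other EDR vendor's implementation. The driver name, the state and queue file names, and the crash-dump summary dict are all assumptions standing in for a boot-readable registry key and the real minidump header. Two details a practitioner would want that the thread does not spell out: the loader needs a persisted "armed" marker so it can tell that the previous boot never completed at all (a dump alone does not say which boot it came from), and the dump must name the driver and belong to that same boot, otherwise a stale dump from an older crash would wrongly disable the sensor. Whatever source feeds the dump summary in a real system must not be writable by user-mode code, or the skip path becomes a way for malware to switch the EDR off.

```python
import json
from pathlib import Path
from tempfile import TemporaryDirectory

OUR_DRIVER = "edr-sensor.sys"        # hypothetical driver name used by this model
STATE_FILE = "boot-state.json"       # stand-in for a registry key readable pre-boot
QUEUE_FILE = "telemetry-queue.json"  # stand-in for an on-disk event queue
FRESH_STATE = {"boot_seq": 0, "armed": None, "disabled": False}


def _load(path, default):
    return json.loads(path.read_text()) if path.exists() else default


def _save(path, obj):
    path.write_text(json.dumps(obj))


def early_boot(root, dump_summary):
    """Loader step that runs before the EDR driver is started.

    dump_summary is a constructed stand-in for the last crash dump's header,
    e.g. {"bugcheck": "0x50", "faulting_module": "edr-sensor.sys", "boot_seq": 1},
    or None when no dump exists. Returns "load" or "skip".
    """
    root = Path(root)
    state = _load(root / STATE_FILE, dict(FRESH_STATE))
    queue = _load(root / QUEUE_FILE, [])
    state["boot_seq"] += 1

    if state["disabled"]:
        # Operator has not yet shipped a fix: keep the driver off, keep a record.
        queue.append({"event": "driver_skipped", "reason": "awaiting_fix"})
        decision = "skip"
    elif state["armed"] is not None:
        # Marker never cleared, so the previous boot did not complete. Blame our
        # driver only if the dump names it AND belongs to that boot; a stale
        # dump from an older crash must not disable the sensor.
        ours = (dump_summary is not None
                and dump_summary.get("faulting_module") == OUR_DRIVER
                and dump_summary.get("boot_seq") == state["armed"])
        if ours:
            state["disabled"] = True
            queue.append({"event": "driver_crashed_on_boot", "dump": dump_summary})
            decision = "skip"
        else:
            # Power loss or another component's fault: load normally, but note it.
            queue.append({"event": "incomplete_boot_not_ours", "dump": dump_summary})
            decision = "load"
    else:
        decision = "load"

    # Re-arm only when we actually load the driver this boot.
    state["armed"] = state["boot_seq"] if decision == "load" else None
    _save(root / STATE_FILE, state)
    _save(root / QUEUE_FILE, queue)
    return decision


def boot_completed(root):
    """Called by the user-mode service once the system is up: clears the marker."""
    root = Path(root)
    state = _load(root / STATE_FILE, dict(FRESH_STATE))
    state["armed"] = None
    _save(root / STATE_FILE, state)


def drain_telemetry(root, network_up):
    """Send queued events when the network is available; returns what was sent."""
    root = Path(root)
    queue = _load(root / QUEUE_FILE, [])
    if not network_up or not queue:
        return []
    _save(root / QUEUE_FILE, [])
    return queue


def operator_fix_applied(root):
    """After the fixed driver is installed, allow loading again on the next boot."""
    root = Path(root)
    state = _load(root / STATE_FILE, dict(FRESH_STATE))
    state["disabled"] = False
    _save(root / STATE_FILE, state)


def simulate():
    """One bad-update cycle; returns (load decision per boot, events sent)."""
    with TemporaryDirectory() as root:
        decisions = [early_boot(root, None)]           # boot 1: loads, then crashes
        bad = {"bugcheck": "0x50", "faulting_module": OUR_DRIVER, "boot_seq": 1}
        decisions.append(early_boot(root, bad))         # boot 2: dump is ours -> skip
        boot_completed(root)
        sent = drain_telemetry(root, network_up=True)   # service sends, someone is paged
        decisions.append(early_boot(root, bad))         # boot 3: still awaiting fix
        boot_completed(root)
        operator_fix_applied(root)
        decisions.append(early_boot(root, bad))         # boot 4: fixed driver loads
        boot_completed(root)
        return decisions, sent


def decision_after_incomplete_boot(dump_summary):
    """Boot once without completing, then boot again with the given dump summary."""
    with TemporaryDirectory() as root:
        early_boot(root, None)
        return early_boot(root, dump_summary)
```

Running `simulate()` gives `["load", "skip", "skip", "load"]` with exactly one `driver_crashed_on_boot` event sent after boot 2; `decision_after_incomplete_boot` shows that a dump blaming another module, a dump from an earlier boot, or no dump at all leaves the driver loading. The point of the design is that the only thing happening during boot is a local comparison and a file write; approval, paging and the fix all happen later in user mode, which is what lets it work without network at boot time.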