by lanstin 661 days ago
This article seems to be an example of how some common security practices are kind of surface level. If you want to limit what a box can access on the network, do it in the network. Why is security looking for bad URLs in the argv; if you know they are bad, just block them? Or better yet, if they aren't good, don't allow them. And if you want to know what a process is doing, ask the kernel to log its syscalls. If you take away argv[0] you will lose some valuable stuff (cute little busybox links, error logs that have argv[0] in them), and attackers will just name payload.exe ls.exe. And if your network is allow all, they will still reach CNC or collector end point.

Seriously: Their reason is basically "argv[0] is bad because security snake oil software is garbage":

1) Oh no, the only protection is looking at argv[0]. What kind of clown software is that? Software that notably runs on an already compromised system.

2) No need for argv[0] to fool software that concats argv values with spaces: just run 'curl -o "test.txt |grep" 1.1.1.1'

3) A long argument messes up telemetry? Let's hope that bucket doesn't have more holes.

These are all very realistic examples. Should they happen? No, but reality is messy and imperfect. The crappy software you describe would not exist if there were great solutions in this space.
There are better solutions than that. Off the top of my head, on Linux, you could get what the article is asking for by doing a readlink on /proc/self/exe.

The crappy software exists because the people who write it don't have any idea what they're doing. And the reason for that is that the people who found companies in the security space have discovered that nobody can tell whether their products really work or not, so they can save money on talent and training.
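The readlink-on-/proc/self/exe point above, worked into a small defender-side check as an added example (not code from any commenter): it reads a process's cmdline NUL-separated instead of space-joined, resolves the binary the kernel actually mapped, and treats an argv[0]/exe mismatch as a signal while allowing for busybox-style multi-call binaries. SAMPLE_CMDLINE and MULTICALL_BINARIES are constructed for the example.

```python
import os
from typing import Optional

# Constructed sample of /proc/<pid>/cmdline (NUL-separated argv). The third
# element holds a space and "|grep"; splitting on NUL keeps it one argument.
SAMPLE_CMDLINE = b"curl\x00-o\x00test.txt |grep\x001.1.1.1\x00"
# Multi-call binaries such as busybox legitimately run with argv[0] != exe.
MULTICALL_BINARIES = {"busybox"}

def parse_cmdline(raw: bytes) -> list:
    """Split cmdline bytes the way the kernel stored them: on NUL."""
    parts = raw.split(b"\x00")
    if parts and parts[-1] == b"":  # drop the trailing terminator
        parts.pop()
    return [p.decode("utf-8", "replace") for p in parts]

def real_exe_path(pid: int) -> Optional[str]:
    """Resolve /proc/<pid>/exe; None if the process is gone or unreadable."""
    try:
        path = os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None
    # The kernel appends " (deleted)" when the binary was unlinked after exec.
    return path[:-len(" (deleted)")] if path.endswith(" (deleted)") else path

def argv0_mismatch(argv0: str, exe_path: str) -> bool:
    """True when the claimed name differs from the mapped binary; a signal, not proof."""
    actual = os.path.basename(exe_path)
    if actual in MULTICALL_BINARIES:
        return False
    return os.path.basename(argv0) != actual

def inspect_pid(pid: int) -> Optional[dict]:
    """Telemetry record built from the kernel's view instead of trusting argv[0]."""
    exe = real_exe_path(pid)
    if exe is None:
        return None
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            argv = parse_cmdline(f.read())
    except OSError:
        return None
    argv0 = argv[0] if argv else ""
    return {"pid": pid, "exe": exe, "argv": argv,
            "argv0_mismatch": argv0_mismatch(argv0, exe)}

if __name__ == "__main__":
    print(parse_cmdline(SAMPLE_CMDLINE))
    print(inspect_pid(os.getpid()))
```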

Yes, they are realistic. No, you shouldn't change your system to satisfy clown development dynamics.

And just as a warning, if you insist on doing so, the rules will get ever more complicated. Expect to not be able to achieve anything at all very soon.

If Crowdstrike is an example, then that's not true. Instead, success is not gated by rule quality, and you can get to global scale without a signal as to whether your rules are actually good or effective. And then someone publishes a new template and boom, Delta grounds their planes for days.