by atgreen 37 days ago
Don't disagree, but there are eBPF mitigations that work as alternatives to unloading kernel modules.

Can you elaborate on that?
I was aware of commercial antivirus vendors (Crowdstrike) doing something like this, but this is the first I've seen it published by somebody in the open!

Have you considered writing up a blog post and submitting this to HN?

Thanks!

From the sound of it, the same mitigations for Copy Fail 1 are also effective here.

No, they are different. I just bundled them together for convenience in this POC. The only real thing in common is that they both use eBPF.
Got it, thanks!