This fellow is a retired MS engineer who gives a seemingly good rundown of technical details behind the CrowdStrike BSODs. Apparently CrowdStrike uses an MS-signed kernel driver that was not directly updated itself. Instead it was fed a corrupted virus definition file, which resulted in a BSOD (aka kernel panic).
Towards the end he mentions that MS did try to move security functionality to user mode, but it was blocked by EU regulators as ‘anti-competitive.’ Can anyone else verify this? It sounds like a very strange decision if true.
3 Likes
Everyone: Hey Microsoft, is this your fault?
Microsoft: Look over there, a llama!
I feel that it's somewhat of a mischaracterisation.
- The agreement was more about stopping Microsoft from enforcing the use of Internet Explorer and Edge. If you want to read about it from source documents, have a look at the EU documentation.
- The problem in the security space lies in how Microsoft would be the only security provider to have access to the kernel and no one else. This would give Microsoft a monopoly over having the ability to detect security events and respond to them compared with other EDR and AV tools.
The opposite is true with iOS, for example, where developers were/are forced to use Safari’s WebKit as a backend to their own browser (for example Chrome and Firefox).
2 Likes