Neither. The problem is with CrowdStrike and the EU antitrust accusations against Windows. Microsoft attempted to introduce an API to prevent such issues, but the regulatory hurdles faced from the European Union, which deemed it anticompetitive, cause Microsoft to back off.
I don't have an answer but I found some interesting related items while looking into this.
My guess from the bolded sentence is that you might not be able to simply “look” and see what things are running in ring 0.
it's difficult for a security monitor to be effective without fairly privileged access. So always going to be a point of concern.
I got curious and had a look at a folder named like the one referenced in your registry to see what's in it, if it had a .sys file:The other interesting thing I found was when I poked around in Sysinternals Autoruns.
Based in this, it seems like Windows Defender might be structured in such a way where each definition update is itself a driver. This is in contrast to Crowdstrike Falcon where their “driver” that is running in ring 0 reads in its update files.
I don't intend that to be a direct comparison between the two since...as we've all come to know...Crowdstrike's product isn't really the same as a “definition-based” antimalware product. I just found this discovery about Defender interesting and possibly something to look for with third party “traditional” antimalware products.
maybe this: https://support.microsoft.com/en-us...-windows-97fbc472-c603-9d90-91d0-1166d1d9f4b5I got curious and had a look at a folder named like the one referenced in your registry to see what's in it, if it had a .sys file:The other interesting thing I found was when I poked around in Sysinternals Autoruns.
Based in this, it seems like Windows Defender might be structured in such a way where each definition update is itself a driver. This is in contrast to Crowdstrike Falcon where their “driver” that is running in ring 0 reads in its update files.
I don't intend that to be a direct comparison between the two since...as we've all come to know...Crowdstrike's product isn't really the same as a “definition-based” antimalware product. I just found this discovery about Defender interesting and possibly something to look for with third party “traditional” antimalware products.
Apparently not.
What this all means, if anything, I'm afraid I have no idea. Anyone?
I automatically turn on hidden files as part of initial Windows setup. I see .sys files elsewhere just fine.maybe this: https://support.microsoft.com/en-us...-windows-97fbc472-c603-9d90-91d0-1166d1d9f4b5I got curious and had a look at a folder named like the one referenced in your registry to see what's in it, if it had a .sys file:The other interesting thing I found was when I poked around in Sysinternals Autoruns.
Based in this, it seems like Windows Defender might be structured in such a way where each definition update is itself a driver. This is in contrast to Crowdstrike Falcon where their “driver” that is running in ring 0 reads in its update files.
I don't intend that to be a direct comparison between the two since...as we've all come to know...Crowdstrike's product isn't really the same as a “definition-based” antimalware product. I just found this discovery about Defender interesting and possibly something to look for with third party “traditional” antimalware products.
Apparently not.
What this all means, if anything, I'm afraid I have no idea. Anyone?
I follow the channel and respect the owner. His analysis is helpful. But, his statements don't always align with the statements of CrowdStrike. He claims it was a null file. Crowdstrike says it was a logic flaw. There's no advantage for CS to claim a logic flaw if it really was nulled file.
Be careful when blaming the victim. Where I work, we don't automatically install the latest file from CrowdStrike. We use n-1 for some machines and n-2 for others. We (people smarter than me) planned for this exact situation. We still got hit, hard.
FWIW I went and actually checked the location Autoruns told me in File Explorer. I do indeed see the reported .sys file.
I have no idea what's happening, but I'll investigate further tomorrow.
All fair questions. Where I work, we don't install the latest file. Depending on the system, it's n-1 or n-2. We do this to protect against the exact scenario that happened last week, yet we got hit very hard. We weren't the only ones.
Translation to English, they don't do Puppyfood testing after all, but will be going forward...
Suggestion, no disrespect, do your own testing. On all products, not just CS. Create a mock "Dev" environment, think an island, that represents your enterprise at a small scale, and use it for testing.
No.
I think it is an obvious given that the cause is way complicated at the programing level and yet, from all the detailed posting on this event, it was and is a lack of due diligence that allowed this to happen. The most summary statement from the aristech article is, "In addition to this preliminary incident report, CrowdStrike says it will release "the full Root Cause Analysis" once it has finished investigating the issue."
