Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How did Microsoft put it on the Windows critical path? (Informational question—I’m not following the issue super closely, but I thought CrowdStrike was a third-party system. Crowdstrike was wrong to put so much code in the kernel. Microsoft was reportedly legally bound to provide this access and allow third-party code to run in the kernel.)


There was an interesting article that these third parties who lobbied to run in the kernel and microsoft acquiesced about 20 years ago which led us down this path. https://web.archive.org/web/20061023112233/http://software.s...


If you dig a little more about what this is talking about, Microsoft did not actually make any kernel related changes.

This was just Symantec and McAffee ranting about PatchGuard and MS did not remove it.


Microsoft added a feature to Windows that allows specially-signed antimalware drivers to be loaded extremely early in the boot sequence and be marked as non-optional. The idea is to give antimalware drivers the opportunity to load first, before anything else has had the chance to start.

Furthermore, if a driver is marked as optional and crashes, Windows can reboot with that optional driver disabled next time, preventing infinite crash/boot loops. Obviously that's no good if your antimalware driver gets disabled, so they can mark theirs as "required." Obviously in the CrowdStrike case, we got the worst of both worlds.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: