• Yaztromo@lemmy.world
    link
    fedilink
    English
    arrow-up
    9
    ·
    4 months ago

    …until the CrowdStrike agent updated, and you wind up dead in the water again.

    The whole point of CrowdStrike is to be able to detect and prevent security vulnerabilities, including zero-days. As such, they can release updates multiple times per day. Rebooting in a known-safe state is great, but unless you follow that up with disabling the agent from redownloading the sensor configuration update again, you’re just going to wing up in a BSOD loop.

    A better architectural solution like would have been to have Windows drivers run in Ring 1, giving the kernel the ability to isolate those that are misbehaving. But that risks a small decrease in performance, and Microsoft didn’t want that, so we’re stuck with a Ring 0/Ring 3 only architecture in Windows that can cause issues like this.

    • nous@programming.dev
      link
      fedilink
      English
      arrow-up
      3
      ·
      4 months ago

      That assums the file is not stored on a writable section of the filesystem and treated as application data and thus wouldn’t survive a rollback. Which it likey would.