CrowdStrike Proves Why Kernel-Level Anti-Cheat is a BAD Idea

What the CrowdStrike incident tells us about installing things into your kernel.

Sources (some didn't make it into the video):

Comments
Author

Kernel-level anti-cheat was abused by ransomware already; Genshin Impact's anti-cheat driver was infected and was spread to other PC systems. It happened 2 years ago.
Edit: OK, I wrote this when he said that kernel-level anti-cheat wasn't broken yet, but at the end he mentions the Genshin Impact ransomware issue.

thalzamar
Author

At 11:50, like VPNs saying "Trust me bro, no logs!" Riiiight.... lmao. My first thought the morning I heard about CrowdStrike's kernel-level patch was: if malicious actors hack their servers (and others), they could spread their code onto millions of high-value targets. smh

BillAnt
Author

Given that it's a security module, if you allow it to be bypassed by crashing it, that makes it somewhat simple, imo, for hackers to disable it and work around it. The degraded mode would introduce the same problems, because you cannot allow unsecured machines to access the network, and that is their primary purpose these days.
IMO the biggest issue is hospitals, airlines and essential services being this reliant on computers and having no failsafe of their own.

SXZ-dev
Author

Thanks for raising this topic. Never playing anti-cheat games. Don't see why Linux bent the knee to anti-cheat either, but muh freedom, I guess.

bobmcbob
Author

BTW, some time ago I had an argument on one Discord where an admin used the argument "every kernel driver is signed by MS and tested", so I told him about CrowdStrike, but he probably doesn't understand what is an engine and what is just a driver in the kernel.
Vanguard, ESEA, EAC are also engines; when you log the communication between the PC and the servers you can find modules sent to the kernel AC.
AND BTW, after the 24H2 patch for Windows, every PC with a new Windows install is going to have BitLocker BS enabled.

KS-eprx
Author

"CrowdStrike was an antivirus of sorts, so it had to run via kernel" -- I don't remember who said that... sadly...

heckerhecker
Author

Always with the best takes. Love your videos

alistair
Author

Gamers: "Kernel-level anti-cheat modules are a BAD idea because..."
Normal people: "Nah that will never happen"
Crowdstrike: "Hold my beer."

Sollace
Author

There's one thing, though. I can't remember the name of the video or who made it, but it is on here, and supposedly this update was all 0s as well, or at least along those lines... Which, yes, is a problem.

Matt
Author

6:55
I really hope there's no 'Quadruple A' anti-cheat there T.T

muhammadyusoffjamaluddin
Author

Holy fuck, I had a panic attack a couple of days ago when my PC booted slower than it would with an HDD and was getting literally 2 fps. Turns out it's because of the CrowdStrike thing and because I downloaded a game with kernel anti-cheat the night before.

sb-or
Author

No idea why, but this video in particular keeps freezing when I click on it, and gives me mobile game ads. I'm on Brave, so this is strange, but it being exclusive (at least so far) to this video is very curious.

bogartwilley
Author

This video is very misinformed.
Yes, I agree that CS Falcon's DSL parser (the module where the crash originated) should have been running in user mode, but Falcon is not "some junk that's running at kernel level." It's effectively antivirus software and thus it NEEDS to be running at the kernel level to keep both the system and itself safe from threats.
As for anti-cheats, I personally do not like that most of them run at kernel level, but I acknowledge that they tend to be more effective when running at the kernel level.

Also, in regards to the boot looping caused by Falcon, the reason is that the Falcon kernel driver is marked as "boot required," meaning Windows is not allowed to boot without loading the module (with the exception of safe mode). If it were not marked as boot required, the kernel module would have been automatically disabled on the next reboot. This information is important because you don't want a threat actor to disable your corporate antivirus by causing it to crash Windows.
Kernel-level game anti-cheats currently are not marked as boot required because that would probably cause some insanely bad PR for them, and their reputation is probably more fragile than CrowdStrike's.

Zullfix
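The "boot required" behaviour discussed in the comment above maps onto two per-driver registry values that Windows uses when deciding whether to load a driver and what to do if loading fails: Start (boot-start drivers load before anything else) and ErrorControl (whether a load failure is ignored, logged, or fails the boot). The following PowerShell is an added example written for this page, not code from the video or from any commenter; it enumerates the boot-time kernel drivers on the host it runs on. The service name CSAgent for the Falcon sensor driver is an assumption that should be checked locally.

```powershell
# Added example (not from the video or any commenter): list the kernel drivers
# configured to load at boot, with the ErrorControl value that decides what
# happens when the driver cannot be loaded.
# Registry layout (documented by Microsoft): HKLM\SYSTEM\CurrentControlSet\Services\<name>
#   Type         1 = kernel driver, 2 = file-system driver (services use other values)
#   Start        0 = Boot, 1 = System, 2 = Automatic, 3 = Manual, 4 = Disabled
#   ErrorControl 0 = Ignore, 1 = Normal (log and continue),
#                2 = Severe (restart with Last Known Good), 3 = Critical (fail the boot)
# Run from an elevated PowerShell session.

$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }
$errNames   = @{ 0 = 'Ignore'; 1 = 'Normal'; 2 = 'Severe'; 3 = 'Critical' }

function Get-BootTimeDrivers {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # Keep only kernel/file-system drivers that load before the logon screen.
        if (($p.Type -in 1, 2) -and ($p.Start -in 0, 1)) {
            [pscustomobject]@{
                Name         = $_.PSChildName
                Start        = $startNames[[int]$p.Start]
                ErrorControl = $errNames[[int]$p.ErrorControl]
                ImagePath    = $p.ImagePath
            }
        }
    }
}

# Drivers whose load failure is Severe/Critical are the ones a failed update can
# turn into a boot problem; list those first.
Get-BootTimeDrivers | Sort-Object ErrorControl -Descending | Format-Table -AutoSize

# The same two values for one driver by service name. 'CSAgent' is assumed to be
# the Falcon sensor driver service; confirm with `sc.exe query` on your own host.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\CSAgent' -ErrorAction SilentlyContinue |
    Select-Object Start, ErrorControl, ImagePath
```

One caveat when reading the output: ErrorControl only governs what Windows does when the driver fails to load. A boot-start driver that loads successfully and then bug-checks the kernel during early boot produces a restart loop regardless of that value, because the driver is loaded again on every boot; that is why the recovery path for an affected machine goes through Safe Mode or the recovery environment, where the driver is not loaded and the offending content file can be removed.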
Author

I have never played Valorant, and I will never play it!

MaxAsMax
Author

EA WRC's new update includes kernel anti-cheat. So sad.

micahtron
Author

Dude, that's not an anti-cheat, it's a security system made to protect companies against hackers; of course it can and SHOULD have access to kernel level.

MerlinSAM
Author

All this incident proves is that if you are developing software that runs in ring zero and below, you should be held to a higher level of scrutiny and probably even vetted individually by Microsoft or some alliance of companies. Also, good luck creating a useful antivirus that doesn't live in the kernel; there is a reason they do it, and it is not because the engineers were bored.

lbgstzockt
Author

Everything is open source if you know asm.

izBrnDD
Author

You should look into Valorant and the data it collects.

thehint
Author

There is no getting around the fact that both antivirus and anticheat need to run in kernel space, otherwise they are completely ineffective. We were always going to end up here in the arms race between malicious software and the software to defeat it.

darrell