• yeehaw
    link
    fedilink
    arrow-up
    1
    ·
    4 months ago

    I see. How effective is a security tool that can’t stop malicious software that makes itself in ring 0?

    • Yaztromo@lemmy.world
      link
      fedilink
      arrow-up
      1
      ·
      4 months ago

      You don’t have to run in Ring 0 to detect events occurring in Ring 0.

      Besides which, as kexts are being obsoleted by Apple getting code to run inside Ring 0 in macOS that isn’t from Apple itself is going to be extremely difficult.

      • yeehaw
        link
        fedilink
        arrow-up
        1
        ·
        4 months ago

        Right, but part of the appeal of tools like crowd strike and sentinelone is that they can stop them when they’re in ring 0. And rollback changes. Etc.