• Yaztromo@lemmy.world
    1 month ago

    You don’t have to run in Ring 0 to detect events occurring in Ring 0.

    Besides which, as kexts are being obsoleted by Apple, getting code to run inside Ring 0 in macOS that isn’t from Apple itself is going to be extremely difficult.

    • yeehaw
      1 month ago

      Right, but part of the appeal of tools like CrowdStrike and SentinelOne is that they can stop them when they’re in Ring 0. And roll back changes. Etc.