I've posed that question to host agent-based forensics vendors, with similar "magic" being touted as how they can still be trusted to return untainted data in the face of malicious kernel, or hardware, instrumentation.
On Thu, 14 May 2015 10:11:11 -0400 William Arbaugh <[email protected]> wrote:

> On May 14, 2015 at 9:28:43 AM, Anton Chuvakin ([email protected]) wrote:
>
>> On Mon, May 11, 2015 at 12:20 PM, Dave Aitel <[email protected]> wrote:
>>
>>> And I don't know any modern HIDS company willing to offer a solution that they would claim is resilient against an attacker who already has access to the platform and can prepare counter-measures. This is, as the NSA might put it, a "somewhat challenging problem to attack".
>>
>> You know, this question bugged me all the time while I was researching what we now call "the EDR space." How can those agents co-exist with an "advanced" attacker on the same endpoint and still deliver useful telemetry? It turned out that SOME of the vendors have in fact thought about it long and hard, and the list of tricks they use to keep reporting from the owned endpoint is long indeed. On the other hand, sad hilarity ensues when some formerly IT ops focused endpoint agents are repurposed for "APT IR"....
>
> Exactly - one of the big EDR vendors told me their product was a “rootkit” at RSA 2014.

-- 
_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
