
Most insurances expect you to have an AV installed.


Sometimes even on Linux servers, where the best an AV can do is take CPU and IO so that there's less for the malware.


McAfee is a magical product indeed. Not only does it ensure your Intel CPU is always enjoying the benefits of TurboBoost, but it also provides a faithful emulation of a 5400 RPM drive when using tmpfs. Marvelous technology. (And if you have a kernel-level problem, don't worry - the enterprise support you're paying so much for won't answer your calls, because McAfee taints the kernel).


Regarding Linux servers:

EP 10: MISADVENTURES OF A NATION STATE ACTOR

https://darknetdiaries.com/transcript/10/

NSA: So we’ve figured out here is the internet-facing box. The web server that they’re using was not patched, wasn’t updated, so I was able to actually use the known exploit to gain the right access to that machine. [MUSIC] Once I did that, I put an implant down on that machine because it was pretty safe. It was actually a Linux server and the nice thing about Linux is no antivirus, right? I’m not super concerned. Especially because it’s a web server, I don’t worry about a user seeing the screen and using it and see something weird going on. But anyway, so I get down on that box, sit there for a little bit. Everything looks pretty good. There’s not much to see; it’s a web server and it’s got a website on it, got a database back end to it. Not a whole lot going on.


A Linux virus that Just Works... I don't see it happening. Maybe if your distro officially supports it; otherwise there will be missing libraries or incorrect drivers.


It’s also part of Windows hardening standards that are then pulled into compliance frameworks.

My company installs at least 3 antimalware/security management products that cripple, I mean, protect endpoint systems. 2 vendors. None of them are integrated with each other. So files and executables are all scanned 3x. Git runs abysmally slow because of all the processes involved and tiny files.

One of the reasons I run the paperwork gauntlet to run a Mac. Windows is crippled, Linux is banned on endpoints, so Mac it is. I have to run 1 AV, but it doesn’t do a lot. And I love Apple kicking everyone out of the kernel over time (except VirtualBox, that’s annoying).

Luckily it’s mostly an application-level concern on Linux. Scanning files and such on file servers, mail gateways, etc., ultimately protecting Windows systems w/ normal user processes not all up in my kernel, and on limited systems. It actually kinda makes sense.

Now, commercial IDS/IPS, I don’t even want to know how those are architected. I haven’t touched an OSS one (Snort) in years.

If I won the lottery, it would be kind of fun to just sit and find horrific exploits in these things.


You must work where I work. Symantec Endpoint Protection (of course set to scan at any access), CarbonBlack, Avecto, etc etc etc. And because the people complain about it they install stuff like Nexthink to diagnose performance issues.

Eventually you end up with a system that has so much latency on every I/O operation and over 60 ETW traces running that you can't even run or finish a WPR trace.


LOL. Different batch of software.

I think this experience is called “enterprise.”

MS really shot themselves in the foot adding the ability for stuff to insert itself into I/O that easily.


Does Windows Defender not count?


It should count, and this is what I would recommend to use.


And MRT (Malware Removal Tool, catchy) on the Mac.



