This is something funny to say when the inputs contain malware signatures, which are essentially determined by the malware itself.

I mean, how hard would it be to craft a malware that has the same signature as an important system file? Preferably one that doesn't cause immediate havoc when quarantined, just a BSOD after reboot, so it slips through QA.

Even if the signature is not completely predictable, the bad guys can try as often as they want and there would not even be way to detect these attempts.

No they're not. The tool vendor decides the signature, they pick something characteristic that the malware has and other things don't, that's the whole point.

> how hard would it be to craft a malware that has the same signature as an important system file?

Completely impossible, unless you mean, like, bribe one of the employees to put the signature of a system file instead of your malware or something.

Sure, but they do it following a certain process. It's not that CrowdStrike employees get paid to be extra creative in their job, so you likely could predict what they choose to include in the signature.

In addition to that, you have no pressure to get it right the first time. You can try as often as you want and analyzing the updated signatures you even get some feedback about your attempts.

Which is going to include checking that it doesn't match any OS files.

> You can try as often as you want and analyzing the updated signatures you even get some feedback about your attempts.

As others said, probably only if you can reverse a hash function.

One of the event you can get from the Crowdstrike server runs an arbitrary shell command.

https://www.crowdstrike.com/tech-hub/endpoint-security/the-p...

Like, «We require that your employees opens only links on white list, and social networks cannot be put on this list, and we require managed antivirus / firewall solution, but we are Ok that this solution has backdoor directly for 3rd party organization»?

It is crazy. All these PCI DSS and SOC2 looks like a comedy if they allow such things.

It's an absolute necessity: you can manage Windows updates and a limited set of other updates via things like WSUS. Back when I was at this employer, Adobe Flash and Java plug-in attacks were our largest source of infection. The only way to reliably get those updates installed was to configure everything to run the installer if an old version was detected, and then find some other ways to get it to run.

To do this, we'd often resort to scripts/custom apps just to detect the installation correctly. Too often a machine would be vulnerable but something would keep it from showing up on various tools that limit checks to "Add/Remove Programs" entries or other mechanisms that might let a browser plug-in slip through, so we'd resort various methods all the way down to "inspecting the drive directory-by-directory" to find offending libraries.

We used a similar capability all the way back in the NIMDA days to deploy an in-house removal tool[1]

[0] Symantec Endpoint Protection and System Center Configuration Manager

[1] I worked at a large telecom at that time -- our IPS devices crashed our monitoring tool when the malware that immediately followed NIMDA landed. The result was a coworker and I dissecting/containing it and providing the findings to Trend Micro (our A/V vendor at the time) maybe 30 minutes before the news started breaking and several hours before they had anything that could detect it on their end.