a malware killing an extension might as well just kill osquery itself, so I don't think it changes much whether it's in core or not
puffycid
10/23/2021, 7:57 PM
yes, I agree malware/hands-on-keyboard attacker can kill osquery/extensions
I was referring to the osquery watchdog killing an extension in the middle of collection while investigating a system with attacker activity or a malicious file installed
alessandrogario
10/23/2021, 11:12 PM
The kill will happen anyway, whether it's core or an extension; if it is an extension at least the core will keep running while the extension is restarted