#fleet
matx

01/19/2022, 4:57 PM
Can I replace commercial Linux AV software vendor with osquery and FleetDM specifically? Honest question 🙋‍♂️ (I have a use case. Current vendor software spikes CPU.)
Jason

01/19/2022, 5:02 PM
I don't know that it's really appropriate for a full AV solution. You'd need to register osquery to watch the whole filesystem (not recommended) and then write YARA rules.
5:03 PM
it can be good for specific use cases, or threat hunting, but I personally wouldn't use it for "generic AV"
5:03 PM
What's your vendor?
jlk

01/19/2022, 5:12 PM
you could probably get the osquery agent to chew a bunch of your CPU with the right query. Would that do? 😉
matx

01/19/2022, 5:25 PM
Yeah, I've heard about CPU issues with various osquery queries too. 😔
5:27 PM
Yeah, it's not a drop-in replacement, is it? Not without rules, setup, and managed queries coming from somewhere. There's no auto-updating of definitions, quarantining of files, etc.?
jlk

01/19/2022, 5:28 PM
Oh, I wasn't referring to osquery being a CPU hog, but the AV software. As a security person, I don't think osquery will do what you want. I saw a FIM plugin the other day that might help. 1 sec..
5:29 PM
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/ You could use that and then look for signs of abuse vs. signs of malware, but... the core thing the AV companies provide is the signatures/patterns to find malware.
Jason

01/19/2022, 5:32 PM
Yeah, osquery is good for FIM, but not really for AV.
5:33 PM
FYI, we use SentinelOne for Linux and it's pretty decent.
zwass

01/19/2022, 5:44 PM
You can also use yara with osquery to look for binary signatures. But I wouldn't argue that it's a drop-in replacement for AV.
matx

01/19/2022, 6:24 PM
BitDefender is spiking Linux CPU. Looking for alternatives. Need managed cloud. Don't really want to write a lot of rules 🤷‍♂️
Jason

01/19/2022, 7:07 PM
@matx you should really look at SentinelOne. Cloud-managed and every bit as good as CrowdStrike at a much more reasonable price point.
7:08 PM
If it were me, I'd rip and replace Bitdefender for S1 any day (having used both).
Keith Swagler

01/20/2022, 4:02 PM
Or, depending on your use case, ClamAV provides classic signature matching with pretty good performance.
4:03 PM
But if you need something with heuristics or deeper visibility than bad files, it won't be a good replacement.