Channels
doorman
infrastructure
random
zercurity
community-feeds
fleet-dev
code-review
queryhub
apple-silicon
carving
tls
fim
goquery
zentral
aws
querycon
golang
zeek
file-carving
fuzzing
auditing-warroom
linen-dev
fleetosquery
plugins
jobs
arm-architecture
darkbytes
process-auditing
uptycs
android_tests
selfgroup
vendor-feeds
fleet
eclecticiq-polylogyx-extension
ebpf
website
core
general
macos
kolide
osctrl
extensions
foundation
sql
officehours
linux
windows
Title
m
matx
01/19/2022, 4:57 PMCan I replace commercial Linux AV software vendor with osquery and FleetDM specifically? Honest question 🙋♂️ (I have a use case. Current vendor software spikes cpu)
j
Jason
01/19/2022, 5:02 PMI don't know that it's really appropriate for a full AV solution. You'd need to register osquery to watch the whole filesystem (not recommended) and then write yara rules
it can be good for specific use cases, or threat hunting, but I personally wouldn't use it for "generic AV"
Whats your vendor ?
j
jlk
01/19/2022, 5:12 PMyou could probably get the osquery agent to chew a bunch of your CPU with the right query. Would that do? 😉
m
matx
01/19/2022, 5:25 PMYeah I've heard about cpu issues with various osquery queries too. 😔
Yeah it's not a drop in replacement, is it? Without rules and setup and managed queries coming from somewhere. There's no Auto Updating definitions and quarantining files etc?
j
jlk
01/19/2022, 5:28 PMoh I wasn't referring to osquery being a cpu hog, but the AV sw. As a security person, I don't think osquery will do what you want. I saw a FIM plugin the other day that might help. 1 sec..
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/ you could use that and then look for signs of abuse vs signs of malware, but...the core thing the AV companies provide is the signatures/patterns to find malware
j
Jason
01/19/2022, 5:32 PMYeah, osquery is good for FIM, but not really for AV.
FYI, we use SentinelOne for Linux and it's pretty decent.
👍 1
z
zwass
01/19/2022, 5:44 PMYou can also use yara with osquery to look for binary signatures. But I wouldn't argue that it's a drop-in replacement for AV.
m
matx
01/19/2022, 6:24 PMBitDefender is spiking Linux CPU. Looking for alternatives. Need managed cloud. Don't really want to write a lot of rules 🤷♂️
j
Jason
01/19/2022, 7:07 PM@matx you should really look at SentinelOne. Cloud-managed and every bit as good as Crowdstrike at a much more reasonable price point.
👍 1
If it were me, I'd rip and replace bitdefender for S1 any day (having used both).
k
Keith Swagler
01/20/2022, 4:02 PMOr depending on your use-case ClamAV provides classic signature matching with pretty good performance
but if you need something with heuristics or deeper visibility than bad files it won't be a good replacement