# fleet
m
Can I replace commercial Linux AV software vendor with osquery and FleetDM specifically? Honest question 🙋‍♂️ (I have a use case. Current vendor software spikes cpu)
j
I don't know that it's really appropriate for a full AV solution. You'd need to register osquery to watch the whole filesystem (not recommended) and then write yara rules
it can be good for specific use cases, or threat hunting, but I personally wouldn't use it for "generic AV"
What's your vendor?
j
you could probably get the osquery agent to chew a bunch of your CPU with the right query. Would that do? 😉
m
Yeah I've heard about cpu issues with various osquery queries too. 😔
Yeah, it's not a drop-in replacement, is it? Not without rules and setup and managed queries coming from somewhere. There are no auto-updating definitions, quarantining of files, etc.?
j
oh I wasn't referring to osquery being a cpu hog, but the AV sw. As a security person, I don't think osquery will do what you want. I saw a FIM plugin the other day that might help. 1 sec..
https://osquery.readthedocs.io/en/stable/deployment/file-integrity-monitoring/ you could use that and then look for signs of abuse vs signs of malware, but...the core thing the AV companies provide is the signatures/patterns to find malware
j
Yeah, osquery is good for FIM, but not really for AV.
FYI, we use SentinelOne for Linux and it's pretty decent.
z
You can also use yara with osquery to look for binary signatures. But I wouldn't argue that it's a drop-in replacement for AV.
m
BitDefender is spiking Linux CPU. Looking for alternatives. Need managed cloud. Don't really want to write a lot of rules 🤷‍♂️
j
@matx you should really look at SentinelOne. Cloud-managed and every bit as good as CrowdStrike at a much more reasonable price point.
If it were me, I'd rip and replace bitdefender for S1 any day (having used both).
k
Or, depending on your use case, ClamAV provides classic signature matching with pretty good performance,
but if you need something with heuristics or deeper visibility than bad files, it won't be a good replacement.