imagladry

ianbetteridge said:

M68000 said:

This seems to be totally a QA testing issue.  Was any testing done? 

So the answer to this is, "it's complicated". Some of this is going to be a bit simplified, but it's accurate enough.

Software on Windows can run in two modes: kernel mode; and user mode. User mode software shouldn't ever be able to cause a BSOD.

Security software needs to run in kernel mode. There are good reasons for this: malware often hides deep in the OS in places where user mode software can't find it. CrowdStrike Falcon works like a device drive, which allows it to reside in kernel mode and access system data structures and services.

"Heck," you're thinking, "so can anyone write a device driver and get their software running in kernel mode?" Well, no: Windows will display a warning unless a driver has passed Microsoft's WHQL testing process. In some cases, Windows won't even allow the driver to run.

Falcon is WHQL certified, so it *should* be pretty robust and not cause a BSOD. But there's a catch: it relies on dynamic definition files, which are deployed to update its configuration. From what I hear, Crowdstrike accidentally deployed one which contained nothing but zeros, which led to a catastrophic error. In other words, they simply deployed the wrong file. No testing will catch that -- it's a file that wasn't meant to be deployed at all.

ianbetteridge said:

M68000 said:

This seems to be totally a QA testing issue.  Was any testing done? 

So the answer to this is, "it's complicated". Some of this is going to be a bit simplified, but it's accurate enough.

Software on Windows can run in two modes: kernel mode; and user mode. User mode software shouldn't ever be able to cause a BSOD.

Security software needs to run in kernel mode. There are good reasons for this: malware often hides deep in the OS in places where user mode software can't find it. CrowdStrike Falcon works like a device drive, which allows it to reside in kernel mode and access system data structures and services.

"Heck," you're thinking, "so can anyone write a device driver and get their software running in kernel mode?" Well, no: Windows will display a warning unless a driver has passed Microsoft's WHQL testing process. In some cases, Windows won't even allow the driver to run.

Falcon is WHQL certified, so it *should* be pretty robust and not cause a BSOD. But there's a catch: it relies on dynamic definition files, which are deployed to update its configuration. From what I hear, Crowdstrike accidentally deployed one which contained nothing but zeros, which led to a catastrophic error. In other words, they simply deployed the wrong file. No testing will catch that -- it's a file that wasn't meant to be deployed at all.