undefined | Better HN

0 pointsmewpmewp21y ago0 comments

But then again ransomware would happen like you said if they skipped it? And ransomware sounds even worse.

0 comments

The difference is that if windows does the skipping then you probably don't find out until its too late, if the application does the skipping there is the opportunity to set up alerting so you can fix whatever went wrong.

mewpmewp2OP1y ago

Do you mean that the skip would be manually approved after telemetry is sent and folks on-call paged? Then that sounds like it could be viable and a good idea yes.

But always a chance that the skipping mechanism could break as well. And there must be some form of networking available to able to send that and ask for approval.

ctxc1y ago

Exactly! On skipping mechanism breaking - I mean, anything could break. Boils down to design and testing like all things.

One change - this approval and telemetry doesn't happen during the boot loading process. It's just logged and skipped.

Once bootup is done, the EDR app auto starts, checks logs for anomalies and sends telemetry over whenever network is available (it usually is, because they update malware signatures etc frequently). Someone at the company gets paged, they fix and the process continues.

j / k navigate · click thread line to collapse