Can I replace commercial Linux AV software vendor with osquery and FleetDM specifically? Honest question 🙋‍♂️ (I have a use case. Current vendor software spikes cpu)

I don't know that it's really appropriate for a full AV solution. You'd need to register osquery to watch the whole filesystem (not recommended) and then write yara rules

you could probably get the osquery agent to chew a bunch of your CPU with the right query. Would that do? 😉

Yeah I've heard about cpu issues with various osquery queries too. 😔

oh I wasn't referring to osquery being a cpu hog, but the AV sw. As a security person, I don't think osquery will do what you want. I saw a FIM plugin the other day that might help. 1 sec..

Yeah, osquery is good for FIM, but not really for AV.

You can also use yara with osquery to look for binary signatures. But I wouldn't argue that it's a drop-in replacement for AV.

BitDefender is spiking Linux CPU. Looking for alternatives. Need managed cloud. Don't really want to write a lot of rules 🤷‍♂️

@matx you should really look at SentinelOne. Cloud-managed and every bit as good as Crowdstrike at a much more reasonable price point.

Or depending on your use-case ClamAV provides classic signature matching with pretty good performance