Can I replace commercial Linux AV vendor software with osquery and FleetDM specifically? Honest question 🙋♂️ (I have a use case. Current vendor software spikes CPU)
Jason
01/19/2022, 5:02 PM
I don't know that it's really appropriate for a full AV solution. You'd need to register osquery to watch the whole filesystem (not recommended) and then write YARA rules.
It can be good for specific use cases, or threat hunting, but I personally wouldn't use it for "generic AV".
What's your vendor?
jlk
01/19/2022, 5:12 PM
you could probably get the osquery agent to chew a bunch of your CPU with the right query. Would that do? 😉
matx
01/19/2022, 5:25 PM
Yeah, I've heard about CPU issues with various osquery queries too. 😔
Yeah, it's not a drop-in replacement, is it, without rules and setup and managed queries coming from somewhere? There's no auto-updating of definitions, quarantining of files, etc.?
jlk
01/19/2022, 5:28 PM
Oh, I wasn't referring to osquery being a CPU hog, but the AV software. As a security person, I don't think osquery will do what you want. I saw a FIM plugin the other day that might help. 1 sec...