Post

rant pt1 - when you use our product, time goes backwards

Posted Updated
By ka 2 min read

Venting

Found this little nugget when checking my old screenshots looking for blog post worthy material, and…. it’s barely that. More of a timesink, gritting teeth, frustration and bad vendor response from 2021

I’m personally glad that I do not have to work the with the cyber owl again as it just about hit all my trigger points in quick succession.

  • as below screenshots, md5 hashes are premiered as the platform is built around it. Using or expecting to use sha1/sha256 (where the industry is quickly moving to sha256 in alot of edr products) is basically a no-go as you cannot manage the edr prevention actions and perform actions on sha256 hashes (WTFvck!) (like really, wtf!)

then what the fuck happens if the ioc list i have or have received does not contain md5?

  • it got even worse, where non-md5 could not be used for reputation checking (oh come the fvck on!)
  • and uploading a csv file containing sha1/sha256 did not generate a human compatible error, like “the entry is invalid”, like the fvck does that mean?

bleh

oh oh oh, it got worse. Using the edr sample action, letting the sensor trigger and download a suspicious file so that an analyst can analyse it was a story in itself…

  • the sample was archived and password protected…. with a non standard password e.g not “infected” as is used by every platform and vendor unless you are from fucking Jupiter and hate humans. It also was not a password displayed one time for the analyst performing the action, it was as far as I remember a static password found in the effing manual, really? really? they’re from effing Jupiter, I swear.

Oh I almost forgot. The archive was somehow only compatible with a MacOS filesystem even tough it looked like a normal archive according to file command and byte exploring the magick bytes etc. Ridiculous and I did not get any support regarding how to make a downloaded sample compatible across platfors, they basically shrugged and moved on….

  • Wow, I basically glossed over their cyber UI and visual query builder. In case you were starting to be lenient, this was the moment when they cemented their hate for analysts in particular with it’s querkiness and backwards query usage, “connections, which are Connections of Process, which are Processes of Machine”…. (like what does that even mean?!?) come on man, it’s almost unintelligible

Rant over

So so so glad, that I’m not touching that platform with a stick anytime soon. Moving on to CS and Defender have made my struggle less and get stuck even less. Thank the heavens.

Cheers.

homelab
homelab software troubleshooting edr vendors
This post is licensed under CC BY 4.0 by the author.