Its expertise in malware
It's not fair to shoot at an open goal...
Hey, Linux fans! Microsoft has got your back over fileless threats. Assuming you've bought into the whole Azure Security Center thing. Hot on the heels of a similar release for Windows (if by "hot" you mean "nearly 18 months after") comes a preview aimed at detecting that breed of malware that inserts itself into memory before …
I noticed something strange while logged onto a user's computer today with my credentials. My account has no internet access, so you can imagine my surprise when a test page search in IE brought back pages of results. The machine had defaulted to Bing Search in the browser, and even though I have NO internet access, Bing was still able to search the internet and bring back results.
So not only does Microsoft collect telemetry and all the rest, it ignores security settings when pushing its own products.
What you are trying to claim is completely impossible. If the box had "no internet" then Bing could not have returned a result.
Period.
It would be like disconnecting your Cat5 - no signal. That's not what happened.
Bing, somehow, got a result. That means that, somehow, your box FOUND the internet. No other possibility even exists. Bing cannot create a search result from dead air.
Like it or not, that box has HTTP access. Somehow. You may believe otherwise, but HTTP replies don't lie.
I had a similar experience, where a Windows machine with no cable and Wi-Fi disabled still seemed to be happily chatting away with IP addresses registered to Microsoft and subsidiaries of Microsoft when you checked with netstat.
Further digging showed that the machine was somehow tunneling out via virtualbox, although how on earth it could do that with no active internet connection is beyond me.
how you detect fileless malware in memory without scanning memory
You watch what processes are trying to do - most malware follows a similar pattern of actions, so something trying to do the pattern (or something close to it) might be malware. So, at the very least, you can pop up a prompt for the user saying "process xxx is doing odd things, shall I terminate it?"
I'm working here on the assumption that most Linux users are vaguely tech-savvy..
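As an added illustration of the approach the comment above describes (this is example code written for this page, not the commenter's code and not anything from Microsoft's product), here is a toy behavioural detector in Python. It never looks at process memory; it scores each process by whether its observed actions occur in a suspicious order, and tolerates a missing step so that "something close to it" still scores. The event format, the suspicious sequence (memfd_create, then an anonymous executable mapping, then an outbound connect), the sample events and the 0.66 threshold are all assumptions made up for the example.

```python
"""Toy behavioural detector: flag processes by the order of their actions,
not by scanning memory. Event format, pattern and threshold are illustrative
assumptions for this example, not a real product's rule set."""

# Constructed audit-style events for the example: (pid, process name, action, detail).
# Not captured from a real system.
SAMPLE_EVENTS = [
    (101, "bash",    "exec",         "/usr/bin/curl"),
    (102, "curl",    "connect",      "203.0.113.10:443"),
    (102, "curl",    "write",        "/tmp/payload"),
    (103, "payload", "memfd_create", "anon"),
    (103, "payload", "write",        "memfd:anon"),
    (103, "payload", "mmap",         "PROT_READ|PROT_WRITE|PROT_EXEC anon"),
    (103, "payload", "connect",      "198.51.100.7:4444"),
    (104, "python3", "mmap",         "PROT_READ|PROT_EXEC /usr/lib/libz.so"),
    (104, "python3", "connect",      "192.0.2.5:443"),
    (105, "node",    "mmap",         "PROT_READ|PROT_WRITE|PROT_EXEC anon"),
    (105, "node",    "connect",      "192.0.2.9:443"),
]

# An ordered pattern: (label, predicate over (action, detail)). Hypothetical rule
# for "stage a payload in anonymous memory, run it, then beacon out".
ANON_EXEC_PATTERN = [
    ("anonymous file created",
     lambda a, d: a == "memfd_create"),
    ("anon memory mapped executable",
     lambda a, d: a == "mmap" and "PROT_EXEC" in d and "anon" in d),
    ("outbound connection",
     lambda a, d: a == "connect"),
]


def score_process(events, pattern):
    """Return (matched_step_labels, score in [0, 1]) for one process's events.

    Steps must be satisfied in order, but a step that never occurs is skipped
    rather than aborting the match, so a near-miss still gets a partial score.
    """
    idx = 0
    matched = []
    for label, pred in pattern:
        for j in range(idx, len(events)):
            action, detail = events[j]
            if pred(action, detail):
                matched.append(label)
                idx = j + 1
                break
    return matched, len(matched) / len(pattern)


def group_by_pid(events):
    """Split the flat event list into {pid: (name, [(action, detail), ...])}."""
    procs = {}
    for pid, name, action, detail in events:
        procs.setdefault(pid, (name, []))[1].append((action, detail))
    return procs


def detect(events, pattern, threshold=0.66):
    """Return {pid: (name, matched_labels, score)} for processes at/above threshold."""
    alerts = {}
    for pid, (name, evs) in group_by_pid(events).items():
        matched, score = score_process(evs, pattern)
        if score >= threshold:
            alerts[pid] = (name, matched, score)
    return alerts


def prompt_text(pid, name, matched):
    """Wording for the user prompt the comment suggests, rather than a silent kill."""
    return (f"process {name} ({pid}) is doing odd things "
            f"({', '.join(matched)}), shall I terminate it?")


if __name__ == "__main__":
    for pid, (name, matched, score) in detect(SAMPLE_EVENTS, ANON_EXEC_PATTERN).items():
        print(f"[{score:.2f}] {prompt_text(pid, name, matched)}")
```

In the constructed sample, pid 103 matches every step and pid 105 matches two of three, so both are flagged, while the process that merely maps a shared library and connects is not. The near-miss case is also the weak spot of this approach: JIT runtimes legitimately map anonymous executable memory and then talk to the network, which is exactly why the comment suggests prompting the user rather than terminating automatically.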
I'd rather have Inspector Clouseau guarding my Linux servers.
I can just hear his voice...
Clouseau: Could you sudo and run these Microsoft tools on your server?
PFY: Yes.
Clouseau: Well then, what are you waiting for?
PFY: This is not my server.
Mine comes with a slightly foxed fedora.
No. Linux is open source, yes, but there is no obligation to open source applications on Linux.
If Adobe has a Linux version of Photoshop, you can bet your last dollar that the code is not open source. Adobe can, however, sell a Linux version of its product. The fact that the OS is open source has nothing to do with that.
Identically, Windows is not open source, but there is nothing to prevent you from creating open source software on Windows.
"Perhaps this is a silly question - do we get to see the source code for the Microsoft program running on a Linux system ?"
That all depends on where they got the source code from. Pascal is right.
Example one: You write a piece of code that is all your own work on a Linux system - You are free to license that code under whatever license, open or closed source, you like.
Example two: You write a piece of code that is all your own work but calls one or more external programs (say the program "grep" to search a log file for lines containing the string "Error"). Now grep is open-source licensed under the GPL, but you are just running it as an external program (AKA "running it at arm's length"), so you are still free to license your code under any open or closed source license you choose.
Example three: You write a program and you incorporate code from a GPL-licensed program into your code. Say, you take part of the source code of grep and cut and paste it into your code or link to an open-source library and use its functions like they were your own. Now, you must open-source your code under the GPL as you're incorporating someone else's work that requires that into it. Note that compiler libraries are specifically exempt from this so using say the open source "gcc" C compiler doesn't automatically make anything you compile with it open source.