The CrowdStrike incident and how the NXLog agent operates

A Windows kernel driver has the same permissions and access to the machine as the operating system itself. A bug in the Windows kernel driver most often causes the infamous blue screen of death which can be only fixed by booting into safe mode.

The bug was triggered by a content file that was pushed to the endpoints. Such "configuration" content should not be allowed to trigger bugs in code running in privileged mode, i.e. kernel space.

IT teams and users have limited control over automated updates as these are pushed to production systems directly without the possibility of doing tests before rolling out into production.

Following secure software development practices and having proper quality assurance processes can significantly reduce the chances of releasing such software. Various testing methodologies and software development practices such as unit tests, integration and end-to-end tests, fuzzy testing, code coverage, static code analysis, and even formal verification can be carried out to detect problems early during development.

The NXLog Enterprise Edition does not contain and install any custom-developed kernel drivers on any of the supported operating systems. This ensures that code is never executed on the same privilege level as the OS and kernel.

The service runs in user-space to reduce the risk and impact of potential issues. In case of an issue such as a high CPU usage, service crash, or a compatibility problem with another software component, the service can be stopped and uninstalled even remotely through standard management tools, as a software failure should not block access to the host operating system.

NXLog software was designed with the principle of least privilege. On Linux, macOS, and Unix systems the service runs under a non-root account by default, only retaining the privileges it needs. On Windows, our Hardening NXLog guide provides details on how to configure the NXLog agent to run under a regular non-system account.

Some log types need to be collected directly from the operating system. The NXLog Enterprise Edition agent uses standard kernel APIs to interact with the OS that are well tested by the operating system vendor and this provides compatibility without the risk of using kernel drivers.

The NXLog Enterprise Edition can be configured to collect event log data remotely in an agent-less mode without directly installing it on the endpoints and utilizing the log forwarding capabilities of the host operating system. While the agent-based mode provides more flexibility and access to more log sources, using it in an agent-less mode completely eliminates the potential for any problems and interference on the host operating system generating the logs.

The NXLog Enterprise Edition has no embedded auto-update mechanism and software updates cannot be initiated by NXLog in an automatic fashion. We always recommend our customers and users to use traditional software update tools and mechanisms. This allows rigorous update cycles and testing processes to be implemented, giving you full control over how and when updates are rolled out using your own automation tools. Remote configuration updates through NXLog Manager and NXLog Platform are also user-controlled and provide total visibility to you over what configuration changes would be pushed to the agents.

Our release process includes a rigorous quality assurance stage to ensure that functional, stability, and performance requirements are met and no major or critical bugs are included in the release. Our automated testing pipelines execute hundreds of unit, functional, end-to-end, fuzzy, performance, stability, upgrade/downgrade, code analysis, memory leak, and concurrency checks across dozens of supported platforms and CPU architectures that the NXLog Enterprise Edition supports.