I have to say, it saved our ass a few months ago. Some hacker got access to one of multiple brands server infrastructure, started running PowerShell to weed through the rest and CrowdStrike notified us (the owning brand) that something was off about the PowerShell being ran. Turns out this small brand was running a remote in tool that had an exploit. Had Crowdstrike not been on that server we wouldn't have known until someone manually got in there to look at it.

Happy to know it works when needed!

But the implementation (when running on user PC:s) is still half-baked.

My experience is using PC with Crowdstrike for daily software development. In that setting it’s quite terrible.

The server setting sounds a much more reasonable use.

I've had CrowdStrike completely delete a debug binary I ran from Visual Studio. Its injected module in every single process shows up in all of our logging.

Yep. Exactly this and more.

I assume if you weren't running crowdstrike, you would have still had logging/alerting systems set up, no?

What specifically makes it "incredibly incompetently implemented", and would you simply derisively describe any system that can push updates requiring admin access a "rootkit", or is there some way you envision a "competently implemented rootkit" operating? Your opinion seems incredibly strong so I'm just curious how you arrived at it? I'm not in IT, but the idea of both rolling out updates remotely and outsourcing the timely delivery of these updates to my door* is a no brainer.

* if not directly to all my thousands of PCs without testing, which is 100% a "me" task and not a "that cloud provider over there" task

It's "rootkit" because it literally implements remote code execution as root as a feature.

Rootkit means Crowdstrike literally intercepts commands before they can be executed in the CPU. It is like letting a third party implant a chip in your brain. If the chip thinks the command in your head is malicious, it will stop your brain from ever receiving the command.