The title is somewhat misleading, as it suggests an io_uring issue when there is none - it's just that anti-virus solutions like Microsoft Defender try to monitor syscalls but don't monitor io_uring.
They're far from guaranteed to catch things they monitor anyway, and I feel they mostly just exist to let enterprise pretend they care about security by buying ineffective band-aids and duct tape. I guess a legal defense is more important than a technical one.
StressedDev•3h ago
You are right that this is not an io_uring issue.
I think you underestimate the value of anti-virus. Anti-virus software is a good second line of defense. It's not perfect, but it will stop a lot of known malware. This has value.
arghwhat•3h ago
I wouldn't consider it a second line of defense - as a rule of thumb, it will only catch old and overused attack vectors, and rarely well.
Anything novel will fly right past it, and it will have false positives. Plastering ineffective or mildly effective security everywhere in the name of "defense in depth" can have negative value as it reduces diligence in applying more relevant security measures that aren't just a random package install.
nicce•3h ago
It's like the last line of defence. If you are lucky, it helps.
the8472•2h ago
Security software can have negative value when it increases attack surface [0], shuts down infrastructure [1], impedes productivity or pushes users towards workarounds that make things overall less secure.
Seems to go back to the old pick 2 of these for your system:
* fast
* secure
* easy
wmf•3h ago
These security tools need to block any system call they don't recognize (fail closed). Obviously this breaks some apps but the alternative is huge security holes.
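One concrete form of the fail-closed stance wmf describes, as an added example that is not part of this thread or of any product mentioned in it: a seccomp-bpf filter that refuses the io_uring syscall family with EPERM in the calling process and everything it spawns. The syscall numbers 425-427 and the AUDIT_ARCH mapping are the real Linux values for x86_64 and aarch64; the function names, the probe helper and the 120-byte stand-in for `struct io_uring_params` are my own choices for the example.

```c
/* Added example: deny io_uring_setup/io_uring_enter/io_uring_register via
 * seccomp-bpf so an unmonitored I/O path cannot be opened by this process
 * or its children. Not code from the thread or from any vendor. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* io_uring syscalls share one number on every architecture that uses the
 * unified syscall table (x86_64, aarch64, riscv64, ...). */
#define NR_IO_URING_SETUP    425
#define NR_IO_URING_ENTER    426
#define NR_IO_URING_REGISTER 427

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#define THIS_ARCH 0 /* unknown here: install_io_uring_deny_filter() refuses */
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL /* older uapi headers */
#endif

/* Classic BPF program run by the kernel before every syscall is dispatched.
 * Anything the filter does not explicitly allow here is the io_uring family,
 * which gets -EPERM; a wrong architecture (e.g. a compat 32-bit caller) is
 * treated as unknown and killed, i.e. fail closed. */
static struct sock_filter io_uring_deny_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_IO_URING_SETUP, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_IO_URING_ENTER, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NR_IO_URING_REGISTER, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

/* Number of BPF instructions in the filter (handy for sanity checks). */
int io_uring_filter_length(void) {
    return (int)(sizeof io_uring_deny_filter / sizeof io_uring_deny_filter[0]);
}

/* Install the filter. Returns 0 on success, -1 (with errno) if seccomp or the
 * architecture is unsupported. The filter is inherited across fork/execve. */
int install_io_uring_deny_filter(void) {
    if (THIS_ARCH == 0) { errno = ENOSYS; return -1; }
    struct sock_fprog prog = {
        .len = (unsigned short)io_uring_filter_length(),
        .filter = io_uring_deny_filter,
    };
    /* Required for unprivileged seccomp; also blocks setuid privilege gain. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -1;
    return 0;
}

/* Try to create a one-entry ring. Returns 0 if the kernel handed back a ring
 * (closed again immediately) or the errno it failed with. Once the filter is
 * installed this is always EPERM, even on a kernel without io_uring at all,
 * because seccomp runs before the syscall handler is looked up. */
int probe_io_uring_setup(void) {
    unsigned char params[120] = {0}; /* stand-in for struct io_uring_params */
    long fd = syscall(NR_IO_URING_SETUP, 1u, params);
    if (fd < 0) return errno;
    close((int)fd);
    return 0;
}

int main(void) {
    printf("before filter: io_uring_setup -> %d\n", probe_io_uring_setup());
    if (install_io_uring_deny_filter() != 0) {
        perror("seccomp filter not installed");
        return 1;
    }
    printf("after filter:  io_uring_setup -> %d (EPERM=%d)\n",
           probe_io_uring_setup(), EPERM);
    return 0;
}
```

This is per-process policy, not the system-wide monitoring the thread is about: it protects a service or sandbox you launch, and a process that was never started under the filter is unaffected. The same filter shape is also how you would make "unrecognised syscall" mean "denied" in general: swap the final allow/deny so the default return is EPERM and list the syscalls you do expect, which is exactly the app-breaking trade-off wmf mentions. On Linux 6.6 and later the `kernel.io_uring_disabled` sysctl offers a coarser system-wide switch.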
arghwhat•3h ago
[0] page 11 https://services.google.com/fh/files/misc/m-trends-2025-en.p... [1] https://news.ycombinator.com/item?id=41002195