Facebook creates Osquery for Windows version


This week, Facebook finally succeeded in porting its detection tool that is SQL powered known as osquery to Windows. This will afford users an open source method that is free to use in monitoring as well as diagnosing problems with networks. Users will be able to write queries with SQL so as to detect malicious activity or intrusions across networks which would be converted to relational databases.

The open source tool by Facebook has been on since 2014 and has been working across platforms like CentOS, operating system of Mac OS X, and Ubuntu. Although Facebook cannot be said to be the major shop for Windows, the company said they were moved to create such after many users started asking for a version that will work with Windows 10. What the tool does is that it visualises data by reimagining the process it uses to run while making use of such things as network connections that are open, kernel modules which are seen as SQL table.
Facebook security engineer, Nick Anderson, said the company does so periodically so as to get information concerning it corporate network browser extensions. So it is easier to detect malicious extensions and get rid of them.


It was a former engineer with Facebook, Mike Arpaia, that who was part of the osquery team that disclosed in March a version for Windows that will feature a monitoring daemon, have cross-platform support, and also development system that is active.

The developers who helped Facebook port osquery to Windows – Trail of Bits noted that they experienced some challenges. One of them, Artem Dinaburg said that in some case, a new functionality had to be recreated, substitutions made, and even bugs fixed.

In order to be convinced that the tool could detect intrusion, the company had get tables that were important to the osquery core and have then reengineered. This requires that the developers had to create a special script and also add functionality that will enable the tables to get information from processes that are running in the background.

Read about Windows 11!

Dinaburg also notes that the osquery developed for Windows can support certificate validation and TLS remote endpoints. This will mean that osquery created for Windows will be able to run with other osquery tools such as Doorman and will allow users to be able to manage their configurations gotten by nodes even on the version for Windows.


CEO of Trial of Bits, Dan Guido said that since the tool has the ability to run on desktop configurations, it will be much easier for the systems to be monitored by network administrators.

He also said that for those that already runs osquery, it will make it easier for the version for Windows to be integrated which will result in more efficiency.

Facebook and Trail of Bits are hoping that other organizations that are yet to make use of Linux systems or Mac OS X will be more willing to adopt osquery and make use of it to have a more secured system.