It's not an anti-virus, it's intended to monitor all and everything on the machine. You^WAn attacker might want to hide what you're doing and thus it runs at that level.

You may be right but they do market it as "Next-Generation Antivirus (NGAV)"/"Antivirus with Threat Intelligence" probably because it's a word people are familiar with

[CrowdStrike Falcon® Pro: Antivirus with Threat Intelligence](https://www.crowdstrike.com/products/bundles/falcon-pro/)

I understand that these "NGAV" must be in ring 0 (device driver) because they want to inspect more things directly. And be more protected there, avoiding being attacked. I'm not sure they can achieve this.

The Linux version of CS sensor defaults to being installed as a kernel module as well.

via Reddit, don't know where so can't credit:

Kernel panic observed after booting 5.14.0-427.13.1.el9_4.x86_64 by falcon-sensor process -- https://access.redhat.com/solutions/7068083 -- 1 month ago

Who would trust that?

your employer's IT department

The cyber unit within IT is more likely, those ones are besotted with ticking compliance checkboxes, the delegation of responsibility and a game of musical chairs at any cost.

It is even more likely that IT was at loggerheads with cyber, but nowadays cyber seems to be able to trump everything and everyone.

This is a management move. IT probably wasn't in the loop, since this effectively reduce the responsibilities of IT in terms of compliance.

And especially their auditors

I work in a customer-facing role for a similar product. The handful of customers that asked about kernel modules / drivers saw it as a plus not a con.

I complained specifically about that and they bounced it back to me like this was safe and cannot use the machine as I want.

A business that is party to a contract that requires the use of such software.