RE: [malware-list] TALPA - a threat model? well sorta.

view
thread

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

From: Press, Jonathan

Subject: RE: [malware-list] TALPA - a threat model? well sorta.

Date: Wednesday, August 13, 2008 - 2:15 pm

> -----Original Message-----
quoted text> From: malware-list-bounces@dmesg.printk.net [mailto:malware-list-
> bounces@dmesg.printk.net] On Behalf Of Theodore Tso
> Sent: Wednesday, August 13, 2008 3:29 PM
> To: Eric Paris
> Cc: peterz@infradead.org; linux-kernel@vger.kernel.org; malware-
> list@lists.printk.net; hch@infradead.org; andi@firstfloor.org;
> viro@ZenIV.linux.org.uk; alan@lxorguk.ukuu.org.uk; Arjan van de Ven
> Subject: Re: [malware-list] TALPA - a threat model? well sorta.
> 

 
quoted text> Also something else that is needed is support for multiple clients.
> (i.e., what happens if the user runs two virus checkers, or a virus
> checker plus a hierarchical storage manager driving a tape robot, or
> all of the above plus trackerd --- where some clients need to block
> open(2) access, and some do not need block open(2) --- and in the case
> of HSM, ordering becomes important; you want to retrieve the file from
> the tape robot first, *then* scan it using the virus checker.  :-)

The issue of multiple clients does need to be accounted for.  However, I
will mention that it is unusual (at least in my experience) to actually
run two AV products at the same time in "realtime" mode.  We strongly
recommend that anyone who installs our product should remove any other
AV product on the system -- for technical reasons, not financial --
since they've already paid for ours by the time they get to this point.
I am not aware of anyone objecting to that idea.


quoted text> I'm just arguing that there should be absolutely *no* support in the
> kernel for solving this particular problem, since the question of
> whether a file has been scanned with a particular version of the virus
> DB is purely a userspace problem.

Caching of previous results can be done in either user space or kernel
space.  We have seen it both ways.  Wherever it is done, I would say
that rather than record AV signature file version numbers, there should
be a mechanism for the application to invalidate or flush the cache
whenever a signature update is done.  There are other circumstances
where that would also be useful -- such as if the user changes a
scanning option in a way that increases the strictness of the scan.  In
other words, a file that was marked as clean based on one level of
strictness may not be clean under a stricter scan.  You wouldn't want
the cache to prevent it from being scanned under such circumstances.


Jon Press
--
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: TALPA - a threat model? well sorta., Alan Cox, (Wed Aug 13, 9:24 am)

TALPA - a threat model? well sorta., Eric Paris, (Wed Aug 13, 9:36 am)

Re: TALPA - a threat model? well sorta., Alan Cox, (Wed Aug 13, 9:37 am)

Re: TALPA - a threat model? well sorta., Eric Paris, (Wed Aug 13, 9:47 am)

Re: TALPA - a threat model? well sorta., Greg KH, (Wed Aug 13, 9:57 am)

Re: TALPA - a threat model? well sorta., Eric Paris, (Wed Aug 13, 10:00 am)

Re: TALPA - a threat model? well sorta., Christoph Hellwig, (Wed Aug 13, 10:07 am)

Re: TALPA - a threat model? well sorta., Arjan van de Ven, (Wed Aug 13, 10:39 am)

Re: TALPA - a threat model? well sorta., Theodore Tso, (Wed Aug 13, 11:15 am)

Re: TALPA - a threat model? well sorta., Andi Kleen, (Wed Aug 13, 11:17 am)

Re: TALPA - a threat model? well sorta., H. Peter Anvin, (Wed Aug 13, 11:21 am)

Re: TALPA - a threat model? well sorta., Arjan van de Ven, (Wed Aug 13, 11:21 am)

Re: TALPA - a threat model? well sorta., Arjan van de Ven, (Wed Aug 13, 11:24 am)

Re: TALPA - a threat model? well sorta., Eric Paris, (Wed Aug 13, 11:40 am)

Re: TALPA - a threat model? well sorta., Eric Paris, (Wed Aug 13, 11:57 am)

Re: TALPA - a threat model? well sorta., Eric Paris, (Wed Aug 13, 12:02 pm)

Re: TALPA - a threat model? well sorta., Theodore Tso, (Wed Aug 13, 12:29 pm)

Re: TALPA - a threat model? well sorta., Alan Cox, (Wed Aug 13, 12:59 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Alan Cox, (Wed Aug 13, 2:13 pm)

RE: [malware-list] TALPA - a threat model? well sorta., Press, Jonathan, (Wed Aug 13, 2:15 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Alan Cox, (Wed Aug 13, 2:23 pm)

RE: [malware-list] TALPA - a threat model? well sorta., Press, Jonathan, (Wed Aug 13, 2:24 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Rik van Riel, (Wed Aug 13, 2:35 pm)

Re: TALPA - a threat model? well sorta., Arjan van de Ven, (Wed Aug 13, 2:39 pm)

Re: TALPA - a threat model? well sorta., 7v5w7go9ub0o, (Wed Aug 13, 5:14 pm)

Re: TALPA - a threat model? well sorta., Mihai , (Wed Aug 13, 5:18 pm)

Re: TALPA - a threat model? well sorta., 7v5w7go9ub0o, (Wed Aug 13, 7:25 pm)

Re: TALPA - a threat model? well sorta., tvrtko.ursulin, (Thu Aug 14, 2:18 am)

Re: [malware-list] TALPA - a threat model? well sorta., tvrtko.ursulin, (Thu Aug 14, 2:30 am)

Re: [malware-list] TALPA - a threat model? well sorta., tvrtko.ursulin, (Thu Aug 14, 2:46 am)

RE: [malware-list] TALPA - a threat model? well sorta., Press, Jonathan, (Thu Aug 14, 4:58 am)

RE: [malware-list] TALPA - a threat model? well sorta., Press, Jonathan, (Thu Aug 14, 5:03 am)

RE: [malware-list] TALPA - a threat model? well sorta., tvrtko.ursulin, (Thu Aug 14, 5:27 am)

Re: [malware-list] TALPA - a threat model? well sorta., Mihai , (Thu Aug 14, 5:34 am)

Re: TALPA - a threat model? well sorta., Arnd Bergmann, (Thu Aug 14, 6:00 am)

Re: [malware-list] TALPA - a threat model? well sorta., Theodore Tso, (Thu Aug 14, 6:24 am)

Re: [malware-list] TALPA - a threat model? well sorta., Arjan van de Ven, (Thu Aug 14, 6:46 am)

Re: [malware-list] TALPA - a threat model? well sorta., Eric Paris, (Thu Aug 14, 6:48 am)

Re: TALPA - a threat model? well sorta., Eric Paris, (Thu Aug 14, 7:12 am)

Re: [malware-list] TALPA - a threat model? well sorta., Theodore Tso, (Thu Aug 14, 8:50 am)

Re: TALPA - a threat model? well sorta., Arjan van de Ven, (Thu Aug 14, 8:57 am)

Re: [malware-list] TALPA - a threat model? well sorta., Eric Paris, (Thu Aug 14, 10:29 am)

Re: [malware-list] TALPA - a threat model? well sorta., Theodore Tso, (Thu Aug 14, 12:17 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Eric Paris, (Thu Aug 14, 12:20 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Christoph Hellwig, (Thu Aug 14, 12:34 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Theodore Tso, (Thu Aug 14, 12:41 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Christoph Hellwig, (Thu Aug 14, 1:20 pm)

Re: [malware-list] TALPA - a threat model? well sorta., J. Bruce Fields, (Thu Aug 14, 2:21 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Theodore Tso, (Thu Aug 14, 4:34 pm)

Re: TALPA - a threat model? well sorta., david, (Thu Aug 14, 6:31 pm)

Re: [malware-list] TALPA - a threat model? well sorta., david, (Thu Aug 14, 6:37 pm)

Re: [malware-list] TALPA - a threat model? well sorta., david, (Thu Aug 14, 6:44 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Theodore Tso, (Thu Aug 14, 7:04 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Eric Paris, (Thu Aug 14, 8:25 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Arjan van de Ven, (Thu Aug 14, 8:41 pm)

Re: [malware-list] TALPA - a threat model? well sorta., david, (Thu Aug 14, 9:48 pm)

Re: [malware-list] TALPA - a threat model? well sorta., david, (Thu Aug 14, 10:05 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Johannes Weiner, (Thu Aug 14, 10:12 pm)

Re: [malware-list] TALPA - a threat model? well sorta., david, (Thu Aug 14, 10:28 pm)

Re: [malware-list] TALPA - a threat model? well sorta., david, (Thu Aug 14, 10:36 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Alan Cox, (Fri Aug 15, 1:51 am)

Re: TALPA - a threat model? well sorta., Helge Hafting, (Fri Aug 15, 3:07 am)

Re: TALPA - a threat model? well sorta., Peter Zijlstra, (Fri Aug 15, 3:37 am)

Re: TALPA - a threat model? well sorta., tvrtko.ursulin, (Fri Aug 15, 3:44 am)

RE: [malware-list] TALPA - a threat model? well sorta., Press, Jonathan, (Fri Aug 15, 6:10 am)

Re: [malware-list] TALPA - a threat model? well sorta., douglas.leeder, (Fri Aug 15, 6:18 am)

Re: [malware-list] TALPA - a threat model? well sorta., Pavel Machek, (Fri Aug 15, 7:31 am)

Re: [malware-list] TALPA - a threat model? well sorta., Pavel Machek, (Fri Aug 15, 7:37 am)

Re: TALPA - a threat model? well sorta., Pavel Machek, (Fri Aug 15, 9:06 am)

RE: [malware-list] TALPA - a threat model? well sorta., david, (Fri Aug 15, 9:25 am)

RE: [malware-list] TALPA - a threat model? well sorta., Press, Jonathan, (Fri Aug 15, 9:30 am)

Re: [malware-list] TALPA - a threat model? well sorta., Theodore Tso, (Fri Aug 15, 10:04 am)

RE: [malware-list] TALPA - a threat model? well sorta., david, (Fri Aug 15, 10:33 am)

RE: [malware-list] TALPA - a threat model? well sorta., Press, Jonathan, (Fri Aug 15, 10:40 am)

RE: [malware-list] TALPA - a threat model? well sorta., david, (Fri Aug 15, 10:47 am)

Re: [malware-list] TALPA - a threat model? well sorta., Valdis.Kletnieks, (Fri Aug 15, 11:06 am)

RE: [malware-list] TALPA - a threat model? well sorta., Press, Jonathan, (Fri Aug 15, 11:09 am)

RE: [malware-list] TALPA - a threat model? well sorta., Press, Jonathan, (Fri Aug 15, 11:17 am)

Re: [malware-list] TALPA - a threat model? well sorta., david, (Fri Aug 15, 1:05 pm)

RE: [malware-list] TALPA - a threat model? well sorta., david, (Fri Aug 15, 1:08 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Jan Harkes, (Fri Aug 15, 1:16 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Theodore Tso, (Fri Aug 15, 1:17 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Arjan van de Ven, (Fri Aug 15, 3:05 pm)

Re: [malware-list] TALPA - a threat model? well sorta., David Collier-Brown, (Sun Aug 17, 2:11 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Eric Paris, (Sun Aug 17, 4:19 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Arjan van de Ven, (Sun Aug 17, 4:26 pm)

Re: [malware-list] TALPA - a threat model? well sorta., Helge Hafting, (Mon Aug 18, 3:02 am)

Re: [malware-list] TALPA - a threat model? well sorta., Helge Hafting, (Mon Aug 18, 3:09 am)

Re: [malware-list] TALPA - a threat model? well sorta., Peter Zijlstra, (Mon Aug 18, 3:14 am)

Re: [malware-list] TALPA - a threat model? well sorta., tvrtko.ursulin, (Mon Aug 18, 3:24 am)

Re: [malware-list] TALPA - a threat model? well sorta., douglas.leeder, (Mon Aug 18, 3:25 am)

Re: TALPA - a threat model? well sorta., david, (Mon Aug 18, 5:21 am)

Re: TALPA - a threat model? well sorta., Pavel Machek, (Mon Aug 18, 6:30 am)

Re: [malware-list] TALPA - a threat model? well sorta., Alan Cox, (Mon Aug 18, 8:33 am)

Re: [malware-list] TALPA - a threat model? well sorta., Rik van Riel, (Mon Aug 18, 9:43 am)

Re: TALPA - a threat model? well sorta., david, (Mon Aug 18, 5:03 pm)

Re: [malware-list] TALPA - a threat model? well sorta., J. Bruce Fields, (Tue Aug 19, 2:43 pm)

Navigation

Popular discussions


linux-kernel:
Ingo Molnar	Re: [patch] e1000=y && e1000e=m regression fix
Greg Kroah-Hartman	[PATCH 20/36] Driver core: Call device_pm_add() after bus_add_device() in device_a...
Boaz Harrosh	how to use KBUILD_EXTRA_SYMBOLS
Brandeburg, Jesse	RE: [regression] e1000e broke e1000 (was: Re: [ANNOUNCE] e1000 toe1000e migration ...
Pekka Enberg	Re: [PATCH] include/linux/slab.h: new KFREE() macro.
git:
Bill Lear	cpio command not found
Jing Xue	Re: git rm --cached
Fredrik Kuivinen	Re: fatal: unable to create '.git/index': File exists
Johannes Schindelin	Re: [PATCH 1/3 v2] Implement the patience diff algorithm
Johannes Sixt	Re: How to pull remote branch with specified commit id?
linux-netdev:
Jamie Lokier	Re: POHMELFS high performance network filesystem. Transactions, failover, performa...
Oliver Neukum	Re: [RFC] Patch to option HSO driver to the kernel
Paulius Zaleckas	Re: [RFC] Patch to option HSO driver to the kernel
Timo Teräs	ip xfrm policy semantics
Ron Mercer	[net-next PATCH 2/2] qlge: Version change to v1.00.00.27
openbsd-misc:
Tomas Bodzar	Re: OpenSMTPd actual development and integration
Netmaffia.hu	Tini Lányok AKCIÓBAN OTTHON
Bryan Irvine	Re: DVD burn error: No space left on device
Sevan / Venture37	Re: This is what Linus Torvalds calls openBSD crowd
Siju George	This is what Linus Torvalds calls openBSD crowd
git-commits-head:
Linux Kernel Mailing List	powerpc/fsl_msi: enable msi allocation in all banks
Linux Kernel Mailing List	[ARM] mmp: avengers lite (pxa168) board bring up
Linux Kernel Mailing List	via82cxxx: add support for VT6415 PCIE PATA IDE Host Controller
Linux Kernel Mailing List	checkpatch: warn on declaration with storage class not at the beginning
Linux Kernel Mailing List	USB: remove duplicate entry in Option driver and Pl2303 driver for Huawei modem

Colocation donated by:

Syndicate