Re: [malware-list] TALPA - a threat model? well sorta.

From: Arjan van de Ven
Date: Thursday, August 14, 2008 - 6:46 am

On Thu, 14 Aug 2008 10:46:55 +0100
tvrtko.ursulin@sophos.com wrote:


close isn't the answer just because you can write content to the file
after that (and that's not just theoretical, glibc stdio supports mmap
etc); "dirty" *has* to be the event anyway. It's not impossible to
solve; even say a 1 second rearming delay would avoid 99.9% of the
useless rescans while still making sure everything gets scanned at some
point. Anyway this kind of policy can be done in userspace (and you can
get really fancy there and offer the admin various policies)


There are quite a few programs that open() but never read.
open+fstat is not uncommon as a programming pattern, for example;
with async-in-open (and then wait or sync in read) we wouldn't have the
big hit caused by the latency for the sync scan.
(I realize this pattern is much more likely to happen on posixy systems
than it is on Windows.. one of those differences ;-)


-- 
If you want to reach me at my work email, use arjan@linux.intel.com
For development, discussion and tips for power savings, 
visit http://www.lesswatts.org
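
The rearming delay suggested in the message above can be sketched as a userspace policy. This is an added example, not code from the original post or from TALPA; `file_state`, `on_dirty`, `run_due_scan` and the event trace are hypothetical and constructed for illustration.

```c
#include <stdio.h>

#define REARM_DELAY_MS 1000   /* the "say a 1 second" delay from the message */

/* Hypothetical per-file state kept by a userspace scan-policy daemon. */
struct file_state {
    int  pending;     /* a rescan is scheduled but has not run yet */
    long deadline;    /* when the pending rescan fires (ms) */
    long last_dirty;  /* most recent dirty event (ms) */
    long last_scan;   /* most recent rescan (ms), -1 if none */
    int  scans;       /* rescans performed so far */
};

/* Run the scheduled rescan once its deadline has passed, then rearm. */
static void run_due_scan(struct file_state *f, long now)
{
    if (f->pending && now >= f->deadline) {
        f->last_scan = f->deadline;
        f->scans++;
        f->pending = 0;
    }
}

/* Dirty event: the first one arms a rescan; later ones in the window coalesce. */
static void on_dirty(struct file_state *f, long now)
{
    run_due_scan(f, now);
    f->last_dirty = now;
    if (!f->pending) {
        f->pending = 1;
        f->deadline = now + REARM_DELAY_MS;
    }
}

/* Constructed trace: 100 writes 10 ms apart, then one late write at t = 5 s. */
static struct file_state replay_demo(void)
{
    struct file_state f = { 0, 0, 0, -1, 0 };
    for (int i = 0; i < 100; i++)
        on_dirty(&f, i * 10L);
    on_dirty(&f, 5000);
    run_due_scan(&f, 10000);   /* let the last timer expire */
    return f;
}

int main(void)
{
    struct file_state f = replay_demo();
    printf("dirty events: 101, rescans: %d, covered: %s\n",
           f.scans, f.last_scan >= f.last_dirty ? "yes" : "no");
    return 0;
}
```

Because the rescan runs at the end of the window rather than at the first dirty event, every write is followed by a scan within the delay, while the burst costs one rescan.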