Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

To: <david@...>
Cc: <rmeijer@...>, Alan Cox <alan@...>, <capibara@...>, Eric Paris <eparis@...>, Theodore Tso <tytso@...>, Rik van Riel <riel@...>, <davecb@...>, <linux-security-module@...>, Adrian Bunk <bunk@...>, Mihai Donțu <mdontu@...>, <linux-kernel@...>, <malware-list@...>, Pavel Machek <pavel@...>, Arjan van de Ven <arjan@...>
Date: Friday, August 15, 2008 - 11:57 pm

On Sat, Aug 16, 2008 at 3:31 AM, <david@lang.hm> wrote:
The threat model you are looking at does not cover all the real-world
usage, and even worse, the detection of unknown real-world threats.

Currently, if we have an unknown infection on a Windows partition that
is being shared by Linux, the scanner on Linux cannot see that the
Windows permissions have been screwed with.   An OS with badly damaged
permissions is a sign of one of three things: a 100 percent incompetent
admin, a failing hard drive, or a breached system.   Now if a system is
breached on a partition, it is most likely extremely stupid to be
sharing the contents of that partition on a file server until what
breached it has been found and fixed.  Reason: until the files are cleared,
anything on that partition could have an unknown infection that you are
now putting up on a server to be spread onto other machines.

You asked how the Linux server would spread bad stuff to other
systems.   Quite simple: be blind, miss the warning signs that something
has gone badly wrong in the partition it is getting its files from,
and just luck out on a zero-day attack with no signature and spread it
around the network, leading to more machines in the network having
crippled security.

Being blocked from seeing the real permissions of the file system
takes away one of the means to detect unknowns.   We need every means
of defence we can have.

Remember, in a hypervisor environment like http://kvm.sf.net you may
want to scan the OS you are about to run in there before you start it
up.  Particularly if that contained server is going to be serving
files to the network.   You don't want a Windows server starting up
that has had its anti-virus defeated, spreading viruses to every other
Windows machine in the network.  Particularly if that Windows server
is running inside KVM on Linux.   Linux is currently not set up for
doing this effectively.  Linux cannot run a host intrusion detection
on the other OS effectively; this adds another layer of security to be
breached in a hypervisor environment.

Multi-OS setups are going to become far more common.  Anti-virus
scanning and threat monitoring need to move with the times.

Also be aware that cross-OS scanning does have its advantages.  Number
1: a Windows virus, without the help of Wine, will not normally infect
Linux, and vice versa.

Anti-virus has been for years about chasing the threat.   Let's try to
get in front of it.  Your threat model needs a major update; it's
incomplete.

Peter Dolding