Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning

On Mon, 18 Aug 2008, David Collier-Brown wrote:

quoted text

> tvrtko.ursulin wrote: >>> Huh? I was never advocating re-scan after each modification and I even >>> explicitly said it does not make sense for AV not only for performance but >>> because it will be useless most of the time. I thought sending out >>> modified notification on close makes sense because it is a natural point, >>> unless someone is trying to subvert which is out of scope. Other have >>> suggested time delay and lumping up. > > Alan Cox wrote: >> You need a bit more than close I imagine, otherwise I can simply keep the >> file open forever. There are lots of cases where that would be natural >> behaviour - eg if I was to attack some kind of web forum and insert a >> windows worm into the forum which was database backed the file would >> probably never be closed. That seems to be one of the more common attack >> vectors nowdays. > > I suspect we're saying "on close" when what's really meant is > "opened for write". In the latter case, the notification would tell > the user-space program to watch for changes, possibly by something as > simple as doing a stat now and another when it gets around to deciding if it > should scan the file. I see lots of room for > user-space alternatives for change detection, depending on how much > state it keeps. Rsync-like, perhaps?

trying to have every scanner program monitor every file that any program opens for write by doing periodic stat commands on it sounds like a very inefficiant process (and unless they then get notified on close as well, how do they know when to stop monitoring?) getting a notification on the transition from scanned -> dirty is much less of a load (yes, it does leave open the possiblilty of a file getting scanned multiple times as it keeps getting dirtied, but that's a policy question of how aggressive the scanner is set to be in scanning files) David Lang --

unsubscribe notice

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/


linux-kernel:
Rusty Russell	Re: 2.6.22-rc3-mm1
Gautham R Shenoy	[PATCH 1/8] Enhance process freezer interface for usage beyond software suspend
Jeffrey V. Merkey	Re: Versioning file system
Alexey Dobriyan	Re: [2.6.22.2 review 09/84] Fix rfkill IRQ flags.
Srivatsa Vaddagiri	Re: [PATCH 7/8] Clean up workqueue.c with respect to the freezer based cpu-hotplug
git:
Oliver Kullmann	Re: how to move with history?
Junio C Hamano	Re: [PATCH 2/3] git-add--interactive: remove hunk coalescing
Shawn O. Pearce	Re: Bugs in Gitosis
Miles Bader	Re: way to automatically add untracked files?
Harvey Harrison	Re: [SoC RFC] libsvn-fs-git: A git backend for the subversion filesystem
linux-netdev:
Timo Teräs	ip xfrm policy semantics
David Miller	Re: [2.6.30-rc3] powerpc: compilation error of mace module
Patrick McHardy	Re: [rfc 02/13] [RFC 02/13] netfilter: nf_conntrack_sip: Add callid parser
webmaster Maintenance	&#32852;&#31995;&#31995;&#32479;&#31649;&#29702;&#21592;
Krzysztof Oledzki	Re: Error: an inet prefix is expected rather than "0/0".
git-commits-head:
Linux Kernel Mailing List	V4L/DVB: tm6000: add special usb request to quit i2c tuner transfer
Linux Kernel Mailing List	OMAP: DSS2: SDI driver
Linux Kernel Mailing List	PCI: introduce pci_pcie_cap()
Linux Kernel Mailing List	ipc/sem.c: move wake_up_process out of the spinlock section
Linux Kernel Mailing List	netfilter: nf_conntrack_sip: add T.38 FAX support
openbsd-misc:
Ted Bullock	Re: Proliant DL380 G3 cannot get on network
Úlfar M. E. Johnson	installing openbsd in xen
Eric Furman	Re: Defending OpenBSD Performance
Tony Abernethy	Re: The Atheros story in much fewer words
Damien Miller	Re: Patching a SSH 'Weakness'