If you cannot define this, in a precise manner, then how can we expect
to review the proposed solution to ensure that it matches your needs?

Without that, this patchset is going to go nowhere but into the circular
bin :(

greg k-h
--
Excuse me? One of those questions had been a very specific yes-or-no one
and I certainly hope that we all can understand either answer to such...

For the record, the question is
"Do you or do you not expect the malware to be active on the scanning host?"
I hope that the relevance of that to the analysis of software involved in
scanning should be obvious.
--
I do believe for a number of AV vendors the answer is yes. I will try
to have some offline conversations with the right people at a number of
vendors and work to better define the threats that they wish to or
believe they are able to help mitigate.

--
This is troubling to me. Why "offline conversations"? Why are you
being forced to be the mediator here? Why will these companies not
contribute directly to the development of this code/model in public,
like all other major Linux kernel contributions?

Isn't this the point of the malware-list in the first place?

For them to hide behind _anyone_ seems very suspect.

thanks,

greg k-h
--
I'm going to be trying to get them to talk offline because obviously few
people from the AV industry are stepping up online. I'm told we'll be
hearing from Sophos tomorrow and hopefully they will have read all of

Yes it is, hopefully if we can move parts of this conversation to
malware list the AV vendors will feel a bit less like this is an us
against them proposition and more like a collaborative effort. From my
point of view I'd have to say that everyone has been refreshingly

I don't think it's hiding, I'm attempting to bring these companies who
just don't understand how to work in public after years of building
walls along at a reasonable pace so no one feels they have to give up or
that finding a real solution is an impossible task.

-Eric
--
On Tue, 05 Aug 2008 20:25:29 -0400
That's not my worry.

My real worry is that the anti-virus companies have been working
with an enforcement policy that has been evolving slowly from the
DOS days, while today's threat model has changed considerably.

I do not see how the proposed hooks would close off a system
sufficiently to claim anything approaching security.

The way forward is to:
1) define a threat model
2) figure out what infrastructure is needed for protection
3) come up with interfaces that also help other software
   (eg. file range inotify to help disk indexing software)

Trying to shoe-horn the DOS anti-virus security model into a
multi-user operating system with networking may not be sufficient
protection for today's world. Eg. it does not protect against
script viruses fetched off web sites and executed directly in
a browser, office suite or any gnome-vfs enabled program. This
is a major vulnerability in modern systems.

What problem are we really trying to solve?
Which problems are out of scope?
What infrastructure can solve the problem, while being useful
for other things too?

--
All rights reversed.
--
... and which also doesn't take into account some of the facilities which
Linux has, that DOS/Windows does not have.

Part of the problem I suspect is that the AV folks have managed to get
CIO's to believe that all computer systems need to have anti-virus
software, of the same design that is needed for DOS/Windows systems.
This state of delusion is so bad that apparently some AV engineers
aren't even willing to reason from first principles what is necessary
or not to maintain a secure system.

And arguably, if the goal is security theater, much like the security
lines in airports, perhaps it doesn't matter. If there are silly
CIO's that are willing to pay for such a thing, regardless of whether
or not it is actually *necessary* to maintain security, one school of
capitalism would say it doesn't matter if it actually provides any
functional value or not.

On the other hand, it seems pretty clear there are plenty of LKML
developers who aren't buying it. :-)

It may be helpful to separate the threat model into at least three
different scenarios:

The Linux Desktop (where clueless users may be tricked into
running malware).

The Linux File Server (where it is *highly* unlikely to have
active running malware, since there are no clueless
users running on said file server), but where malware
may be stored and read over CIFS, NFS, etc.

The Linux Mail server is really a restricted case of the Linux
Fileserver; where the only way in is SMTP, and the
only protocol out is IMAP/POP.

Clamav arguably does a very nice job for the third case. And the
number of ways in and out for a Linux fileserver is sufficiently small
(and there are no clueless users to start the malware program
running), that it's relatively easy to reason about.

In the Linux Desktop case, you do have to worry about clueless users,
but in general you don't have to worry about serving CIFS or NFS on
such boxes.

It seems that the AV folks are trying to argue for a worst case
scenario --- one where yo...
...
I'm trying to fill in some other threat models, not all directly related to
virus-scanning, but if we want to get a complete anti-threat model for linux,
we should take them into account too.
In addition I'll add some usage scenarios for later extracting some threat
scenarios ...

Desktop-Users:
------------------------
I would add the chance of users exporting their locally stored files via CIFS,
SMB, http, ... for accessing them with their beloved streaming clients.

Speaking of exporting files from a Desktop PC we should also take into account
file-sharing clients.

Some more examples of a Desktop user's desires would be:
- copying files to/from their PDA (BT,USB,WLAN)
- sharing internet connection with their PDA (BT,USB,WLAN)

Other threats would be:
- giving access to the Desktop-PC to guest-users for
  "just let me look up something on the internet"
  and the guest-user on the Desktop not informing about the (in his point of
  view) urgent installation of their beloved
  Browser-malware^H^H^H^H^H -adware ^H^H^H^H^H -extension

For all the files stored on the Desktop PC we should also take into account
that the paranoid Desktop user would store them inside an encrypted
device/container. Some examples would be: truecrypt-container/-partition,
external encrypted hard drive, ...

... speaking of storing files I would expect even Desktop home users to store
their files on a local mini fileserver (like a Fritz-Box, NSLU2, ...) to
share them with other devices like multimedia players, ...

Notebook-Users:
------------------------
And then we have the Linux Notebook users. I separate these from the Desktop
users, because they will have most of the scenarios for Desktop users plus
some additional threats.
- Connecting to random accesspoints (Airports, Hotels, ...)
- Exporting their Wireless (BT,WLAN,UMTS, ...) to random people. Sometimes
  willingly, sometimes unwillingly
- leaving their Notebooks unattended
  - without Bios password
  - without HDD-encryption
  - without...

--
if you give the guest user access to your account this is the same as the
clueless desktop user.

if you make a new account for that user the standard *nix permissions and
user separation come to your rescue, they may infect that temporary
account, but that won't infect the normal user.

David Lang
--
Software Conflicts
------------------------
Anti-virus software conflicting with other security software. This is
a design issue on Windows and some of the hooks different companies
have tried to develop for the Linux world.

Linux systems can have HIDS and other non anti-virus monitoring
software. On Windows realtime scanning can be crippled if you
install 2 anti-viruses at a time due to stuffing up each other's hooks.
We need to avoid this on Linux. There is more that will want to
monitor the same things as an antivirus on Linux looking for different
kinds of problems. Yes, the first platform where 1 alone running does
not cut it.

Peter Dolding
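
Two points in this thread ask for the same demonstration: Rik's item 3 (interfaces such as inotify that serve an indexer as well as a scanner) and Peter's concern above that several monitors must be able to watch the same files without crippling each other. The following is an added example written for this page, not code from the thread, from the proposed hooks, or from any AV product. It attaches two independent inotify instances (stand-ins for an "on-access scanner" and a "disk indexer") to one directory, writes a constructed sample file, and counts how many of the watchers observe the close-after-write event. It assumes Linux, a writable /tmp, and the stock inotify(7) API; the scratch directory and file name are constructed by the example.

```c
/* Added example, not code from the thread: several independent inotify
 * consumers watching the same directory and all receiving the same
 * IN_CLOSE_WRITE event. Linux only; uses the inotify(7) interface that
 * 2.6 kernels already had. Scratch directory and file are constructed. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/inotify.h>

#define MAX_WATCHERS 8

/* Drain one non-blocking inotify descriptor; return 1 if an IN_CLOSE_WRITE
 * for `name` was queued on it, 0 otherwise. Polls briefly (up to ~1s). */
static int saw_close_write(int fd, const char *name)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    for (int tries = 0; tries < 100; tries++) {
        ssize_t n = read(fd, buf, sizeof buf);
        if (n < 0) {
            if (errno == EAGAIN) { usleep(10000); continue; }
            return 0;
        }
        for (char *p = buf; p < buf + n; ) {
            struct inotify_event *ev = (struct inotify_event *)p;
            if ((ev->mask & IN_CLOSE_WRITE) && ev->len && strcmp(ev->name, name) == 0)
                return 1;
            p += sizeof *ev + ev->len;
        }
    }
    return 0;
}

/* Attach `nwatchers` independent inotify instances to `dir` (each is a
 * separate consumer, e.g. scanner vs. indexer), write `name` inside it,
 * and return how many watchers observed the close-after-write.
 * Returns -1 on setup error. */
int count_watchers_seeing_close_write(const char *dir, const char *name, int nwatchers)
{
    int fds[MAX_WATCHERS];
    if (nwatchers < 1 || nwatchers > MAX_WATCHERS) return -1;
    for (int i = 0; i < nwatchers; i++) {
        fds[i] = inotify_init();
        if (fds[i] < 0 || fcntl(fds[i], F_SETFL, O_NONBLOCK) < 0 ||
            inotify_add_watch(fds[i], dir, IN_CLOSE_WRITE) < 0) {
            for (int j = 0; j <= i; j++) if (fds[j] >= 0) close(fds[j]);
            return -1;
        }
    }

    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f) { for (int i = 0; i < nwatchers; i++) close(fds[i]); return -1; }
    fputs("constructed sample content\n", f);   /* constructed payload */
    fclose(f);                                   /* this close generates IN_CLOSE_WRITE */

    int seen = 0;
    for (int i = 0; i < nwatchers; i++) {
        seen += saw_close_write(fds[i], name);
        close(fds[i]);
    }
    unlink(path);
    return seen;
}

/* Run the demo in a fresh scratch directory: returns 2 when both the
 * "scanner" and the "indexer" watcher saw the event. */
int demo(void)
{
    char tmpl[] = "/tmp/inotify-coexist-XXXXXX";   /* constructed scratch dir */
    if (!mkdtemp(tmpl)) return -1;
    int seen = count_watchers_seeing_close_write(tmpl, "sample.txt", 2);
    rmdir(tmpl);
    return seen;
}

int main(void)
{
    int seen = demo();
    printf("watchers that saw the close-after-write: %d\n", seen);
    return seen == 2 ? 0 : 1;
}
```

Each watcher gets its own queue from the kernel, so neither consumer can swallow or block the other's notification; that is the property a shared scanning/indexing interface needs and that hook-chaining designs of the kind Peter describes tend to lose. Note that inotify only reports that a write finished; it cannot block the open or scan synchronously, which is exactly the gap between "interface useful for other things" and the on-access enforcement the AV side is asking for.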
--
OK, and if the malware is running on the machine, does the malware
have root (superuser) access?

- Ted
--
