RE: [malware-list] [RFC 0/5] [TALPA] Intro to a linuxinterfaceforon access scanning

[Press, Jonathan]

>> I think you might be missing the point a bit here, as the traditional
Unix model that 
>> Linux has prevents much of what the "traditional AV" products need to
do, right?

Is your point that Linux and Unix machines are less vulnerable to
viruses?  If so, that's not relevant to my point at all.  A Unix machine
can be a carrier, passing infections on to other vulnerable platforms
(guess which one).  An enterprise security system sees the entire
enterprise as an integrated whole -- not just individual machines with
their own separate attributes and no impact on each other at all.


>>So how are you going about preventing the "infection from arriving"
>> with this proposed patchset?

I'm not endorsing or opposing the proposal until I digest it further.

However, I will say that while preventing infections from arriving is
not foolproof, doing a scan-on-close with the option to delete or
quarantine an infected file goes a long way.


Jon





-----Original Message-----
From: Greg KH [mailto:greg@xxxxxxxxx] 
Sent: Tuesday, August 05, 2008 2:12 PM
To: Press, Jonathan
Cc: Arjan van de Ven; Eric Paris; linux-kernel@xxxxxxxxxxxxxxx;
malware-list@xxxxxxxxxxxxxxxx; linux-security-module@xxxxxxxxxxxxxxx
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a
linuxinterfaceforon access scanning


A: No.
Q: Should I include quotations after my reply?

On Tue, Aug 05, 2008 at 02:04:26PM -0400, Press, Jonathan wrote:
> I'm not sure if this is off the direct idea of this thread, or if I am
> possibly missing the whole point.

I think you might be missing the point a bit here, as the traditional
Unix model that  Linux has prevents much of what the "traditional AV"
products need to do, right?

> However, I want to point out that scanning on close is still an
integral
> part of AV protection, even if intercepting opens and execs
> theoretically catches everything.

Great, then put a hook in glibc and catch all closes and then kick off
your scanning.

> You can say that there are four parts to the malware life cycle --
> getting on a machine, residing there, causing local damage, and
> propagating elsewhere.  It is part of the philosophy of AV protection
> that you do everything you can to prevent all of them.

But this proposed patchset does not do much to prevent all of these,
right?

> That's why there are scans on close, scheduled scans, and scans on
> open.  Most of our users employ all three and do not rely on one or
> two.  If an infection arrives on a machine and finds a home because it
> is assumed that it will be caught when it is opened for use, then it
> is just one more compromise away from doing damage and/or spreading.

So how are you going about preventing the "infection from arriving" with
this proposed patchset?

Isn't that something that SELinux or another LSM can prevent better?

thanks,

greg k-h

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/