Re: [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

[David Wagner]

Eric Paris  wrote:
>There is a consensus in the security industry that protecting against
>malicious files (viruses, root kits, spyware, ad-ware, ...) by the way
>of so-called on-access scanning is usable and reasonable approach.

This is at odds with my experience.  Are you sure you've been talking to
the right people?  Is it possible you've only been talking to A/V vendors?
I find it entirely plausible that there is such a consensus among A/V
vendors, but I'm pretty skeptical that the rest of the security community
would make this kind of claim.  What I hear, instead, is quite a bit of
skepticism about the future of A/V.

Here's an experiment for you.  Walk up to a random security expert and
ask them what they think of blacklisting as a foundation for building
secure systems.  Ask them what they think of the future of A/V in security
and whether they think A/V will be of increasing or decreasing relevance
to security in the future.  The answers might be educational.  Actually,
I suspect it's even possible you might find that many knowledgeable A/V
insiders privately share some of these same concerns about the future
of A/V -- look at how pretty much every major A/V vendor out there is
looking to diversify, to expand into other areas of computer security
and compliance, and to move beyond signature-based file scanners.

If you picked a bunch of computer security experts who don't work for an
A/V vendor and asked them what they thought about all this, I suspect
they'd be more likely to line up behind the kinds of comments that Ted
Tso has been posting.  Personally, I think Ted's comments have been
highly constructive, thoughtful, and well worth re-reading.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/