Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

From: david
Date: Fri Aug 15 2008 - 01:34:03 EST


On Thu, 14 Aug 2008, david@xxxxxxx wrote:

again, libmalware.so is not referring to any specific body of code, it's referring to the concept that the handling of open/mmap/read/etc and scanning is done via a userspace library rather than by the kernel. if everyone can agree on that concept then hashing out the details of _which_ library it gets put in is a smaller detail.

one reason to layer scanners is that you could have one that just checks to see if the file was deployed from an OS package, if it was (and still has the same hash as the package manager thinks it should have) it sets a flag that other scanners could look for (if they see it they can skip scanning the file).

David Lang
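The layering idea in the message above, as an added Python sketch that is not part of the original post and not code from TALPA or any libmalware implementation. The names `PACKAGE_DB`, `ScanContext`, `pkg-verified`, `SAMPLE_SIGNATURE` and the scanner functions are all hypothetical, and the package database and file contents are constructed sample data.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for the package manager's database: path -> SHA-256.
PACKAGE_DB = {
    "/usr/bin/tool": hashlib.sha256(b"packaged tool bytes").hexdigest(),
}
# Constructed, harmless byte pattern standing in for a scanner signature.
SAMPLE_SIGNATURE = b"CONSTRUCTED-TEST-PATTERN"

@dataclass
class ScanContext:
    path: str
    data: bytes
    flags: set = field(default_factory=set)   # shared between layers
    log: list = field(default_factory=list)   # which layers did what

def package_scanner(ctx):
    """First layer: flag files whose content still matches the package hash."""
    expected = PACKAGE_DB.get(ctx.path)
    actual = hashlib.sha256(ctx.data).hexdigest()
    if expected is not None and expected == actual:
        ctx.flags.add("pkg-verified")
    ctx.log.append("package")
    return True  # this layer only annotates, it never denies access

def signature_scanner(ctx):
    """Later layer: content scan, skipped when an earlier layer set the flag."""
    if "pkg-verified" in ctx.flags:
        ctx.log.append("signature:skipped")
        return True
    ctx.log.append("signature:scanned")
    return SAMPLE_SIGNATURE not in ctx.data

def scan_on_open(path, data, layers=(package_scanner, signature_scanner)):
    """Run the layers in order; deny as soon as one layer rejects the file."""
    ctx = ScanContext(path, data)
    allowed = all(layer(ctx) for layer in layers)
    return allowed, ctx.log

if __name__ == "__main__":
    print(scan_on_open("/usr/bin/tool", b"packaged tool bytes"))
    print(scan_on_open("/usr/bin/tool", b"packaged tool bytes" + SAMPLE_SIGNATURE))
```

The flag here is recomputed from the file's current content on every scan, so a packaged file that has been modified loses it and falls through to the later layers.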