Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linuxinterface for on access scanning

From: douglas . leeder
Date: Mon Aug 18 2008 - 12:28:36 EST

Next message: Langsdorf, Mark: "RE: Warning in during hotplug on 2.6.27-rc2-git5"
Previous message: Eric Paris: "Re: [malware-list] scanner interface proposal was: [TALPA]Intro to a linux interface for on access scanning"
In reply to: Peter Dolding: "Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

malware-list-bounces@xxxxxxxxxxxxxxxx wrote on 2008-08-18 15:25:11:

> On Mon, Aug 18, 2008 at 02:15:24PM +0100, tvrtko.ursulin@xxxxxxxxxx
wrote:
> > Then there is still a question of who allows some binary to declare
itself
> > exempt. If that decision was a mistake, or it gets compromised
security
> > will be off. A very powerful mechanism which must not be easily
> > accessible. With a good cache your worries go away even without a
scheme
> > like this.
>
> I have one word for you --- bittorrent. If you are downloading a very
> large torrent (say approximately a gigabyte), and it contains many
> pdf's that are say a few megabytes a piece, and things are coming in
> tribbles, having either a indexing scanner or an AV scanner wake up
> and rescan the file from scratch each time a tiny piece of the pdf
> comes in is going to eat your machine alive....

What size is a tribble? :-)

If we assume that the bittorrent client is closing and re-openning the
file
each time it's got a nice piece of the file? (Otherwise I don't think
we'll have a performance problem)

Then there maybe room for a optimisation of the following form:
For a file X.
If X is only a local disk.
If X was written from empty by process A and only process A.
Then don't scan attempts to open by process A.

But that sort of optimisation can either be done in user-space, or in a
future
kernel modification.

I haven't fully analysed this - it assumes that reading data into process
A, that
process A wrote out is safe, regardless of the data.

--
Douglas Leeder

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Langsdorf, Mark: "RE: Warning in during hotplug on 2.6.27-rc2-git5"
Previous message: Eric Paris: "Re: [malware-list] scanner interface proposal was: [TALPA]Intro to a linux interface for on access scanning"
In reply to: Peter Dolding: "Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]