Re: [malware-list] scanner interface proposal was: [TALPA] Intro toa linux interface for on access scanning

From: david
Date: Mon Aug 18 2008 - 13:07:52 EST

Next message: Ivan Warren: "Re: [PATCH] S390 : Set SLI on PSF/PRSSD on Dasd ECKD initialisation"
Previous message: Mathieu Desnoyers: "Re: ftrace introduces instability into kernel 2.6.27(-rc2,-rc3)"
In reply to: Eric Paris: "Re: [malware-list] scanner interface proposalwas: [TALPA] Intro to a linux interface for on access scanning"
Next in thread: tvrtko . ursulin: "Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linuxinterface for on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 18 Aug 2008, tvrtko.ursulin@xxxxxxxxxx wrote:

Theodore Tso <tytso@xxxxxxx> wrote on 18/08/2008 15:25:11:

On Mon, Aug 18, 2008 at 02:15:24PM +0100, tvrtko.ursulin@xxxxxxxxxx
wrote:
Then there is still a question of who allows some binary to declare
itself
exempt. If that decision was a mistake, or it gets compromised
security
will be off. A very powerful mechanism which must not be easily
accessible. With a good cache your worries go away even without a

scheme
like this.

I have one word for you --- bittorrent. If you are downloading a very
large torrent (say approximately a gigabyte), and it contains many
pdf's that are say a few megabytes a piece, and things are coming in
tribbles, having either a indexing scanner or an AV scanner wake up
and rescan the file from scratch each time a tiny piece of the pdf
comes in is going to eat your machine alive....

Huh? I was never advocating re-scan after each modification and I even
explicitly said it does not make sense for AV not only for performance but
because it will be useless most of the time. I thought sending out
modified notification on close makes sense because it is a natural point,
unless someone is trying to subvert which is out of scope. Other have
suggested time delay and lumping up.

Also, just to double-check, you don't think AV scanning would read the
whole file on every write?

if it doesn't read the entire file and only reads the parts that change, out-of-order writes (which bittorrent does a _lot_ of) can assemble a virus from pieces and the scanner will never see it.

as for Ted's issue, the scanner(s) would get notified when the file was dirtied, they would then get notified if something scanned the file and it was marked dirty again after that. If nothing got around to scanning the file then all the following writes would not send any notification becouse the file would already be dirty.

David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ivan Warren: "Re: [PATCH] S390 : Set SLI on PSF/PRSSD on Dasd ECKD initialisation"
Previous message: Mathieu Desnoyers: "Re: ftrace introduces instability into kernel 2.6.27(-rc2,-rc3)"
In reply to: Eric Paris: "Re: [malware-list] scanner interface proposalwas: [TALPA] Intro to a linux interface for on access scanning"
Next in thread: tvrtko . ursulin: "Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linuxinterface for on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]