Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for onaccess scanning
From: tvrtko . ursulin
Date: Wed Aug 06 2008 - 06:16:34 EST
J. Bruce Fields wrote on 05/08/2008 23:55:24:
> On Mon, Aug 04, 2008 at 05:00:16PM -0400, Eric Paris wrote:
> > Please contact me privately or (preferably the list) for questions,
> > comments, discussions, flames, names, or anything. I'll do complete
> > rewrites of the patches if someone tells me how they don't meet their
> > needs or how they can be done better. I'm here to try to bridge the
> > needs (and wants) of the anti-malware vendors with the technical
> > realities of the kernel. So everyone feel free to throw in your two
> > cents and I'll try to reconcile it all. These 5 patches are part 1.
> > They give us a working able solution.
> >
> > From my point of view patches forthcoming and mentioned below should
> > help with performance for those who actually have userspace scanners but
> > also could presents be implemented using this framework.
> >
> >
> > Background
> > ++++++++++
> > There is a consensus in the security industry that protecting against
> > malicious files (viruses, root kits, spyware, ad-ware, ...) by the way
> > of so-called on-access scanning is a usable and reasonable approach.
>
> Can you point to any helpful explanations of that consensus?
I can't, but everyone is doing it so that is at least an implied
consensus.
> Off-hand it's surprising. (A defense that depends on cataloging every
> possible individual attack sounds difficult!)
Maybe it is not how you imagine it? It is not a database of every possible
individual attack but there are more intelligent methods. But I am not an
expert in this field to explain it better.
Tvrtko
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/