Re: [malware-list] TALPA - a threat model? well sorta.

From: Helge Hafting
Date: Mon Aug 18 2008 - 06:09:36 EST

Next message: KOSAKI Motohiro: "Re: No, really, stop trying to delete slab until you've finished making slub perform as well"
Previous message: Mel Gorman: "Re: [PATCH] mm: mminit_loglevel cannot be __meminitdata anymore"
In reply to: Helge Hafting: "Re: [malware-list] TALPA - a threat model? well sorta."
Next in thread: Peter Zijlstra: "Re: [malware-list] TALPA - a threat model? well sorta."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Press, Jonathan wrote:

-----Original Message-----
From: Theodore Tso [mailto:tytso@xxxxxxx]
Sent: Friday, August 15, 2008 1:05 PM
To: douglas.leeder@xxxxxxxxxx
Cc: Press, Jonathan; alan@xxxxxxxxxxxxxxxxxxx; andi@xxxxxxxxxxxxxx;

Arjan van de

Ven; hch@xxxxxxxxxxxxx; Helge Hafting; linux-kernel@xxxxxxxxxxxxxxx;

malware-

list@xxxxxxxxxxxxxxxx; Peter Zijlstra; viro@xxxxxxxxxxxxxxxxxx
Subject: Re: [malware-list] TALPA - a threat model? well sorta.

Not to mention removable media - it might be old hat, but

infected/malware

files can come in on floppies, CDs or USB flash discs careless left

on the

pavement outside an office.

That's not a problem given the scanning model proposed by Eric; when
you insert removable media, it will get scanned when it is first
accessed.

That is exactly the idea. However, the context of this particular
thread was the following statement by Helge Hafting:

It seems to me that this "scan on file open" business is the
wrong way to do things - because it reduces performance.

If you scan on file open, then your security sw is too late and getting in the way.

We were just pointing out that this is not a good argument in practical
terms AGAINST scanning on open. In fact, your reply completely
reinforces that point.

Scanning on open should be a last resort. Scan in advance when you can.
Of course, removable media cannot be scanned until it is inserted and mounted,
that is obvious. The scanning can start as soon as the filesystem is mounted though,
there is no reason to wait until users try to access something.

A CD inserted into a CD-server may not necessarily be needed immediately, so
scanning in advance will help here too. The user inserting a CD in a home
computer may start to use stuff right away, or perhaps he spends
some time reading the docs before a complicated install. Sill room for some
scanning in advance, which also may end up with the nice effect of caching the CD.

Helge Hafting

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: KOSAKI Motohiro: "Re: No, really, stop trying to delete slab until you've finished making slub perform as well"
Previous message: Mel Gorman: "Re: [PATCH] mm: mminit_loglevel cannot be __meminitdata anymore"
In reply to: Helge Hafting: "Re: [malware-list] TALPA - a threat model? well sorta."
Next in thread: Peter Zijlstra: "Re: [malware-list] TALPA - a threat model? well sorta."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]