Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon accessscanning

From: douglas . leeder
Date: Mon Aug 18 2008 - 06:54:26 EST

Next message: Nick Piggin: "Re: SCHED_FIFO and SCHED_RR broken by cfs"
Previous message: Rob Meijer: "Re: scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning"
In reply to: Peter Dolding: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning"
Next in thread: Peter Dolding: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

malware-list-bounces@xxxxxxxxxxxxxxxx wrote on 2008-08-18 01:11:24:

> In answer to the small enough set of files idea. The simple issue is
> that one time cost of black list scanning gets longer and longer and
> longer as the black list gets longer and longer and longer. Sooner
> or latter its going to be longer than the amount of time people are
> prepared to wait for a file to be approved and longer than the time
> taken to white list scan the file by a large margin. It is already
> longer by a large margin to white list scanning. CPU sizes not
> expanding as fast on Linux kind brings the black list o heck problem
> sooner. Lot of anti-virus black lists are embeding white lists
> methods so they can operate now inside the time window. The wall is
> coming and its simply not avoidable all they are currently doing is
> just stopping themselves from going splat into it. White list methods
> will have to become more dominate one day there is no other path
> forward for scanning content.

The problem with white-lists is who gets to decide what's on them:

a) The end-user: Easy to get around - a social engineering attack.
The problem is if you make all the good applications the
user downloads appear identical to any random malware they
download, the end-users will treat them the same.

b) The network administrator: Often doesn't exist (e.g. home users), but
even when they do exist, they are often too over-worked to
handle a white-listing solution. For example Windows provides
white-listing in policies (AFAIK), but still there is a market
for AV software.
The admin probably ends up authorizing anything the end-users
want.
(Thus leading to the same problems as a)...)

c) The White-listing software company: Now has to maintain a perfect
database
of known-good software, without letting in any malware.
Also problems with edge-cases such as adware.
Also needs some way of handling private software, and
self-compiled software.
(which probably leads to a) or b)...)

d) Third-party: All the problems of c) with more trust issues, plus
iphone-ish lock-in problems.

The other problem that I can see is that white-list scanners have to be
much more exact on the matching (either checksums or signatures), as the
malware authors will be trying to look-like authorized software.

black-list scanners can afford heuristic detection, because good-software
authors
aren't trying to look like malware.

--
Douglas Leeder

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Nick Piggin: "Re: SCHED_FIFO and SCHED_RR broken by cfs"
Previous message: Rob Meijer: "Re: scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning"
In reply to: Peter Dolding: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning"
Next in thread: Peter Dolding: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]