Re: [malware-list] scanner interface proposal was: [TALPA] Intro to alinux interface for on access scanning

[David Collier-Brown]

tvrtko.ursulin wrote:
> > Huh? I was never advocating re-scan after each modification and I even 
> > explicitly said it does not make sense for AV not only for performance but 
> > because it will be useless most of the time. I thought sending out 
> > modified notification on close makes sense because it is a natural point, 
> > unless someone is trying to subvert which is out of scope. Other have 
> > suggested time delay and lumping up.

Alan Cox wrote: 
> You need a bit more than close I imagine, otherwise I can simply keep the
> file open forever. There are lots of cases where that would be natural
> behaviour - eg if I was to attack some kind of web forum and insert a
> windows worm into the forum which was database backed the file would
> probably never be closed. That seems to be one of the more common attack
> vectors nowdays.

 I suspect we're saying "on close" when what's really meant is
"opened for write". In the latter case, the notification would tell
the user-space program to watch for changes, possibly by something as
simple as doing a stat now and another when it gets around to 
deciding if it should scan the file. I see lots of room for
user-space alternatives for change detection, depending on how much
state it keeps. Rsync-like, perhaps?

--dave
--
David Collier-Brown            | Always do right. This will gratify
Sun Microsystems, Toronto      | some people and astonish the rest
davecb@xxxxxxx                 |                      -- Mark Twain
cell: (647) 833-9377, bridge: (877) 385-4099 code: 506 9191#
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/