| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 19 Aug 2008 09:09:50 +0100 From: douglas.leeder@...hos.com To: "Peter Dolding" <oiaohm@...il.com> Cc: linux-kernel <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org, malware-list@...ts.printk.net Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning malware-list-bounces@...sg.printk.net wrote on 2008-08-19 02:15:49: > You will see latter where what you just said fails and its issue is > preventable too downloader with build in previewer. > > Funny enough solution to this is fairly simple. But does require > looking at a white list methods and LSM. > > Two major ways. White list format check method tells you that file > is not complete enough so black list scanning is not required yet. Ok > lighter than running 5000 black list signatures over it each time a > new block gets added. You seem to have some very funny ideas about what white-listing and black-listing scanners do. Checking filetypes and checking for complete/non-corrupt files is something black-listing scanners do. Where-as whitelisting: "An emerging approach in combating viruses and malware is to whitelist software which is considered safe to run, blocking all others" While ensure media files are complete could be done by a scanner that also does white-listing, I don't think it's a core part. > Dealing with bittorrent clients with built in preview is a pain in the > you know what. Since are they reading the file to send to someone > else are they reading the file to display in there internal viewer or > do they take straight from there download buffer to internal view. > Even worse lots of bittorrent streams are encrypted and cannot be > scanned while network packets. So second solution required a LSM > around the downloader preventing it in case of breach being able to go > anywhere in the system. LSM only allows access to files that the > downloader has downloaded by other applications with more rights when > its pasted White list and needed black list scanning. So? We not talking about throwing away LSM, or replacing it in any way. This discussion is about an additional scanning path, for files, for any kind of content-based scanning. > > Getting this to work without using white list of known format method > and LSM is basically imposable because a black list is going to take > far to much cpu time scanning incomplete files. So? > Lot of windows anti-virus people are way too focused on black list. > White list might annoy you from time to time but it can also grant > features that users may not want to give up. The thing is Windows has had built-in white-listing for a long time, and yet there is still a market for AV scanners, this suggests people don't like white-listing. Also consider all of the problems and criticism Vista's UAC has had. And UAC is only white-listing privileged operations. -- Douglas Leeder Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom. Company Reg No 2096520. VAT Reg No GB 348 3873 20. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists