| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20080805112747.2c3c4650@infradead.org> Date: Tue, 5 Aug 2008 11:27:47 -0700 From: Arjan van de Ven <arjan@...radead.org> To: "Press, Jonathan" <Jonathan.Press@...com> Cc: "Eric Paris" <eparis@...hat.com>, "Greg KH" <greg@...ah.com>, <linux-kernel@...r.kernel.org>, <malware-list@...ts.printk.net>, <linux-security-module@...r.kernel.org> Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning On Tue, 5 Aug 2008 14:04:26 -0400 "Press, Jonathan" <Jonathan.Press@...com> wrote: > > However, I want to point out that scanning on close is still an > integral part of AV protection, even if intercepting opens and execs > theoretically catches everything. but close is... very limited in value. Open is a discrete event traditionally associated withh permission checks. Close... not so. (And if you mmap memory, you can then close the file and still write to it via the mmap) Lets ask it differently: what will you do if you find something nasty? You can't fail the close... so why block for it? And if you don't block for it... all you would need is an asynchronous notification... something like... inotify -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists