Open Source and information security mailing list archives
Date:	Fri, 15 Aug 2008 14:18:12 +0100
From:	douglas.leeder@...hos.com
To:	"Press, Jonathan" <Jonathan.Press@...com>
Cc:	alan@...rguk.ukuu.org.uk, andi@...stfloor.org,
	Arjan van de Ven <arjan@...radead.org>, hch@...radead.org,
	"Helge Hafting" <helge.hafting@...el.hist.no>,
	linux-kernel@...r.kernel.org, malware-list@...ts.printk.net,
	"Peter Zijlstra" <peterz@...radead.org>, viro@...IV.linux.org.uk
Subject: Re: [malware-list] TALPA - a threat model?  well sorta.

Jon Press wrote on 2008-08-15 14:10:21:

> > -----Original Message-----
> > From: malware-list-bounces@...sg.printk.net [mailto:malware-list-
> > bounces@...sg.printk.net] On Behalf Of Peter Zijlstra
> > Sent: Friday, August 15, 2008 6:37 AM
> > To: Helge Hafting
> > Cc: linux-kernel@...r.kernel.org; malware-list@...ts.printk.net;
> hch@...radead.org;
> > andi@...stfloor.org; viro@...IV.linux.org.uk;
> alan@...rguk.ukuu.org.uk; Arjan van
> > de Ven
> > Subject: Re: [malware-list] TALPA - a threat model? well sorta.
> > 
> > On Fri, 2008-08-15 at 12:07 +0200, Helge Hafting wrote:
> > > It seems to me that this "scan on file open" business is the
> > > wrong way to do things - because it reduces performance.
> > >
> > > If you scan on file open, then your security sw is too late and
> > > getting in the way.
> 
> The problem is that you have to account for the cases where the malware
> made it onto the system even if you were trying to catch it ahead of
> time.  For example:
> 
> - Administrator turns off or reduces AV protection for some reason for
> some period of time.  It happens all the time.
> 
> - New infection makes it onto the machine before the signatures have
> caught up with it.  This also happens.  There is an ongoing PR race
> among AV vendors about who was faster on the draw to get out signatures
> to detect some new malware.  The fact that this race exists reflects
> the reality that there is some window during which new malware will
> make it onto some number of machines before the scanners catch up.
> 

Not to mention removable media - it might be old hat, but infected/malware
files can come in on floppies, CDs or USB flash discs carelessly left on the
pavement outside an office.

-- 
Douglas Leeder

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.
