[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20080815131820.053BF31679D@pmx1.sophos.com>
Date: Fri, 15 Aug 2008 14:18:12 +0100
From: douglas.leeder@...hos.com
To: "Press, Jonathan" <Jonathan.Press@...com>
Cc: alan@...rguk.ukuu.org.uk, andi@...stfloor.org,
Arjan van de Ven <arjan@...radead.org>, hch@...radead.org,
"Helge Hafting" <helge.hafting@...el.hist.no>,
linux-kernel@...r.kernel.org, malware-list@...ts.printk.net,
"Peter Zijlstra" <peterz@...radead.org>, viro@...IV.linux.org.uk
Subject: Re: [malware-list] TALPA - a threat model? well sorta.
Jon Press wrote on 2008-08-15 14:10:21:
> > -----Original Message-----
> > From: malware-list-bounces@...sg.printk.net [mailto:malware-list-
> > bounces@...sg.printk.net] On Behalf Of Peter Zijlstra
> > Sent: Friday, August 15, 2008 6:37 AM
> > To: Helge Hafting
> > Cc: linux-kernel@...r.kernel.org; malware-list@...ts.printk.net;
> hch@...radead.org;
> > andi@...stfloor.org; viro@...IV.linux.org.uk;
> alan@...rguk.ukuu.org.uk; Arjan van
> > de Ven
> > Subject: Re: [malware-list] TALPA - a threat model? well sorta.
> >
> > On Fri, 2008-08-15 at 12:07 +0200, Helge Hafting wrote:
> > > It seems to me that this "scan on file open" business is the
> > > wrong way to do things - because it reduces performance.
> > >
> > > If you scan on file open, then your security sw is too late and
> > > getting in the way.
>
> The problem is that you have to account for the cases where the malware
> made it onto the system even if you were trying to catch it ahead of
> time. For example:
>
> - Administrator turns off or reduces AV protection for some reason for
> some period of time. It happens all the time.
>
> - New infection makes it onto the machine before the signatures have
> caught up with it. This also happens. There is an ongoing PR race
> among AV vendors about who was faster on the draw to get out signatures
> to detect some new malware. The fact that this race exists reflects
> that reality that there is some window during which new malware will
> make it onto some number of machines before the scanners catch up.
>
Not to mention removable media - it might be old hat, but infected/malware
files can come in on floppies, CDs or USB flash discs careless left on the
pavement outside an office.
--
Douglas Leeder
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists