lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20080815132227.6BF0431678F@pmx1.sophos.com>
Date:	Fri, 15 Aug 2008 14:22:27 +0100
From:	douglas.leeder@...hos.com
To:	Theodore Tso <tytso@....edu>
Cc:	linux-kernel@...r.kernel.org,
	linux-security-module@...r.kernel.org,
	malware-list@...ts.printk.net
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro	to	alinuxinterfaceforonaccess
 scanning

malware-list-bounces@...sg.printk.net wrote on 2008-08-15 14:16:21:

> On Fri, Aug 15, 2008 at 08:57:48AM -0400, Press, Jonathan wrote:
> > That may just be a question of terminology.  If the bits are construed
> > not as clean/dirty/infected, but as "I care about this file" vs. "I
> > don't care about this file" then the rubber gloves come off.
> 
> Sure, as long as we're very clear about the semantics of the bits.  If
> the bits are not persistent, but which get dropped if the inode is
> every evicted from memory, and it's considered OK, or even desirable,
> to rescan the file when it is brought back into memory, that may be
> acceptable to the rubber gloves folks (make people go through lots
> superflous of security scans, even when they are transfering betewen
> flights --- security is always more important than passengers'
> convenience!), but perhaps not to other applications such as file
> indexers, who would view rescanning files that have already been
> scanned, and not have been modified, as a waste of time, battery, CPU
> and disk bandwidth, etc.
> 
> As I understand it, the TALPA proposal had non-persistent
> clean/dirty/infected bits.
> 
>                   - Ted

Yes the current proposal has temporary markers in the in-memory 
representation if inodes.

This is a problem for current anti-malware scanning, as virus data updates 
come every few hours
(at which point the entire clean/infected state has to be cleared), so the 
loss after a reboot is 
limited.

-- 
Douglas Leeder

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ