| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20080815132852.4060D376568@pmx1.sophos.com> Date: Fri, 15 Aug 2008 14:28:52 +0100 From: douglas.leeder@...hos.com To: unlisted-recipients:; (no To-header on input) Cc: linux-kernel@...r.kernel.org, linux-security-module@...r.kernel.org, malware-list@...ts.printk.net, malware-list-bounces@...sg.printk.net, Theodore Tso <tytso@....edu> Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforonaccess scanning malware-list-bounces@...sg.printk.net wrote on 2008-08-15 14:22:27: > malware-list-bounces@...sg.printk.net wrote on 2008-08-15 14:16:21: > > > On Fri, Aug 15, 2008 at 08:57:48AM -0400, Press, Jonathan wrote: > > > That may just be a question of terminology. If the bits are construed > > > not as clean/dirty/infected, but as "I care about this file" vs. "I > > > don't care about this file" then the rubber gloves come off. > > > > Sure, as long as we're very clear about the semantics of the bits. If > > the bits are not persistent, but which get dropped if the inode is > > every evicted from memory, and it's considered OK, or even desirable, > > to rescan the file when it is brought back into memory, that may be > > acceptable to the rubber gloves folks (make people go through lots > > superflous of security scans, even when they are transfering betewen > > flights --- security is always more important than passengers' > > convenience!), but perhaps not to other applications such as file > > indexers, who would view rescanning files that have already been > > scanned, and not have been modified, as a waste of time, battery, CPU > > and disk bandwidth, etc. > > > > As I understand it, the TALPA proposal had non-persistent > > clean/dirty/infected bits. > > > > - Ted > > Yes the current proposal has temporary markers in the in-memory > representation if inodes. > > This is a problem for current anti-malware scanning, as virus data updates > come every few hours > (at which point the entire clean/infected state has to be cleared), so the > loss after a reboot is > limited. Of course I mean't NOT a problem... -- Douglas Leeder Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom. Company Reg No 2096520. VAT Reg No GB 348 3873 20. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists