[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.1.10.0808150924260.15109@asgard.lang.hm>
Date: Fri, 15 Aug 2008 09:25:25 -0700 (PDT)
From: david@...g.hm
To: "Press, Jonathan" <Jonathan.Press@...com>
cc: Peter Zijlstra <peterz@...radead.org>,
Helge Hafting <helge.hafting@...el.hist.no>,
linux-kernel@...r.kernel.org, malware-list@...ts.printk.net,
hch@...radead.org, andi@...stfloor.org, viro@...IV.linux.org.uk,
alan@...rguk.ukuu.org.uk, Arjan van de Ven <arjan@...radead.org>
Subject: RE: [malware-list] TALPA - a threat model? well sorta.
On Fri, 15 Aug 2008, Press, Jonathan wrote:
>> -----Original Message-----
>> From: malware-list-bounces@...sg.printk.net [mailto:malware-list-
>> bounces@...sg.printk.net] On Behalf Of Peter Zijlstra
>> Sent: Friday, August 15, 2008 6:37 AM
>> To: Helge Hafting
>> Cc: linux-kernel@...r.kernel.org; malware-list@...ts.printk.net;
> hch@...radead.org;
>> andi@...stfloor.org; viro@...IV.linux.org.uk;
> alan@...rguk.ukuu.org.uk; Arjan van
>> de Ven
>> Subject: Re: [malware-list] TALPA - a threat model? well sorta.
>>
>> On Fri, 2008-08-15 at 12:07 +0200, Helge Hafting wrote:
>>> It seems to me that this "scan on file open" business is the
>>> wrong way to do things - because it reduces performance.
>>>
>>> If you scan on file open, then your security sw is too late and
>>> getting in the way.
>
> The problem is that you have to account for the cases where the malware
> made it onto the system even if you were trying to catch it ahead of
> time. For example:
>
> - Administrator turns off or reduces AV protection for some reason for
> some period of time. It happens all the time.
according to the threat model actions of the administrator do not matter.
David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists