[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <alpine.DEB.1.10.0808142228450.12859@asgard.lang.hm>
Date: Thu, 14 Aug 2008 22:33:30 -0700 (PDT)
From: david@...g.hm
To: Eric Paris <eparis@...hat.com>
cc: Theodore Tso <tytso@....edu>, Rik van Riel <riel@...hat.com>,
davecb@....com, linux-security-module@...r.kernel.org,
Adrian Bunk <bunk@...nel.org>,
Mihai Don??u <mdontu@...defender.com>,
linux-kernel@...r.kernel.org, malware-list@...ts.printk.net,
Pavel Machek <pavel@...e.cz>,
Arjan van de Ven <arjan@...radead.org>
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to alinuxinterfaceforon
access scanning
On Thu, 14 Aug 2008, david@...g.hm wrote:
> again, libmalware.so is not referring to any specific body of code, it's
> referring to the concept that the handling of open/mmap/read/etc and scanning
> is done via a userspace library rather then by the kernel. if everyone can
> agree on that concept then hashing out the details of _which_ library it gets
> put in is a smaller detail.
one reason to layer scanners is that you could have one that just checks
to see if the file was deployed from a OS package, if it was (and still
has the same hash as the package manager thinks it should have) it sets a
flag that other scanners could look for (if they see it they can skip
scanning the file)
David Lang
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists