Open Source and information security mailing list archives
Date:	Sat, 16 Aug 2008 11:17:14 -0400
From:	Theodore Tso <tytso@....edu>
To:	Peter Dolding <oiaohm@...il.com>
Cc:	Arjan van de Ven <arjan@...radead.org>, david@...g.hm,
	rmeijer@...all.nl, Alan Cox <alan@...rguk.ukuu.org.uk>,
	capibara@...all.nl, Eric Paris <eparis@...hat.com>,
	Rik van Riel <riel@...hat.com>, davecb@....com,
	linux-security-module@...r.kernel.org,
	Adrian Bunk <bunk@...nel.org>,
	Mihai Donțu <mdontu@...defender.com>,
	linux-kernel@...r.kernel.org, malware-list@...ts.printk.net,
	Pavel Machek <pavel@...e.cz>
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning

On Sat, Aug 16, 2008 at 09:38:30PM +1000, Peter Dolding wrote:
> 
> UDF undelete and unhide options and ISO showassoc make more files
> appear on those formats.  UDF and ISO hidden files are one of the
> nasties.  AV scans the disk, calls it clean.  Remount it with the other
> options enabled and, nice little bit of magic, hidden infected files
> could turn up.  Black holed.
> 
> What is the worst bit about this, knowing the luck of this world?
> Some people will mount the disks/partitions with the option that
> displays the virus on an OS without an anti-virus because another
> computer said the disk was clean.

You have this problem anyway, given that AV database updates are
coming every few hours; so if you scan the disk at noon and an AV
update comes at 1pm, it may be that there was malware that wasn't
detected by the noon DB but will be detected by the 1pm DB.

And for non read-only filesystems (i.e., anything other than UDF and
ISO), anytime the filesystem is unmounted, the OS is going to have to
assume that it might have been modified by some other system before it
was remounted, so realistically you have to rescan after remounting
anyway, regardless of whether different mount options were in use.

So I draw a very different set of conclusions than yours given your
observations of all of the ways that an AV scanner might miss certain
viruses, due to things like alternate streams that might not be
visible at the time, or snapshotting filesystems where the AV scanner
might not know how to access past snapshots, and hence miss malware.

I don't believe that this means we have to cram all possible
filesystem semantics into the core VFS just for the benefit of AV
scanners.  I believe this shows the ultimate fallacy that AV scanners
can be foolproof.  They will catch some stuff, but they will never be
foolproof.  The real right answer to malware is things like not
encouraging users to run with the equivalent of Windows Administrator
privileges all the time (or training them to say "Yeah, Yeah" every
time the annoying Vista UAC dialog box comes up and click "OK"),
and using mail user agents that don't auto-run contents as soon as you
open a mail message, in the name of Microsoft's "the user wants
functionality, and we're going to let them have it" attitude.

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/
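The hidden-file behaviour Peter describes in the quoted text comes from per-record flags in the ISO 9660 directory structure, which a driver honours or ignores depending on mount options. The following Python is an added example, not code from this thread, from TALPA or from the kernel: it builds one constructed directory sector, parses it the way a driver would, and shows how the listing changes depending on which flags are honoured. The keyword names `unhide` and `showassoc` mirror the mount options mentioned in the thread, but which flag bit each one lifts here is my modelling of the ECMA-119 flag definitions (Existence and Associated File), not a transcription of the isofs driver; the file names, extents and sizes are invented.

```python
# Added example: model of ISO 9660 directory records and the file flags that
# hide entries from a default mount. Records are constructed here, not read
# from any real disc; layout and flag bits follow ECMA-119 section 9.1.
import struct
from dataclasses import dataclass

SECTOR = 2048           # ISO 9660 logical sector size
FLAG_HIDDEN = 0x01      # "Existence" bit: set means "do not show to the user"
FLAG_DIRECTORY = 0x02
FLAG_ASSOCIATED = 0x04  # "Associated File" bit

def _both32(v: int) -> bytes:
    # ECMA-119 "both-byte order": little-endian copy followed by big-endian copy
    return struct.pack("<I", v) + struct.pack(">I", v)

def make_record(name: bytes, extent_lba: int, size: int, flags: int) -> bytes:
    """Build one directory record (constructed test data)."""
    body = (
        b"\x00"                          # extended attribute record length
        + _both32(extent_lba)            # location of extent
        + _both32(size)                  # data length
        + bytes(7)                       # recording date/time, zeroed here
        + bytes([flags])                 # file flags
        + b"\x00\x00"                    # file unit size, interleave gap size
        + struct.pack("<H", 1) + struct.pack(">H", 1)  # volume sequence number
        + bytes([len(name)]) + name      # identifier length and identifier
    )
    if len(name) % 2 == 0:
        body += b"\x00"                  # pad byte when identifier length is even
    return bytes([len(body) + 1]) + body  # first byte is the record length

@dataclass
class Entry:
    name: str
    extent_lba: int
    size: int
    flags: int

def parse_records(directory: bytes) -> list:
    """Every record in a directory extent, regardless of its flags."""
    entries, off = [], 0
    while off < len(directory):
        rec_len = directory[off]
        if rec_len == 0:
            # Zero length: the rest of this sector is padding; records never
            # straddle a sector boundary, so jump to the next one.
            off = (off // SECTOR + 1) * SECTOR
            continue
        rec = directory[off:off + rec_len]
        if len(rec) < 33:
            raise ValueError(f"truncated directory record at offset {off}")
        raw = rec[33:33 + rec[32]]
        name = {b"\x00": ".", b"\x01": ".."}.get(raw, raw.decode("ascii"))
        entries.append(Entry(name, struct.unpack_from("<I", rec, 2)[0],
                             struct.unpack_from("<I", rec, 10)[0], rec[25]))
        off += rec_len
    return entries

def mounted_view(directory: bytes, unhide=False, showassoc=False) -> list:
    """Names a mounted filesystem would list. By default, records carrying the
    Existence (hidden) or Associated bit are dropped; the two keywords model
    what the mount options named in the thread switch on (an assumption)."""
    names = []
    for e in parse_records(directory):
        if e.name in (".", ".."):
            continue
        if e.flags & FLAG_HIDDEN and not unhide:
            continue
        if e.flags & FLAG_ASSOCIATED and not showassoc:
            continue
        names.append(e.name)
    return names

def build_sample_directory() -> bytes:
    """One constructed directory sector: a plain file, a hidden file and an
    associated file. Names, extents and sizes are invented for the example."""
    recs = (make_record(b"\x00", 20, SECTOR, FLAG_DIRECTORY)        # .
            + make_record(b"\x01", 19, SECTOR, FLAG_DIRECTORY)      # ..
            + make_record(b"README.TXT;1", 21, 1234, 0)
            + make_record(b"PAYLOAD.EXE;1", 22, 65536, FLAG_HIDDEN)
            + make_record(b"NOTES.TXT;1", 23, 400, FLAG_ASSOCIATED))
    return recs.ljust(SECTOR, b"\x00")

def scan_views(directory: bytes) -> dict:
    """What a scanner sees through each mount variant versus the raw records."""
    return {
        "default": mounted_view(directory),
        "unhide": mounted_view(directory, unhide=True),
        "showassoc": mounted_view(directory, showassoc=True),
        "raw": [e.name for e in parse_records(directory)],
    }

if __name__ == "__main__":
    for view, names in scan_views(build_sample_directory()).items():
        print(f"{view:>9}: {names}")
```

A scanner that only walks the mounted namespace inherits the mount options' blind spots, which is Peter's point; one that reads the directory records itself (the `raw` view) sees every entry, at the cost of having to understand each filesystem's on-disk format, which is Ted's.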
