lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20080818153212.6A6FD33687F@pmx1.sophos.com>
Date:	Mon, 18 Aug 2008 16:31:09 +0100
From:	tvrtko.ursulin@...hos.com
To:	Theodore Tso <tytso@....edu>
Cc:	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Arjan van de Ven <arjan@...radead.org>,
	Adrian Bunk <bunk@...nel.org>, capibara@...all.nl,
	Casey Schaufler <casey@...aufler-ca.com>, davecb@....com,
	david@...g.hm, linux-kernel <linux-kernel@...r.kernel.org>,
	linux-security-module@...r.kernel.org,
	malware-list@...ts.printk.net,
	malware-list-bounces@...sg.printk.net,
	Mihai Don??u <mdontu@...defender.com>,
	Peter Dolding <oiaohm@...il.com>, Pavel Machek <pavel@...e.cz>,
	rmeijer@...all.nl
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro	to a linux
 interface for on access scanning

Theodore Tso <tytso@....edu> wrote on 18/08/2008 15:25:11:

> On Mon, Aug 18, 2008 at 02:15:24PM +0100, tvrtko.ursulin@...hos.com 
wrote:
> > Then there is still a question of who allows some binary to declare 
itself 
> > exempt. If that decision was a mistake, or it gets compromised 
security 
> > will be off. A very powerful mechanism which must not be easily 
> > accessible.  With a good cache your worries go away even without a 
scheme 
> > like this.
> 
> I have one word for you --- bittorrent.  If you are downloading a very
> large torrent (say approximately a gigabyte), and it contains many
> pdf's that are say a few megabytes a piece, and things are coming in
> tribbles, having either a indexing scanner or an AV scanner wake up
> and rescan the file from scratch each time a tiny piece of the pdf
> comes in is going to eat your machine alive....

Huh? I was never advocating re-scan after each modification and I even 
explicitly said it does not make sense for AV not only for performance but 
because it will be useless most of the time. I thought sending out 
modified notification on close makes sense because it is a natural point, 
unless someone is trying to subvert which is out of scope. Other have 
suggested time delay and lumping up.

Also, just to double-check, you don't think AV scanning would read the 
whole file on every write?

--
Tvrtko A. Ursulin
Senior Software Engineer, Sophos

"Views and opinions expressed in this email are strictly those of the 
author.
 The contents has not been reviewed or approved by Sophos."
 

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ