[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20080818155925.DC73A376469@pmx1.sophos.com>
Date: Mon, 18 Aug 2008 16:58:23 +0100
From: tvrtko.ursulin@...hos.com
To: Alan Cox <alan@...rguk.ukuu.org.uk>
Cc: Arjan van de Ven <arjan@...radead.org>,
Adrian Bunk <bunk@...nel.org>, capibara@...all.nl,
Casey Schaufler <casey@...aufler-ca.com>, davecb@....com,
david@...g.hm, linux-kernel <linux-kernel@...r.kernel.org>,
linux-security-module@...r.kernel.org,
malware-list@...ts.printk.net,
malware-list-bounces@...sg.printk.net,
Mihai Don??u <mdontu@...defender.com>,
Peter Dolding <oiaohm@...il.com>, Pavel Machek <pavel@...e.cz>,
rmeijer@...all.nl, Theodore Tso <tytso@....edu>
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux
interface for on access scanning
Alan Cox <alan@...rguk.ukuu.org.uk> wrote on 18/08/2008 16:31:48:
> > Huh? I was never advocating re-scan after each modification and I even
> > explicitly said it does not make sense for AV not only for performance
but
> > because it will be useless most of the time. I thought sending out
> > modified notification on close makes sense because it is a natural
point,
> > unless someone is trying to subvert which is out of scope. Other have
> > suggested time delay and lumping up.
>
> You need a bit more than close I imagine, otherwise I can simply keep
the
> file open forever. There are lots of cases where that would be natural
> behaviour - eg if I was to attack some kind of web forum and insert a
> windows worm into the forum which was database backed the file would
> probably never be closed. That seems to be one of the more common attack
> vectors nowdays.
Yes, I agree that modification notifications are needed in some cases.
> > Also, just to double-check, you don't think AV scanning would read the
> > whole file on every write?
>
> So you need the system to accumulate some kind of complete in memory set
> of 'dirty' range lists on all I/O ? That is going to have pretty bad
> performance impacts and serialization.
No, I was just saying scanning is pretty smart, it's not some brute force
method of scan all data that is there. It has a file type detection and
what and how to scan is determined by that. If a file does not resemble
any file type I don't think it gets scanned. For example take couple of
gigabytes of zeros and try to scan that with some products. I don't think
they will try to read the whole file.
--
Tvrtko A. Ursulin
Senior Software Engineer, Sophos
"Views and opinions expressed in this email are strictly those of the
author.
The contents has not been reviewed or approved by Sophos."
Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.
Company Reg No 2096520. VAT Reg No GB 348 3873 20.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists