| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-id: <48A97C42.4040103@sun.com> Date: Mon, 18 Aug 2008 09:42:26 -0400 From: David Collier-Brown <davecb@....com> To: Alan Cox <alan@...rguk.ukuu.org.uk> Cc: tvrtko.ursulin@...hos.com, Theodore Tso <tytso@....edu>, Arjan van de Ven <arjan@...radead.org>, Adrian Bunk <bunk@...nel.org>, capibara@...all.nl, Casey Schaufler <casey@...aufler-ca.com>, david@...g.hm, linux-kernel <linux-kernel@...r.kernel.org>, linux-security-module@...r.kernel.org, malware-list@...ts.printk.net, malware-list-bounces@...sg.printk.net, Mihai Don??u <mdontu@...defender.com>, Peter Dolding <oiaohm@...il.com>, Pavel Machek <pavel@...e.cz>, rmeijer@...all.nl Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning tvrtko.ursulin wrote: >>Huh? I was never advocating re-scan after each modification and I even >>explicitly said it does not make sense for AV not only for performance but >>because it will be useless most of the time. I thought sending out >>modified notification on close makes sense because it is a natural point, >>unless someone is trying to subvert which is out of scope. Other have >>suggested time delay and lumping up. Alan Cox wrote: > You need a bit more than close I imagine, otherwise I can simply keep the > file open forever. There are lots of cases where that would be natural > behaviour - eg if I was to attack some kind of web forum and insert a > windows worm into the forum which was database backed the file would > probably never be closed. That seems to be one of the more common attack > vectors nowdays. I suspect we're saying "on close" when what's really meant is "opened for write". In the latter case, the notification would tell the user-space program to watch for changes, possibly by something as simple as doing a stat now and another when it gets around to deciding if it should scan the file. I see lots of room for user-space alternatives for change detection, depending on how much state it keeps. Rsync-like, perhaps? --dave -- David Collier-Brown | Always do right. This will gratify Sun Microsystems, Toronto | some people and astonish the rest davecb@....com | -- Mark Twain cell: (647) 833-9377, bridge: (877) 385-4099 code: 506 9191# -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists