LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Propriatory Anti-virus worse then Viruses.

Propriatory Anti-virus worse then Viruses.

Posted Oct 24, 2006 3:11 UTC (Tue) by drag (subscriber, #31333)
Parent article: Critical Linux security API is still a kludge (Inquirer)

Ok... Doesn't your system already have a API for responding to file system events?

So setup a daemon to monitor inotify events on user-writable directories and run clamav (or favorite alternative) on files that got written to. That should be all you'd ever need.

PROBLEM SOLVED.

That's it. What else would you need?

Set it up as a service for KDE or Gnome. I am sure that the Beagle guys would be able to integrate it so that files get scanned when they get indexed. Something like that to make it efficient as possible, but the basic concept is very simple.

Oh and that isn't good enough and root gets infected then your screwed anyways.

Also somebody needs to point out to the author of that article that propriatory antivirus software has openned up more holes by running this complex crap as root then any thing remotely virus-like.

(Log in to post comments)

Propriatory Anti-virus worse then Viruses.

Posted Oct 24, 2006 18:17 UTC (Tue) by orospakr (guest, #40684) [Link]

Actually, it wouldn't be quite the same thing, because I think the special capability that the AV vendors on Windows get is blocking the application while the AV scans the file. If the file turns out to be malicious, it would simply cause the read operation to fail.

An inotify-based AV scanner would introduce a race condition. The AV would pick up the virus, sure, but if the file were executed (or perhaps loaded into a vulnerable user application with a buffer overflow or similar) in the meantime, it would already be too late. In the case of a write-based inotify AV scanner, the file might get executed before the AV scanner checking the written file had completed its task.

That said, the REAL solution here is to simply *not run untrusted code* on your computer, unless it's done in a contained jail/vm/emulator environment.

Untrusted data files (perhaps evil word processing documents with macro viruses, buffer overflow exploits, etc.) should be scanned with the AV tool as they come in via the channel from the outside world *before* they touch any other trusted system components.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds