Kernel-based malware scanning

Kernel-based malware scanning

Posted Dec 6, 2007 8:45 UTC (Thu) by rvfh (subscriber, #31018)
Parent article: Kernel-based malware scanning

What I'd really like is a fs with checksums. Once you know the checksum of the 'clean' file,
just check that of the one you're opening.

That would also help my backup, subversion, scons... which use checksums to detect file
modification.

Another way is to provide a user-space open() which loads the data, checks it, then makes it
available to the original caller I suppose.

Kernel-based malware scanning

Posted Dec 6, 2007 10:28 UTC (Thu) by james (subscriber, #1325)

How does that work with mmap? Any time a process writes to memory backed by the file, the
checksum has to be recomputed?

Kernel-based malware scanning

Posted Dec 6, 2007 14:47 UTC (Thu) by nix (subscriber, #2304)

It doesn't work if checksummed on a file-by-file basis: if the file is
large enough you can DoS-attack the system just by changing a single byte
every so often (oops, the whole file has to be reread...)

Checksummed blocks *do* work, and are useful to detect a variety of
disk-incurred problems like writes that accidentally landed in the wrong
place and so on. But this doesn't help to detect malware because malware
is using exactly the same syscalls as non-malware. If used for that
purpose it becomes like the UK ID card, where what they really want is an
`I am not a terrorist' card...

What Talpa is doing, instead, is using what amounts to a huge mugshot
database of known bad guys. Unfortunately for them there's no right time
to check the data written against the mugshot, and whatever method they
use the next generation of malware will specifically evade...
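An added example (not part of the thread) contrasting the two schemes nix describes: a whole-file checksum that must reread the entire file after every one-byte write, against per-block checksums that recompute only the block the write touched. The 4 KiB block size, the sample file content and the write pattern are assumptions of the example.

```python
from __future__ import annotations
import hashlib

BLOCK_SIZE = 4096  # assumed block size for this demonstration


def block_checksums(data: bytes, block_size: int = BLOCK_SIZE) -> list[str]:
    """One SHA-256 digest per fixed-size block (the last block may be short)."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def apply_write(data: bytes, offset: int, payload: bytes) -> bytes:
    """Return a copy of data with payload written in place at offset (no growth)."""
    if offset < 0 or offset + len(payload) > len(data):
        raise ValueError("write outside file bounds")
    return data[:offset] + payload + data[offset + len(payload):]


def update_block_checksums(data: bytes, sums: list[str], offset: int, length: int,
                           block_size: int = BLOCK_SIZE) -> tuple[list[str], int]:
    """Recompute only the blocks a write touched; return (new sums, bytes reread)."""
    first, last = offset // block_size, (offset + length - 1) // block_size
    new_sums, reread = list(sums), 0
    for b in range(first, last + 1):
        chunk = data[b * block_size:(b + 1) * block_size]
        new_sums[b] = hashlib.sha256(chunk).hexdigest()
        reread += len(chunk)
    return new_sums, reread


def verify_blocks(data: bytes, expected: list[str], block_size: int = BLOCK_SIZE) -> list[int]:
    """Indices of blocks whose current checksum differs from the recorded one."""
    current = block_checksums(data, block_size)
    return [i for i, (c, e) in enumerate(zip(current, expected)) if c != e]


def demo(file_size: int = 64 * 1024, writes: int = 10) -> dict:
    """Constructed file plus scattered single-byte writes; compare bytes reread per scheme."""
    data = bytes(i % 251 for i in range(file_size))  # constructed sample content
    sums = block_checksums(data)
    per_file = per_block = 0
    for n in range(writes):
        offset = (n * 7919) % file_size  # scatter the writes across the file
        data = apply_write(data, offset, b"\xff")
        per_file += len(data)  # a whole-file checksum must reread every byte
        sums, cost = update_block_checksums(data, sums, offset, 1)
        per_block += cost
    # sums now matches the modified file, so verification reports no mismatches
    return {"per_file_bytes": per_file, "per_block_bytes": per_block,
            "mismatches": verify_blocks(data, sums)}
```

Either scheme only reports that bytes changed; as the comment notes, it says nothing about whether the change was malicious.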

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds