Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
PostgreSQL 9.3 beta: Federated databases and more
LWN.net Weekly Edition for May 9, 2013
(Nearly) full tickless operation in 3.10
How does that work with mmap? Any time a process writes to memory backed by the file, the
checksum has to be recomputed?
Kernel-based malware scanning
Posted Dec 6, 2007 14:47 UTC (Thu) by nix (subscriber, #2304)
It doesn't work if checksummed on a file-by-file basis: if the file is
large enough you can DoS-attack the system just by changing a single byte
every so often (oops, the whole file has to be reread...)
Checksummed blocks *do* work, and are useful to detect a variety of
disk-incurred problems like writes that accidentally landed in the wrong
place and so on. But this doesn't help to detect malware because malware
is using exactly the same syscalls as non-malware. If used for that
purpose it becomes like the UK ID card, where what they really want is an
`I am not a terrorist' card...
What Talpa is doing, instead, is using what amounts to a huge mugshot
database of known bad guys. Unfortunately for them there's no right time
to check the data written against the mugshot, and whatever method they
use the next generation of malware will specifically evade...
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds