| |||||||||||||
Kernel-based malware scanningKernel-based malware scanningPosted Dec 10, 2007 15:50 UTC (Mon) by jzbiciak (✭ supporter ✭, #5246)In reply to: Kernel-based malware scanning by i3839 Parent article: Kernel-based malware scanning
How about the statically linked emergency boot shell? Now every shell script is a "statically linked app." Also, someone could purposefully statically link an otherwise innocuous bit of code and use it as a conduit. That is, the "installation" procedure for some bit of malware might include an additional level of indirection. LD_PRELOAD could work for many things, but it strikes me as leaving too many holes, more than the "scan on open" approach does. (Now, if "scan on open" also made a temporary read-only copy for all readers/executers, a'la RCU, you might have something!)
(Log in to post comments)
Kernel-based malware scanning Posted Dec 10, 2007 17:52 UTC (Mon) by i3839 (guest, #31386) [Link] Why would a malicious app bother opening other malicious apps if it can do whatever it wants all ready? You're missing the point. The only purpose of the file scanning talked about here is to detect malicious software when it's installed/downloaded/saved on disk. When you have malicious software doing whatever it wants you've already lost. "Scan on open" isn't good enough to prevent malicious apps from writing other malicious files anyway. For more details read the lkml thread. Shell scripts aren't statically linked apps at all, it's just the shell running, in general a dynamically linked bash, so LD_PRELOAD will work for them fine. We're talking about damn virus scanners here, not a security framework (The former is mostly about detection, the latter mostly about damage mitigation). If you want your own brew of security then write an LSM module, or SELinux ruleset, but if you want to do something as simple as file scanning then just do it with a preloaded lib.
|
|||||||||||||