LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for February 9, 2012

XBMC 11 "Eden"

LWN.net Weekly Edition for February 2, 2012

A tempest in a toybox

LWN.net Weekly Edition for January 26, 2012

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Kernel-based malware scanning

Kernel-based malware scanning

Posted Dec 10, 2007 17:52 UTC (Mon) by i3839 (subscriber, #31386)
In reply to: Kernel-based malware scanning by jzbiciak
Parent article: Kernel-based malware scanning 

Why would a malicious app bother opening other malicious apps if it can do whatever it wants
all ready? You're missing the point. The only purpose of the file scanning talked about here
is to detect malicious software when it's installed/downloaded/saved on disk. When you have
malicious software doing whatever it wants you've already lost. "Scan on open" isn't good
enough to prevent malicious apps from writing other malicious files anyway. For more details
read the lkml thread.

Shell scripts aren't statically linked apps at all, it's just the shell running, in general a
dynamically linked bash, so LD_PRELOAD will work for them fine.

We're talking about damn virus scanners here, not a security framework (The former is mostly
about detection, the latter mostly about damage mitigation). If you want your own brew of
security then write an LSM module, or SELinux ruleset, but if you want to do something as
simple as file scanning then just do it with a preloaded lib.

(Log in to post comments)

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds