From: Alan Cox <alan-AT-lxorguk.ukuu.org.uk>
To: Greg KH <greg-AT-kroah.com>
Subject: Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for on access scanning
Date: Tue, 5 Aug 2008 21:17:32 +0100
Cc: "Press, Jonathan" <Jonathan.Press-AT-ca.com>, Arjan van de Ven <arjan-AT-infradead.org>, Eric Paris <eparis-AT-redhat.com>, linux-kernel-AT-vger.kernel.org,
> > However, I want to point out that scanning on close is still an integral
> > part of AV protection, even if intercepting opens and execs
> > theoretically catches everything.
> Great, then put a hook in glibc and catch all closes and then kick off
> your scanning.
deferred close via mmap
etc etc etc
You can't just armwave it into glibc, that doesn't hold water. You also
have shared state between processes (index on last close of a handle
shared by several threads or processes).
Same problem you have in the indexing business (which also wants the
close hook) - aside from all the practical issues that LD_PRELOAD tends
to turn up.
I'm not actually interested in the AV stuff, but content indexing I do
care about and we do need a way to get notification up to user space.
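The "deferred close via mmap" point above, shown as an added demonstration (not code from the thread or from TALPA): a hypothetical user-space scan-on-close wrapper, `scanning_close`, snapshots the file when the descriptor is closed, yet the process keeps writing through a MAP_SHARED mapping afterwards, so what the hook saw and what ends up on disk differ. Paths and names are constructed for the example.

```c
// Added example: why a glibc/LD_PRELOAD close() hook cannot reliably scan
// "final" file content. Writes through an mmap'd region continue after the
// descriptor is closed, so the hook's view of the file is already stale.
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static char seen_at_close[16];  // what the hypothetical hook "scanned"

/* Hypothetical user-space scan-on-close wrapper: reads the file content at
 * close() time (as an LD_PRELOAD close() replacement would), then closes. */
static int scanning_close(int fd) {
    ssize_t n = pread(fd, seen_at_close, sizeof seen_at_close - 1, 0);
    seen_at_close[n > 0 ? n : 0] = '\0';
    return close(fd);
}

/* Returns 1 if the close-time snapshot matches the file's final content,
 * 0 if the mmap write slipped past the close hook, -1 on setup error. */
int close_hook_saw_final_content(void) {
    char path[] = "/tmp/talpa-demo-XXXXXX";  // constructed temp file
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    const char initial[] = "clean__";         // 8 bytes incl. NUL
    if (write(fd, initial, sizeof initial) != (ssize_t)sizeof initial) return -1;
    char *map = mmap(NULL, sizeof initial, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) return -1;
    scanning_close(fd);             // hook runs here and snapshots "clean__"
    memcpy(map, "changed", 7);      // write continues through the mapping
    msync(map, sizeof initial, MS_SYNC);
    munmap(map, sizeof initial);    // only now has the data really "closed"
    char final_content[16] = {0};
    int rfd = open(path, O_RDONLY);
    ssize_t n = read(rfd, final_content, sizeof final_content - 1);
    close(rfd);
    unlink(path);
    if (n < 0) return -1;
    return strcmp(seen_at_close, final_content) == 0;
}

int main(void) {
    printf("hook saw final content: %d\n", close_hook_saw_final_content());
    return 0;
}
```

The same gap exists for a descriptor shared across fork() or threads: the wrapper fires in one process while another still holds the file open, which is why the reply argues for notification from the kernel side.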