Propriatory Anti-virus worse then Viruses.

Posted Oct 24, 2006 18:17 UTC (Tue) by orospakr (guest, #40684)
In reply to: Propriatory Anti-virus worse then Viruses. by drag
Parent article: Critical Linux security API is still a kludge (Inquirer)

Actually, it wouldn't be quite the same thing, because I think the special capability that the AV vendors on Windows get is blocking the application while the AV scans the file. If the file turns out to be malicious, it would simply cause the read operation to fail.

An inotify-based AV scanner would introduce a race condition. The AV would pick up the virus, sure, but if the file were executed (or perhaps loaded into a vulnerable user application with a buffer overflow or similar) in the meantime, it would already be too late. In the case of a write-based inotify AV scanner, the file might get executed before the AV scanner checking the written file had completed its task.

That said, the REAL solution here is to simply *not run untrusted code* on your computer, unless it's done in a contained jail/vm/emulator environment.

Untrusted data files (perhaps evil word processing documents with macro viruses, buffer overflow exploits, etc.) should be scanned with the AV tool as they come in via the channel from the outside world *before* they touch any other trusted system components.