User: Password:
Subscribe / Log in / New account

Kernel-based malware scanning

Kernel-based malware scanning

Posted Dec 6, 2007 13:29 UTC (Thu) by NRArnot (subscriber, #3033)
Parent article: Kernel-based malware scanning

If they want a filestore with an integrated scanner running in userspace, why don't they
implement it with FUSE (and an ordinary filestore as the data store)?

(Log in to post comments)

Kernel-based malware scanning

Posted Dec 7, 2007 13:56 UTC (Fri) by i3839 (guest, #31386) [Link]

Or better, just use LD_PRELOAD to run the scanner when wanted, all in user space.

Kernel-based malware scanning

Posted Dec 10, 2007 8:59 UTC (Mon) by jzbiciak (subscriber, #5246) [Link]

How's that work out for statically linked apps?

Kernel-based malware scanning

Posted Dec 10, 2007 12:46 UTC (Mon) by i3839 (guest, #31386) [Link]

What statically linked apps?

And more precisely, which ones do add new files to your system that you want to check?
Remember that you trust the current apps, just not new files that are added by them.

It won't work for those of course, but the current approach doesn't always work either. As a
last resort you can always use inotify or whatever to scan the files generated by static apps,
and that doesn't have to be horribly slow either if you have a clue where the files are added.
But static apps are rare, so I don't see the problem.

Kernel-based malware scanning

Posted Dec 10, 2007 15:50 UTC (Mon) by jzbiciak (subscriber, #5246) [Link]

How about the statically linked emergency boot shell?  Now every shell script is a "statically
linked app."  Also, someone could purposefully statically link an otherwise innocuous bit of
code and use it as a conduit.  That is, the "installation" procedure for some bit of malware
might include an additional level of indirection.

LD_PRELOAD could work for many things, but it strikes me as leaving too many holes, more than
the "scan on open" approach does.  (Now, if "scan on open" also made a temporary read-only
copy for all readers/executers, a'la RCU, you might have something!)

Kernel-based malware scanning

Posted Dec 10, 2007 17:52 UTC (Mon) by i3839 (guest, #31386) [Link]

Why would a malicious app bother opening other malicious apps if it can do whatever it wants
all ready? You're missing the point. The only purpose of the file scanning talked about here
is to detect malicious software when it's installed/downloaded/saved on disk. When you have
malicious software doing whatever it wants you've already lost. "Scan on open" isn't good
enough to prevent malicious apps from writing other malicious files anyway. For more details
read the lkml thread.

Shell scripts aren't statically linked apps at all, it's just the shell running, in general a
dynamically linked bash, so LD_PRELOAD will work for them fine.

We're talking about damn virus scanners here, not a security framework (The former is mostly
about detection, the latter mostly about damage mitigation). If you want your own brew of
security then write an LSM module, or SELinux ruleset, but if you want to do something as
simple as file scanning then just do it with a preloaded lib.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds