User: Password:
Subscribe / Log in / New account

Kernel-based malware scanning

Kernel-based malware scanning

Posted Dec 6, 2007 14:47 UTC (Thu) by nix (subscriber, #2304)
In reply to: Kernel-based malware scanning by james
Parent article: Kernel-based malware scanning

It doesn't work if checksummed on a file-by-file basis: if the file is 
large enough you can DoS-attack the system just by changing a single byte 
every so often (oops, the whole file has to be reread...)

Checksummed blocks *do* work, and are useful to detect a variety of 
disk-incurred problems like writes that accidentally landed in the wrong 
place and so on. But this doesn't help to detect malware because malware 
is using exactly the same syscalls as non-malware. If used for that 
purpose it becomes like the UK ID card, where what they really want is an 
`I am not a terrorist' card...

What Talpa is doing, instead, is using what amounts to a huge mugshot 
database of known bad guys. Unfortunately for them there's no right time 
to check the data written against the mugshot, and whatever method they 
use the next generation of malware will specifically evade...

(Log in to post comments)

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds