|From:||Alan Cox <alan-AT-lxorguk.ukuu.org.uk>|
|To:||Greg KH <greg-AT-kroah.com>|
|Subject:||Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning|
|Date:||Tue, 5 Aug 2008 21:17:32 +0100|
|Cc:||"Press, Jonathan" <Jonathan.Press-AT-ca.com>, Arjan van de Ven <arjan-AT-infradead.org>, Eric Paris <eparis-AT-redhat.com>, linux-kernel-AT-vger.kernel.org, malware-list-AT-lists.printk.net, linux-security-module-AT-vger.kernel.org|
> > However, I want to point out that scanning on close is still an integral > > part of AV protection, even if intercepting opens and execs > > theoretically catches everything. > > Great, then put a hook in glibc and catch all closes and then kick off > your scanning. kill -9 deferred close via mmap etc etc etc You can't just armwave it into glibc, that doesn't hold water. You also have shared state between processes (index on last close of a handle shared by several threads or processes). Same problem you have in the indexing business (which also wants the close hook) - aside from all the practical issues that LD_PRELOAD tends to turn up. I'm not actually interested in the AV stuff, but content indexing I do care about and we do need a way to get notification up to user space. Alan -- To unsubscribe from this list: send the line "unsubscribe linux-security-module" in the body of a message to firstname.lastname@example.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds