Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux
interfaceforon access scanning
[Posted August 5, 2008 by corbet]
| From: |
| Alan Cox <alan-AT-lxorguk.ukuu.org.uk> |
| To: |
| Greg KH <greg-AT-kroah.com> |
| Subject: |
| Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux
interfaceforon access scanning |
| Date: |
| Tue, 5 Aug 2008 21:17:32 +0100 |
| Message-ID: |
| <20080805211732.1bb4346e@lxorguk.ukuu.org.uk> |
| Cc: |
| "Press, Jonathan" <Jonathan.Press-AT-ca.com>,
Arjan van de Ven <arjan-AT-infradead.org>,
Eric Paris <eparis-AT-redhat.com>, linux-kernel-AT-vger.kernel.org,
malware-list-AT-lists.printk.net,
linux-security-module-AT-vger.kernel.org |
| Archive‑link: | |
Article |
> > However, I want to point out that scanning on close is still an integral
> > part of AV protection, even if intercepting opens and execs
> > theoretically catches everything.
>
> Great, then put a hook in glibc and catch all closes and then kick off
> your scanning.
kill -9
deferred close via mmap
etc etc etc
You can't just armwave it into glibc, that doesn't hold water. You also
have shared state between processes (index on last close of a handle
shared by several threads or processes).
Same problem you have in the indexing business (which also wants the
close hook) - aside from all the practical issues that LD_PRELOAD tends
to turn up.
I'm not actually interested in the AV stuff, but content indexing I do
care about and we do need a way to get notification up to user space.
Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
