User: Password:
|
|
Subscribe / Log in / New account

Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning

From:  Alan Cox <alan-AT-lxorguk.ukuu.org.uk>
To:  Greg KH <greg-AT-kroah.com>
Subject:  Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning
Date:  Tue, 5 Aug 2008 21:17:32 +0100
Message-ID:  <20080805211732.1bb4346e@lxorguk.ukuu.org.uk>
Cc:  "Press, Jonathan" <Jonathan.Press-AT-ca.com>, Arjan van de Ven <arjan-AT-infradead.org>, Eric Paris <eparis-AT-redhat.com>, linux-kernel-AT-vger.kernel.org, malware-list-AT-lists.printk.net, linux-security-module-AT-vger.kernel.org
Archive-link:  Article

> > However, I want to point out that scanning on close is still an integral
> > part of AV protection, even if intercepting opens and execs
> > theoretically catches everything.
> 
> Great, then put a hook in glibc and catch all closes and then kick off
> your scanning.

kill -9
deferred close via mmap
etc etc etc

You can't just armwave it into glibc, that doesn't hold water. You also
have shared state between processes (index on last close of a handle
shared by several threads or processes).

Same problem you have in the indexing business (which also wants the
close hook) - aside from all the practical issues that LD_PRELOAD tends
to turn up.

I'm not actually interested in the AV stuff, but content indexing I do
care about and we do need a way to get notification up to user space.

Alan
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html



(Log in to post comments)


Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds