User: Password:
Subscribe / Log in / New account

Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning

From:  Alan Cox <>
To:  Greg KH <>
Subject:  Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfaceforon access scanning
Date:  Tue, 5 Aug 2008 21:17:32 +0100
Message-ID:  <>
Cc:  "Press, Jonathan" <>, Arjan van de Ven <>, Eric Paris <>,,,
Archive-link:  Article

> > However, I want to point out that scanning on close is still an integral
> > part of AV protection, even if intercepting opens and execs
> > theoretically catches everything.
> Great, then put a hook in glibc and catch all closes and then kick off
> your scanning.

kill -9
deferred close via mmap
etc etc etc

You can't just armwave it into glibc, that doesn't hold water. You also
have shared state between processes (index on last close of a handle
shared by several threads or processes).

Same problem you have in the indexing business (which also wants the
close hook) - aside from all the practical issues that LD_PRELOAD tends
to turn up.

I'm not actually interested in the AV stuff, but content indexing I do
care about and we do need a way to get notification up to user space.

To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to
More majordomo info at

(Log in to post comments)

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds