From: Pavel Machek <pavel@suse.cz>
To: tvrtko.ursulin@sophos.com
Cc: Theodore Tso <tytso@mit.edu>, Alan Cox <alan@lxorguk.ukuu.org.uk>,
Arjan van de Ven <arjan@infradead.org>,
Adrian Bunk <bunk@kernel.org>,
capibara@xs4all.nl, Casey Schaufler <casey@schaufler-ca.com>,
davecb@sun.com, david@lang.hm,
linux-kernel <linux-kernel@vger.kernel.org>,
linux-security-module@vger.kernel.org,
malware-list@lists.printk.net,
malware-list-bounces@dmesg.printk.net,
Mihai Don??u <mdontu@bitdefender.com>,
Peter Dolding <oiaohm@gmail.com>,
rmeijer@xs4all.nl
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning
Date: Tue, 19 Aug 2008 00:40:58 +0200 [thread overview]
Message-ID: <20080818224058.GA2311@elf.ucw.cz> (raw)
In-Reply-To: <20080818153212.6A6FD33687F@pmx1.sophos.com>
Hi!
> > On Mon, Aug 18, 2008 at 02:15:24PM +0100, tvrtko.ursulin@sophos.com
> wrote:
> > > Then there is still a question of who allows some binary to declare
> itself
> > > exempt. If that decision was a mistake, or it gets compromised
> security
> > > will be off. A very powerful mechanism which must not be easily
> > > accessible. With a good cache your worries go away even without a
> scheme
> > > like this.
> >
> > I have one word for you --- bittorrent. If you are downloading a very
> > large torrent (say approximately a gigabyte), and it contains many
> > pdf's that are say a few megabytes a piece, and things are coming in
> > tribbles, having either a indexing scanner or an AV scanner wake up
> > and rescan the file from scratch each time a tiny piece of the pdf
> > comes in is going to eat your machine alive....
>
> Huh? I was never advocating re-scan after each modification and I even
> explicitly said it does not make sense for AV not only for performance but
> because it will be useless most of the time. I thought sending out
> modified notification on close makes sense because it is a natural point,
> unless someone is trying to subvert which is out of scope. Other
> have
Why do you think non-malicious applications won't write after close /
keep file open forever?
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
next prev parent reply other threads:[~2008-08-18 22:39 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.DEB.1.10.0808180444390.12859@asgard.lang.hm>
[not found] ` <20080818131628.1C2A22FE82F@pmx1.sophos.com>
2008-08-18 14:25 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning Theodore Tso
2008-08-18 15:31 ` tvrtko.ursulin
2008-08-18 15:31 ` Alan Cox
2008-08-18 13:42 ` David Collier-Brown
2008-08-18 17:53 ` Alan Cox
2008-08-18 18:13 ` david
2008-08-18 15:58 ` tvrtko.ursulin
2008-08-18 17:13 ` david
2008-08-18 16:15 ` Eric Paris
2008-08-18 16:15 ` Alan Cox
2008-08-18 16:54 ` douglas.leeder
2008-08-18 16:40 ` Alan Cox
2008-08-18 17:28 ` Eric Paris
2008-08-18 17:25 ` Alan Cox
2008-08-18 17:54 ` Eric Paris
2008-08-18 18:30 ` Eric Paris
2008-08-18 18:51 ` Alan Cox
2008-08-18 18:35 ` Jan Harkes
2008-08-18 18:46 ` Eric Paris
2008-08-18 19:04 ` david
2008-08-20 2:44 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for " david
2008-08-20 15:15 ` Eric Paris
2008-08-20 17:33 ` david
2008-08-20 19:26 ` Eric Paris
2008-08-21 0:42 ` david
2008-08-20 17:50 ` david
2008-08-21 14:35 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface " douglas.leeder
2008-08-21 21:19 ` david
2008-08-22 15:09 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for " Pavel Machek
2008-08-23 7:28 ` david
2008-08-18 19:32 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on " Jan Harkes
2008-08-18 17:38 ` david
2008-08-18 17:29 ` david
2008-08-18 17:39 ` Eric Paris
2008-08-18 18:09 ` david
2008-08-18 18:34 ` Eric Paris
2008-08-18 17:07 ` david
2008-08-19 8:40 ` tvrtko.ursulin
2008-08-18 22:40 ` Pavel Machek [this message]
2008-08-18 23:07 ` Eric Paris
2008-08-19 1:15 ` Peter Dolding
2008-08-19 8:09 ` douglas.leeder
2008-08-19 11:08 ` Peter Dolding
[not found] ` <20080819114040.2FD1B336880@pmx1.sophos.com>
2008-08-20 3:03 ` Peter Dolding
2008-08-18 16:28 ` douglas.leeder
[not found] <alpine.DEB.1.10.0808180951470.15109@asgard.lang.hm>
2008-08-19 8:31 ` tvrtko.ursulin
2008-08-19 16:07 ` david
2008-08-19 12:34 ` David Collier-Brown
[not found] <20080818101625.85CA12FE876@pmx1.sophos.com>
2008-08-18 10:35 ` douglas.leeder
2008-08-18 12:13 ` david
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080818224058.GA2311@elf.ucw.cz \
--to=pavel@suse.cz \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=bunk@kernel.org \
--cc=capibara@xs4all.nl \
--cc=casey@schaufler-ca.com \
--cc=davecb@sun.com \
--cc=david@lang.hm \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=malware-list-bounces@dmesg.printk.net \
--cc=malware-list@lists.printk.net \
--cc=mdontu@bitdefender.com \
--cc=oiaohm@gmail.com \
--cc=rmeijer@xs4all.nl \
--cc=tvrtko.ursulin@sophos.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).