linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: david@lang.hm
To: tvrtko.ursulin@sophos.com
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>,
	Arjan van de Ven <arjan@infradead.org>,
	Adrian Bunk <bunk@kernel.org>,
	capibara@xs4all.nl, Casey Schaufler <casey@schaufler-ca.com>,
	davecb@sun.com, linux-kernel <linux-kernel@vger.kernel.org>,
	linux-security-module@vger.kernel.org,
	malware-list@lists.printk.net,
	malware-list-bounces@dmesg.printk.net,
	Mihai Don??u <mdontu@bitdefender.com>,
	Peter Dolding <oiaohm@gmail.com>, Pavel Machek <pavel@suse.cz>,
	rmeijer@xs4all.nl, Theodore Tso <tytso@mit.edu>
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro	to a linux interface for on access scanning
Date: Mon, 18 Aug 2008 10:13:16 -0700 (PDT)	[thread overview]
Message-ID: <alpine.DEB.1.10.0808181011060.15109@asgard.lang.hm> (raw)
In-Reply-To: <20080818155925.DC73A376469@pmx1.sophos.com>

On Mon, 18 Aug 2008, tvrtko.ursulin@sophos.com wrote:

> Alan Cox <alan@lxorguk.ukuu.org.uk> wrote on 18/08/2008 16:31:48:
>
>>> Huh? I was never advocating re-scan after each modification and I even
>
>>> explicitly said it does not make sense for AV not only for performance
> but
>>> because it will be useless most of the time. I thought sending out
>>> modified notification on close makes sense because it is a natural
> point,
>>> unless someone is trying to subvert which is out of scope. Other have
>>> suggested time delay and lumping up.
>>
>> You need a bit more than close I imagine, otherwise I can simply keep
> the
>> file open forever. There are lots of cases where that would be natural
>> behaviour - eg if I was to attack some kind of web forum and insert a
>> windows worm into the forum which was database backed the file would
>> probably never be closed. That seems to be one of the more common attack
>> vectors nowdays.
>
> Yes, I agree that modification notifications are needed in some cases.
>
>>> Also, just to double-check, you don't think AV scanning would read the
>
>>> whole file on every write?
>>
>> So you need the system to accumulate some kind of complete in memory set
>> of 'dirty' range lists on all I/O ? That is going to have pretty bad
>> performance impacts and serialization.
>
> No, I was just saying scanning is pretty smart, it's not some brute force
> method of scan all data that is there. It has a file type detection and
> what and how to scan is determined by that. If a file does not resemble
> any file type I don't think it gets scanned. For example take couple of
> gigabytes of zeros and try to scan that with some products. I don't think
> they will try to read the whole file.

trying to include details of where each file was updated means that you 
can't just set a single 'dirty' flag for the file (or clear the 'scanned' 
flags), you instead need to detect and notify on every write.

this is a HUGE additional load on the notification mechansim and the 
software that recieves the notifications.

just sending "fix X was scanned and now isn't" is going to be bad enough, 
you _really_ don't want to do this for every write.

David Lang

  reply	other threads:[~2008-08-18 17:13 UTC|newest]

Thread overview: 50+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <alpine.DEB.1.10.0808180444390.12859@asgard.lang.hm>
     [not found] ` <20080818131628.1C2A22FE82F@pmx1.sophos.com>
2008-08-18 14:25   ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning Theodore Tso
2008-08-18 15:31     ` tvrtko.ursulin
2008-08-18 15:31       ` Alan Cox
2008-08-18 13:42         ` David Collier-Brown
2008-08-18 17:53           ` Alan Cox
2008-08-18 18:13           ` david
2008-08-18 15:58         ` tvrtko.ursulin
2008-08-18 17:13           ` david [this message]
2008-08-18 16:15       ` Eric Paris
2008-08-18 16:15         ` Alan Cox
2008-08-18 16:54           ` douglas.leeder
2008-08-18 16:40             ` Alan Cox
2008-08-18 17:28           ` Eric Paris
2008-08-18 17:25             ` Alan Cox
2008-08-18 17:54               ` Eric Paris
2008-08-18 18:30                 ` Eric Paris
2008-08-18 18:51                   ` Alan Cox
2008-08-18 18:35                 ` Jan Harkes
2008-08-18 18:46                   ` Eric Paris
2008-08-18 19:04                     ` david
2008-08-20  2:44                       ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for " david
2008-08-20 15:15                         ` Eric Paris
2008-08-20 17:33                           ` david
2008-08-20 19:26                             ` Eric Paris
2008-08-21  0:42                               ` david
2008-08-20 17:50                           ` david
2008-08-21 14:35                           ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface " douglas.leeder
2008-08-21 21:19                             ` david
2008-08-22 15:09                         ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for " Pavel Machek
2008-08-23  7:28                           ` david
2008-08-18 19:32                     ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on " Jan Harkes
2008-08-18 17:38             ` david
2008-08-18 17:29         ` david
2008-08-18 17:39           ` Eric Paris
2008-08-18 18:09             ` david
2008-08-18 18:34               ` Eric Paris
2008-08-18 17:07       ` david
2008-08-19  8:40         ` tvrtko.ursulin
2008-08-18 22:40       ` Pavel Machek
2008-08-18 23:07         ` Eric Paris
2008-08-19  1:15           ` Peter Dolding
2008-08-19  8:09             ` douglas.leeder
2008-08-19 11:08               ` Peter Dolding
     [not found]                 ` <20080819114040.2FD1B336880@pmx1.sophos.com>
2008-08-20  3:03                   ` Peter Dolding
2008-08-18 16:28     ` douglas.leeder
     [not found] <alpine.DEB.1.10.0808180951470.15109@asgard.lang.hm>
2008-08-19  8:31 ` tvrtko.ursulin
2008-08-19 16:07   ` david
2008-08-19 12:34     ` David Collier-Brown
     [not found] <20080818101625.85CA12FE876@pmx1.sophos.com>
2008-08-18 10:35 ` douglas.leeder
2008-08-18 12:13   ` david

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=alpine.DEB.1.10.0808181011060.15109@asgard.lang.hm \
    --to=david@lang.hm \
    --cc=alan@lxorguk.ukuu.org.uk \
    --cc=arjan@infradead.org \
    --cc=bunk@kernel.org \
    --cc=capibara@xs4all.nl \
    --cc=casey@schaufler-ca.com \
    --cc=davecb@sun.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=malware-list-bounces@dmesg.printk.net \
    --cc=malware-list@lists.printk.net \
    --cc=mdontu@bitdefender.com \
    --cc=oiaohm@gmail.com \
    --cc=pavel@suse.cz \
    --cc=rmeijer@xs4all.nl \
    --cc=tvrtko.ursulin@sophos.com \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).