From: david@lang.hm
To: Eric Paris <eparis@redhat.com>
Cc: Jan Harkes <jaharkes@cs.cmu.edu>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
tvrtko.ursulin@sophos.com, Theodore Tso <tytso@mit.edu>,
davecb@sun.com, Adrian Bunk <bunk@kernel.org>,
linux-kernel <linux-kernel@vger.kernel.org>,
malware-list@lists.printk.net,
Casey Schaufler <casey@schaufler-ca.com>,
Arjan van de Ven <arjan@infradead.org>
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for access scanning
Date: Wed, 20 Aug 2008 10:50:52 -0700 (PDT) [thread overview]
Message-ID: <alpine.DEB.1.10.0808201034080.20991@asgard.lang.hm> (raw)
In-Reply-To: <1219245321.3389.82.camel@localhost.localdomain>
On Wed, 20 Aug 2008, Eric Paris wrote:
>> He is expecting the scanning software to set the policy
>> so there is no reason to have a system/distro defined policy
>
> I'm not sure of the definition of this 'policy' but, yes, I think all
> scanners should make their own decisions in their own little bubble.
I realized I need to reply to this part just after hitting send on the
reply to the rest of it.
part of the policy that needs to be set is when scans do and don't need to
be done.
you almost never want to have 'scans' take place when scanners access
files (the HSM restore is the only exception), and there are significant
performance benifits in exempting other programs as well.
you are saying that the decision of which programs to skip and which ones
to not skip should be the responsibility of the scanner. I disagree for a
couple of reasons
1. I don't think that the scanner can really know what program is trying
to do the access.
2. I think the policy of which files to limit to scanned data and which
ones to allow access to unscanned data should be a sysadmin decision
(assisted by the distro), not something set through the scanning software.
In sort I don't trust Symantec, Macafee, etc to make the correct decisions
for all the different linux distros out there, or for the different
scanners to provide sane, consistant interfaces to specify this sort of
thing. I expect each of them to take the attitude that they know what's
best, and hard-code the policy with little (if any) allowance for
exceptions, and that exception list would be managed differently for each
scanner.
David Lang
next prev parent reply other threads:[~2008-08-20 17:51 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <alpine.DEB.1.10.0808180444390.12859@asgard.lang.hm>
[not found] ` <20080818131628.1C2A22FE82F@pmx1.sophos.com>
2008-08-18 14:25 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on access scanning Theodore Tso
2008-08-18 15:31 ` tvrtko.ursulin
2008-08-18 15:31 ` Alan Cox
2008-08-18 13:42 ` David Collier-Brown
2008-08-18 17:53 ` Alan Cox
2008-08-18 18:13 ` david
2008-08-18 15:58 ` tvrtko.ursulin
2008-08-18 17:13 ` david
2008-08-18 16:15 ` Eric Paris
2008-08-18 16:15 ` Alan Cox
2008-08-18 16:54 ` douglas.leeder
2008-08-18 16:40 ` Alan Cox
2008-08-18 17:28 ` Eric Paris
2008-08-18 17:25 ` Alan Cox
2008-08-18 17:54 ` Eric Paris
2008-08-18 18:30 ` Eric Paris
2008-08-18 18:51 ` Alan Cox
2008-08-18 18:35 ` Jan Harkes
2008-08-18 18:46 ` Eric Paris
2008-08-18 19:04 ` david
2008-08-20 2:44 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for for " david
2008-08-20 15:15 ` Eric Paris
2008-08-20 17:33 ` david
2008-08-20 19:26 ` Eric Paris
2008-08-21 0:42 ` david
2008-08-20 17:50 ` david [this message]
2008-08-21 14:35 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface " douglas.leeder
2008-08-21 21:19 ` david
2008-08-22 15:09 ` [malware-list] scanner interface proposal was: [TALPA] Intro linux interface for " Pavel Machek
2008-08-23 7:28 ` david
2008-08-18 19:32 ` [malware-list] scanner interface proposal was: [TALPA] Intro to a linux interface for on " Jan Harkes
2008-08-18 17:38 ` david
2008-08-18 17:29 ` david
2008-08-18 17:39 ` Eric Paris
2008-08-18 18:09 ` david
2008-08-18 18:34 ` Eric Paris
2008-08-18 17:07 ` david
2008-08-19 8:40 ` tvrtko.ursulin
2008-08-18 22:40 ` Pavel Machek
2008-08-18 23:07 ` Eric Paris
2008-08-19 1:15 ` Peter Dolding
2008-08-19 8:09 ` douglas.leeder
2008-08-19 11:08 ` Peter Dolding
[not found] ` <20080819114040.2FD1B336880@pmx1.sophos.com>
2008-08-20 3:03 ` Peter Dolding
2008-08-18 16:28 ` douglas.leeder
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alpine.DEB.1.10.0808201034080.20991@asgard.lang.hm \
--to=david@lang.hm \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=arjan@infradead.org \
--cc=bunk@kernel.org \
--cc=casey@schaufler-ca.com \
--cc=davecb@sun.com \
--cc=eparis@redhat.com \
--cc=jaharkes@cs.cmu.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=malware-list@lists.printk.net \
--cc=tvrtko.ursulin@sophos.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).