Re: Out of tree module using LSM

2007-12-08 Thread Pavel Machek
On Thu 2007-11-29 23:58:44, Andi Kleen wrote: > Alan Cox <[EMAIL PROTECTED]> writes: > > > > The simple case is > > open > > write cathedral and bazaar in some order > > close > > process -> label eric_t> > > > > open (eric_t) - SELinux "no" > > > > > > Anyone smart will then

Re: Out of tree module using LSM

2007-12-08 Thread Pavel Machek
On Thu 2007-11-29 23:58:44, Andi Kleen wrote: Alan Cox [EMAIL PROTECTED] writes: The simple case is open write cathedral and bazaar in some order close trap close - process - label eric_t open (eric_t) - SELinux no Anyone smart will then write it out of

Re: newlist: public malware discussion [Re: Out of tree module using LSM]

2007-12-04 Thread Giacomo A. Catenazzi
Jon Masters wrote: On Mon, 2007-12-03 at 23:45 +0100, Bodo Eggert wrote: Jon Masters <[EMAIL PROTECTED]> wrote: On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote: On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote: To lift Alan's example, a naive first implementation would be to

Re: newlist: public malware discussion [Re: Out of tree module using LSM]

2007-12-04 Thread Giacomo A. Catenazzi
Jon Masters wrote: On Mon, 2007-12-03 at 23:45 +0100, Bodo Eggert wrote: Jon Masters [EMAIL PROTECTED] wrote: On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote: On Nov 29, 2007 10:56 AM, Jon Masters [EMAIL PROTECTED] wrote: To lift Alan's example, a naive first implementation would be to

newlist: public malware discussion [Re: Out of tree module using LSM]

2007-12-03 Thread Jon Masters
On Mon, 2007-12-03 at 23:45 +0100, Bodo Eggert wrote: > Jon Masters <[EMAIL PROTECTED]> wrote: > > On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote: > >> On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote: > >> > On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote: > >> > > On Nov 29,

Re: Out of tree module using LSM

2007-12-03 Thread Bodo Eggert
Jon Masters <[EMAIL PROTECTED]> wrote: > On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote: >> On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote: >> > On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote: >> > > On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote: >> > > > >

Re: Out of tree module using LSM

2007-12-03 Thread Bodo Eggert
Jon Masters [EMAIL PROTECTED] wrote: On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote: On Nov 29, 2007 10:56 AM, Jon Masters [EMAIL PROTECTED] wrote: On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote: On Nov 29, 2007 9:36 AM, Alan Cox [EMAIL PROTECTED] wrote: closed. But more

newlist: public malware discussion [Re: Out of tree module using LSM]

2007-12-03 Thread Jon Masters
On Mon, 2007-12-03 at 23:45 +0100, Bodo Eggert wrote: Jon Masters [EMAIL PROTECTED] wrote: On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote: On Nov 29, 2007 10:56 AM, Jon Masters [EMAIL PROTECTED] wrote: On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote: On Nov 29, 2007 9:36 AM, Alan

Re: Out of tree module using LSM

2007-12-02 Thread Pavel Machek
Hi! > >Well... I'd really like to know what A/V people are trying to do. > > > >Indexing services are really different, and doable with recursive > >m-time Jan is preparing... > > > m-time <=> modification time? Yep. > What am I preparing? Not you, Jan Kara. Sorry.

Re: Out of tree module using LSM

2007-12-02 Thread Jan Engelhardt
On Dec 2 2007 22:56, Pavel Machek wrote: >> >> We probably want to hear related usages as well - what *besides* >> A/V would be interested? Indexing services? > Indexing services would probably benefit much more from a recursive-aware inotify, though that has its own sort of problems to solve

Re: Out of tree module using LSM

2007-12-02 Thread Pavel Machek
On Sun 2007-12-02 16:09:55, [EMAIL PROTECTED] wrote: > On Sun, 02 Dec 2007 21:22:40 +0100, Pavel Machek said: > > Well, if you only want to detect viruses _sometimes_, you can just > > LD_PRELOAD your scanner. > > And for some use cases, that probably *is* the best answer.. I'd say so. > > I

Re: Out of tree module using LSM

2007-12-02 Thread Valdis . Kletnieks
On Sun, 02 Dec 2007 21:22:40 +0100, Pavel Machek said: > Well, if you only want to detect viruses _sometimes_, you can just > LD_PRELOAD your scanner. And for some use cases, that probably *is* the best answer.. > I guess the A/V people should describe what they are trying to do, as > in > >

Re: Out of tree module using LSM

2007-12-02 Thread Pavel Machek
Hi! > > So what you are trying to do is 'application may never read bad > > sequence of bits from disk', right? > > No, in many of the use cases, we're trying to do "if application reads certain > specified sequences of bits from disk we know about it", which is subtly > different. Often,

Re: Out of tree module using LSM

2007-12-02 Thread Andi Kleen
> and I don't think you can mmap() a socket anyhow, > right? You can mmap packet sockets. -Andi -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read

Re: Out of tree module using LSM

2007-12-02 Thread Arjan van de Ven
On Sun, 02 Dec 2007 14:44:48 -0500 [EMAIL PROTECTED] wrote: > On Sat, 01 Dec 2007 08:43:32 GMT, Pavel Machek said: > > > So what you are trying to do is 'application may never read bad > > sequence of bits from disk', right? > > No, in many of the use cases, we're trying to do "if application >

Re: Out of tree module using LSM

2007-12-02 Thread Valdis . Kletnieks
On Sat, 01 Dec 2007 08:43:32 GMT, Pavel Machek said: > So what you are trying to do is 'application may never read bad > sequence of bits from disk', right? No, in many of the use cases, we're trying to do "if application reads certain specified sequences of bits from disk we know about it",

Re: Out of tree module using LSM

2007-12-02 Thread Pavel Machek
Hi! > > Personally I admit I never quite saw the point of intercepting all > > file accesses for everything. That will just always be slow as often > > demonstrated on other operating systems and racy and unreliable too. > > And at least the internal daemons should be already reasonably well > >

Re: Out of tree module using LSM

2007-12-02 Thread Pavel Machek
Hi! Personally I admit I never quite saw the point of intercepting all file accesses for everything. That will just always be slow as often demonstrated on other operating systems and racy and unreliable too. And at least the internal daemons should be already reasonably well protected

Re: Out of tree module using LSM

2007-12-02 Thread Arjan van de Ven
On Sun, 02 Dec 2007 14:44:48 -0500 [EMAIL PROTECTED] wrote: On Sat, 01 Dec 2007 08:43:32 GMT, Pavel Machek said: So what you are trying to do is 'application may never read bad sequence of bits from disk', right? No, in many of the use cases, we're trying to do if application reads

Re: Out of tree module using LSM

2007-12-02 Thread Andi Kleen
and I don't think you can mmap() a socket anyhow, right? You can mmap packet sockets. -Andi

Re: Out of tree module using LSM

2007-12-02 Thread Valdis . Kletnieks
On Sat, 01 Dec 2007 08:43:32 GMT, Pavel Machek said: So what you are trying to do is 'application may never read bad sequence of bits from disk', right? No, in many of the use cases, we're trying to do if application reads certain specified sequences of bits from disk we know about it, which

Re: Out of tree module using LSM

2007-12-02 Thread Pavel Machek
Hi! So what you are trying to do is 'application may never read bad sequence of bits from disk', right? No, in many of the use cases, we're trying to do if application reads certain specified sequences of bits from disk we know about it, which is subtly different. Often, *absolute*

Re: Out of tree module using LSM

2007-12-02 Thread Valdis . Kletnieks
On Sun, 02 Dec 2007 21:22:40 +0100, Pavel Machek said: Well, if you only want to detect viruses _sometimes_, you can just LD_PRELOAD your scanner. And for some use cases, that probably *is* the best answer.. I guess the A/V people should describe what they are trying to do, as in

Re: Out of tree module using LSM

2007-12-02 Thread Pavel Machek
On Sun 2007-12-02 16:09:55, [EMAIL PROTECTED] wrote: On Sun, 02 Dec 2007 21:22:40 +0100, Pavel Machek said: Well, if you only want to detect viruses _sometimes_, you can just LD_PRELOAD your scanner. And for some use cases, that probably *is* the best answer.. I'd say so. I guess the

Re: Out of tree module using LSM

2007-12-02 Thread Jan Engelhardt
On Dec 2 2007 22:56, Pavel Machek wrote: We probably want to hear related usages as well - what *besides* A/V would be interested? Indexing services? Indexing services would probably benefit much more from a recursive-aware inotify, though that has its own sort of problems to solve first.

Re: Out of tree module using LSM

2007-12-02 Thread Pavel Machek
Hi! Well... I'd really like to know what A/V people are trying to do. Indexing services are really different, and doable with recursive m-time Jan is preparing... m-time = modification time? Yep. What am I preparing? Not you, Jan Kara. Sorry.

Re: Out of tree module using LSM

2007-11-30 Thread James Morris
On Fri, 30 Nov 2007, Crispin Cowan wrote: > > The only case of this so far has been Multiadm, although there seems to be > > no reason for it to stay out of tree. > > > Dazuko. It has the same yucky code issues as Talpa, but AFAIK is pure > GPL2 and thus is clean on the license issues. > >

Re: Out of tree module using LSM

2007-11-30 Thread Crispin Cowan
James Morris wrote: > On Fri, 30 Nov 2007, Crispin Cowan wrote: >> restored faces a lot of challenges, but I hope that some kind of >> solution can be found, because the alternative is to effectively force >> vendors like Sophos to do it the "dirty" way by fishing in memory for >> the syscall

Re: Out of tree module using LSM

2007-11-30 Thread James Morris
On Fri, 30 Nov 2007, Crispin Cowan wrote: > restored faces a lot of challenges, but I hope that some kind of > solution can be found, because the alternative is to effectively force > vendors like Sophos to do it the "dirty" way by fishing in memory for > the syscall table. I don't think this is

Re: Out of tree module using LSM

2007-11-30 Thread Crispin Cowan
Tvrtko A. Ursulin wrote: > During one recent LKML discussion > (http://marc.info/?l=linux-kernel&m=119267398722085&w=2) about > LSM going > static you called for LSM users to speak up. Great big clue: If "LSM" is in the subject line, then cc: the LSM list [EMAIL PROTECTED] For LSM readers seeing

Re: Out of tree module using LSM

2007-11-30 Thread Justin Banks
Al Viro wrote > On Thu, Nov 29, 2007 at 03:12:38PM -0700, Justin Banks wrote: > > > It's not perfect, but as was recently pointed out, if you can only get > > 98% of the way there rather than 100% is that a reason for not trying to > > make it possible? > > BTW, that's a fine example of a common

Re: Out of tree module using LSM

2007-11-30 Thread Alan Cox
> Fortunately for all concerned, although Alan's self-modifying code is indeed a > possibility, it's much less of an issue than the sort of malware that can be > found with a simple "find this 27-byte sequence, which will be found in either > block 36 or 37 of the file" That's a very old model of

Re: Out of tree module using LSM

2007-11-30 Thread James Morris
On Fri, 30 Nov 2007, Crispin Cowan wrote: restored faces a lot of challenges, but I hope that some kind of solution can be found, because the alternative is to effectively force vendors like Sophos to do it the dirty way by fishing in memory for the syscall table. I don't think this is quite

Re: Out of tree module using LSM

2007-11-30 Thread Crispin Cowan
James Morris wrote: On Fri, 30 Nov 2007, Crispin Cowan wrote: restored faces a lot of challenges, but I hope that some kind of solution can be found, because the alternative is to effectively force vendors like Sophos to do it the dirty way by fishing in memory for the syscall table. I

Re: Out of tree module using LSM

2007-11-30 Thread James Morris
On Fri, 30 Nov 2007, Crispin Cowan wrote: The only case of this so far has been Multiadm, although there seems to be no reason for it to stay out of tree. Dazuko. It has the same yucky code issues as Talpa, but AFAIK is pure GPL2 and thus is clean on the license issues. That these

Re: Out of tree module using LSM

2007-11-30 Thread Alan Cox
Fortunately for all concerned, although Alan's self-modifying code is indeed a possibility, it's much less of an issue than the sort of malware that can be found with a simple find this 27-byte sequence, which will be found in either block 36 or 37 of the file That's a very old model of

Re: Out of tree module using LSM

2007-11-30 Thread Justin Banks
Al Viro wrote On Thu, Nov 29, 2007 at 03:12:38PM -0700, Justin Banks wrote: It's not perfect, but as was recently pointed out, if you can only get 98% of the way there rather than 100% is that a reason for not trying to make it possible? BTW, that's a fine example of a common fallacy:

Re: Out of tree module using LSM

2007-11-30 Thread Crispin Cowan
Tvrtko A. Ursulin wrote: During one recent LKML discussion (http://marc.info/?l=linux-kernel&m=119267398722085&w=2) about LSM going static you called for LSM users to speak up. Great big clue: If LSM is in the subject line, then cc: the LSM list [EMAIL PROTECTED] For LSM readers seeing

Re: Out of tree module using LSM

2007-11-29 Thread Valdis . Kletnieks
On Thu, 29 Nov 2007 18:34:33 EST, Jon Masters said: > > On Thu, 2007-11-29 at 21:45 +, Alan Cox wrote: > > > Jargon File in all its glory. And if you still think you could look for > > > patterns, how about executable code that self-modifies in random ways > > > but when executed as a whole

Re: Out of tree module using LSM

2007-11-29 Thread Al Viro
On Thu, Nov 29, 2007 at 03:12:38PM -0700, Justin Banks wrote: > It's not perfect, but as was recently pointed out, if you can only get > 98% of the way there rather than 100% is that a reason for not trying to > make it possible? BTW, that's a fine example of a common fallacy: "$FOO is 98% of

Re: Out of tree module using LSM

2007-11-29 Thread James Morris
On Thu, 29 Nov 2007, Al Viro wrote: > Incidentally, I would really love to see the threat profile we are talking > about. Exactly. Please come up with a set of requirements that can be reviewed by the core kernel folk, and perhaps then focus on how to meet those requirements once they have

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 21:45 +, Alan Cox wrote: > > Jargon File in all its glory. And if you still think you could look for > > patterns, how about executable code that self-modifies in random ways > > but when executed as a whole actually has the functionality of fetchmail > > embedded within

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 15:56 -0500, [EMAIL PROTECTED] wrote: > On Thu, 29 Nov 2007 14:45:51 EST, Jon Masters said: > > Ah, but I could write a sequence of pages that on their own looked > > garbage, but in reality, when executed would print out a copy of the > > Jargon File in all its glory. And

Re: Out of tree module using LSM

2007-11-29 Thread Andi Kleen
Alan Cox <[EMAIL PROTECTED]> writes: > > The simple case is > open > write cathedral and bazaar in some order > close >process -> label eric_t> > > open (eric_t) - SELinux "no" > > > Anyone smart will then write it out of order and keep the file open, or That would

Re: Out of tree module using LSM

2007-11-29 Thread Justin Banks
Alan Cox wrote > > Jargon File in all its glory. And if you still think you could look for > > patterns, how about executable code that self-modifies in random ways > > but when executed as a whole actually has the functionality of fetchmail > > embedded within it? How would you guard against

Re: Out of tree module using LSM

2007-11-29 Thread Al Viro
On Thu, Nov 29, 2007 at 03:56:28PM -0500, [EMAIL PROTECTED] wrote: > Yes, most of these schemes *can* be bypassed because some malicious code does > a > mmap() or similar trick. But what is being overlooked here is that in most > cases, what is *desired* is a way to filter things being handled by

Re: Out of tree module using LSM

2007-11-29 Thread Alan Cox
> Jargon File in all its glory. And if you still think you could look for > patterns, how about executable code that self-modifies in random ways > but when executed as a whole actually has the functionality of fetchmail > embedded within it? How would you guard against that? That's a problem for

Re: Out of tree module using LSM

2007-11-29 Thread Andi Kleen
Alan Cox <[EMAIL PROTECTED]> writes: > If I want I can have 16 threads executing code in a shared object being > written to by ten other programs at once and shared over a network while > we are at it. It's probably not a good idea but I can do it if I have > reason to. Actually the kernel

Re: Out of tree module using LSM

2007-11-29 Thread Valdis . Kletnieks
On Thu, 29 Nov 2007 14:45:51 EST, Jon Masters said: > Ah, but I could write a sequence of pages that on their own looked > garbage, but in reality, when executed would print out a copy of the > Jargon File in all its glory. And if you still think you could look for > patterns, how about executable

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 11:11 -0800, Ray Lee wrote: > On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote: > > On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote: > > > On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote: > > > > > closed. But more importantly further access to it

Re: Out of tree module using LSM

2007-11-29 Thread Ray Lee
On Nov 29, 2007 10:56 AM, Jon Masters <[EMAIL PROTECTED]> wrote: > On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote: > > On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote: > > > > closed. But more importantly further access to it can be blocked until > > > > appropriate actions are taken

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote: > On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote: > > > closed. But more importantly further access to it can be blocked until > > > appropriate actions are taken which also applies with your example, no? Is > > > > That bit is hard-

Re: Out of tree module using LSM

2007-11-29 Thread Justin Banks
Ray Lee wrote > On Nov 29, 2007 9:45 AM, Greg KH <[EMAIL PROTECTED]> wrote: > > > Perhaps if you looked at this outside of a file-server scenario, the > > > problem would be clearer? Anti-malware companies want to check > > > anything written to disk on a system, either at write time or blocking >

Re: Out of tree module using LSM

2007-11-29 Thread Ray Lee
On Nov 29, 2007 9:36 AM, Alan Cox <[EMAIL PROTECTED]> wrote: > > closed. But more importantly further access to it can be blocked until > > appropriate actions are taken which also applies with your example, no? Is > > That bit is hard- very hard. In some sense it seems like the same problem

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 11:19 -0700, Justin Banks wrote: > Ray Lee wrote > > On Nov 29, 2007 9:45 AM, Greg KH <[EMAIL PROTECTED]> wrote: > > > > Perhaps if you looked at this outside of a file-server scenario, the > > > > problem would be clearer? Anti-malware companies want to check > > > >

Re: Out of tree module using LSM

2007-11-29 Thread Ray Lee
On Nov 29, 2007 9:45 AM, Greg KH <[EMAIL PROTECTED]> wrote: > > Perhaps if you looked at this outside of a file-server scenario, the > > problem would be clearer? Anti-malware companies want to check > > anything written to disk on a system, either at write time or blocking > > the open/mmap. That

Re: Out of tree module using LSM

2007-11-29 Thread Al Viro
On Thu, Nov 29, 2007 at 09:35:56AM -0800, Ray Lee wrote: > Perhaps if you looked at this outside of a file-server scenario, the > problem would be clearer? Anti-malware companies want to check > anything written to disk on a system, either at write time or blocking > the open/mmap. That means

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 09:35:56AM -0800, Ray Lee wrote: > On Nov 29, 2007 9:03 AM, Greg KH <[EMAIL PROTECTED]> wrote: > > On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote: > > > > > > On Nov 29 2007 08:47, Greg KH wrote: > > > >On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters

Re: Out of tree module using LSM

2007-11-29 Thread Alan Cox
> closed. But more importantly further access to it can be blocked until > appropriate actions are taken which also applies with your example, no? Is That bit is hard- very hard. > it possible to open for execute and have dirty mappings (or open for > write) on a file at the same time? If I

Re: Out of tree module using LSM

2007-11-29 Thread Ray Lee
On Nov 29, 2007 9:03 AM, Greg KH <[EMAIL PROTECTED]> wrote: > On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote: > > > > On Nov 29 2007 08:47, Greg KH wrote: > > >On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: > > >> On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: > >

Re: Out of tree module using LSM

2007-11-29 Thread Alan Cox
> Can we please stop this useless discussion? Trying to check the content > of files to see whether they might be malicious is inherently braindead, > and no amounts of plugins in random places will fix this. Actually it is quite effective especially for files whose content is expected not to be

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 12:05:36PM -0500, Jon Masters wrote: > > On Thu, 2007-11-29 at 08:47 -0800, Greg KH wrote: > > On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: > > > On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: > > > > > > > The easiest way is as Al described above, just

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 08:47 -0800, Greg KH wrote: > On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: > > On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: > > > > > The easiest way is as Al described above, just have the userspace > > > program that wrote the file to disk, check it

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote: > > On Nov 29 2007 08:47, Greg KH wrote: > >On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: > >> On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: > >> > >> > The easiest way is as Al described above, just have the

Re: Out of tree module using LSM

2007-11-29 Thread Christoph Hellwig
On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote: > >> But the problem is that this isn't just Samba, this is a countless > >> myriad of different applications. And if one of them doesn't support > >> on-access scanning, then the whole solution isn't worth using. > > > >Ok, which

Re: Out of tree module using LSM

2007-11-29 Thread Jan Engelhardt
On Nov 29 2007 08:47, Greg KH wrote: >On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: >> On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: >> >> > The easiest way is as Al described above, just have the userspace >> > program that wrote the file to disk, check it then. >> >> But

Re: Out of tree module using LSM

2007-11-29 Thread Stephen Hemminger
On Thu, 29 Nov 2007 11:27:45 -0500 Jon Masters <[EMAIL PROTECTED]> wrote: > On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote: > > On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote: > > > > > So as there is no question the current code does some ugly things it is > > > even more true that we

Re: Out of tree module using LSM

2007-11-29 Thread Jan Engelhardt
On Nov 29 2007 11:27, Jon Masters wrote: > >They (virus protection folks) generally think they want to intercept >various system calls, such as open() and block until they have performed >a scan operation on the file. I explained the mmap issue [...] If open and close was everything, then that

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: > On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: > > > The easiest way is as Al described above, just have the userspace > > program that wrote the file to disk, check it then. > > But the problem is that this isn't just Samba, this

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 11:27:45AM -0500, Jon Masters wrote: > On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote: > > On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote: > > > > > So as there is no question the current code does some ugly things it is > > > even more true that we would be even

Re: Out of tree module using LSM

2007-11-29 Thread tvrtko . ursulin
[EMAIL PROTECTED] wrote on 28/11/2007 19:20:26: > "Tvrtko A. Ursulin" <[EMAIL PROTECTED]> writes: > > > We here at Sophos (the fourth largest endpoint security vendor in > the world) > > have such a module called Talpa which is a part of our main > endpoint security > > product > > What is

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: > The easiest way is as Al described above, just have the userspace > program that wrote the file to disk, check it then. But the problem is that this isn't just Samba, this is a countless myriad of different applications. And if one of them

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote: > On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote: > > > So as there is no question the current code does some ugly things it is > > even more true that we would be even more happy to use an official API. > > How about becoming involved in

Re: Out of tree module using LSM

2007-11-29 Thread tvrtko . ursulin
Al Viro <[EMAIL PROTECTED]> wrote on 28/11/2007 18:30:40: > On Wed, Nov 28, 2007 at 01:15:05PM -0500, [EMAIL PROTECTED] wrote: > > (Note that the concept has interesting implications in the other > direction as > > well - rather than stopping you from reading a file that has > malware, you

Re: Out of tree module using LSM

2007-11-29 Thread tvrtko . ursulin
Alan Cox <[EMAIL PROTECTED]> wrote on 28/11/2007 19:50:42: > > So as there is no question the current code does some ugly things it is > > even more true that we would be even more happy to use an official API. > > LSM was that and we were happily using it which we won't be able to do if >

Re: Out of tree module using LSM

2007-11-29 Thread tvrtko . ursulin
Alan Cox [EMAIL PROTECTED] wrote on 28/11/2007 19:50:42: So as there is no question the current code does some ugly things it is even more true that we would be even more happy to use an official API. LSM was that and we were happily using it which we won't be able to do if it

Re: Out of tree module using LSM

2007-11-29 Thread tvrtko . ursulin
Al Viro [EMAIL PROTECTED] wrote on 28/11/2007 18:30:40: On Wed, Nov 28, 2007 at 01:15:05PM -0500, [EMAIL PROTECTED] wrote: (Note that the concept has interesting implications in the other direction as well - rather than stopping you from reading a file that has malware, you could in

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote: On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote: So as there is no question the current code does some ugly things it is even more true that we would be even more happy to use an official API. How about becoming involved in creating

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: The easiest way is as Al described above, just have the userspace program that wrote the file to disk, check it then. But the problem is that this isn't just Samba, this is a countless myriad of different applications. And if one of them

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: The easiest way is as Al described above, just have the userspace program that wrote the file to disk, check it then. But the problem is that this isn't just Samba, this is a

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 11:27:45AM -0500, Jon Masters wrote: On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote: On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote: So as there is no question the current code does some ugly things it is even more true that we would be even more happy to

Re: Out of tree module using LSM

2007-11-29 Thread Jan Engelhardt
On Nov 29 2007 11:27, Jon Masters wrote: They (virus protection folks) generally think they want to intercept various system calls, such as open() and block until they have performed a scan operation on the file. I explained the mmap issue [...] If open and close was everything, then that would

Re: Out of tree module using LSM

2007-11-29 Thread Stephen Hemminger
On Thu, 29 Nov 2007 11:27:45 -0500 Jon Masters [EMAIL PROTECTED] wrote: On Thu, 2007-11-29 at 11:12 +1100, James Morris wrote: On Wed, 28 Nov 2007, [EMAIL PROTECTED] wrote: So as there is no question the current code does some ugly things it is even more true that we would be even

Re: Out of tree module using LSM

2007-11-29 Thread Jan Engelhardt
On Nov 29 2007 08:47, Greg KH wrote: On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: The easiest way is as Al described above, just have the userspace program that wrote the file to disk, check it then. But the problem is

Re: Out of tree module using LSM

2007-11-29 Thread Christoph Hellwig
On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote: But the problem is that this isn't just Samba, this is a countless myriad of different applications. And if one of them doesn't support on-access scanning, then the whole solution isn't worth using. Ok, which specific

Re: Out of tree module using LSM

2007-11-29 Thread tvrtko . ursulin
[EMAIL PROTECTED] wrote on 28/11/2007 19:20:26: Tvrtko A. Ursulin [EMAIL PROTECTED] writes: We here at Sophos (the fourth largest endpoint security vendor in the world) have such a module called Talpa which is a part of our main endpoint security product What is an endpoint

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote: On Nov 29 2007 08:47, Greg KH wrote: On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: The easiest way is as Al described above, just have the userspace

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 08:47 -0800, Greg KH wrote: On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: The easiest way is as Al described above, just have the userspace program that wrote the file to disk, check it then.

Re: Out of tree module using LSM

2007-11-29 Thread Ray Lee
On Nov 29, 2007 9:03 AM, Greg KH [EMAIL PROTECTED] wrote: On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote: On Nov 29 2007 08:47, Greg KH wrote: On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: The easiest

Re: Out of tree module using LSM

2007-11-29 Thread Alan Cox
Can we please stop this useless discussion? Trying to check the content of files to see whether they might be malicious is inherently braindead, and no amounts of plugins in random places will fix this. Actually it is quite effective especially for files whose content is expected not to be

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 12:05:36PM -0500, Jon Masters wrote: On Thu, 2007-11-29 at 08:47 -0800, Greg KH wrote: On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: On Wed, 2007-11-28 at 17:07 -0800, Greg KH wrote: The easiest way is as Al described above, just have the

Re: Out of tree module using LSM

2007-11-29 Thread Alan Cox
closed. But more importantly further access to it can be blocked until appropriate actions are taken which also applies with your example, no? Is That bit is hard- very hard. it possible to open for execute and have dirty mappings (or open for write) on a file at the same time? If I want

Re: Out of tree module using LSM

2007-11-29 Thread Greg KH
On Thu, Nov 29, 2007 at 09:35:56AM -0800, Ray Lee wrote: On Nov 29, 2007 9:03 AM, Greg KH [EMAIL PROTECTED] wrote: On Thu, Nov 29, 2007 at 05:53:33PM +0100, Jan Engelhardt wrote: On Nov 29 2007 08:47, Greg KH wrote: On Thu, Nov 29, 2007 at 11:36:12AM -0500, Jon Masters wrote: On

Re: Out of tree module using LSM

2007-11-29 Thread Al Viro
On Thu, Nov 29, 2007 at 09:35:56AM -0800, Ray Lee wrote: Perhaps if you looked at this outside of a file-server scenario, the problem would be clearer? Anti-malware companies want to check anything written to disk on a system, either at write time or blocking the open/mmap. That means

Re: Out of tree module using LSM

2007-11-29 Thread Ray Lee
On Nov 29, 2007 9:45 AM, Greg KH [EMAIL PROTECTED] wrote: Perhaps if you looked at this outside of a file-server scenario, the problem would be clearer? Anti-malware companies want to check anything written to disk on a system, either at write time or blocking the open/mmap. That means

Re: Out of tree module using LSM

2007-11-29 Thread Ray Lee
On Nov 29, 2007 9:36 AM, Alan Cox [EMAIL PROTECTED] wrote: closed. But more importantly further access to it can be blocked until appropriate actions are taken which also applies with your example, no? Is That bit is hard- very hard. In some sense it seems like the same problem faced by

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 11:19 -0700, Justin Banks wrote: Ray Lee wrote On Nov 29, 2007 9:45 AM, Greg KH [EMAIL PROTECTED] wrote: Perhaps if you looked at this outside of a file-server scenario, the problem would be clearer? Anti-malware companies want to check anything written to

Re: Out of tree module using LSM

2007-11-29 Thread Justin Banks
Ray Lee wrote On Nov 29, 2007 9:45 AM, Greg KH [EMAIL PROTECTED] wrote: Perhaps if you looked at this outside of a file-server scenario, the problem would be clearer? Anti-malware companies want to check anything written to disk on a system, either at write time or blocking the

Re: Out of tree module using LSM

2007-11-29 Thread Jon Masters
On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote: On Nov 29, 2007 9:36 AM, Alan Cox [EMAIL PROTECTED] wrote: closed. But more importantly further access to it can be blocked until appropriate actions are taken which also applies with your example, no? Is That bit is hard- very hard.

Re: Out of tree module using LSM

2007-11-29 Thread Ray Lee
On Nov 29, 2007 10:56 AM, Jon Masters [EMAIL PROTECTED] wrote: On Thu, 2007-11-29 at 10:40 -0800, Ray Lee wrote: On Nov 29, 2007 9:36 AM, Alan Cox [EMAIL PROTECTED] wrote: closed. But more importantly further access to it can be blocked until appropriate actions are taken which also
