Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface foron access scanning

From: Helge Hafting
Date: Tue Aug 05 2008 - 07:21:35 EST

Next message: KOSAKI Motohiro: "Re: Race condition between putback_lru_page and mem_cgroup_move_list"
Previous message: Andrea Righi: "Re: Too many I/O controller patches"
In reply to: tvrtko . ursulin: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for onaccess scanning"
Next in thread: Greg KH: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfacefor on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Greg KH wrote:

I don't see anything in the list above that make this a requirement that
the code to do this be placed within the kernel.

What is wrong with doing it in glibc or some other system-wide library
(LD_PRELOAD hooks, etc.)?

A linux virus would trivially get around that by doing its own syscalls
instead of using glibc. (It might still link dynamically to glibc so
you don't get suspicious, but won' actually use it when doing bad stuff.)

Helge Hafting
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: KOSAKI Motohiro: "Re: Race condition between putback_lru_page and mem_cgroup_move_list"
Previous message: Andrea Righi: "Re: Too many I/O controller patches"
In reply to: tvrtko . ursulin: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface for onaccess scanning"
Next in thread: Greg KH: "Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interfacefor on access scanning"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]