Re: [malware-list] [RFC 0/5] [TALPA] Intro to a linux interface foron access scanning

[Andi Kleen]

"Press, Jonathan" <Jonathan.Press@xxxxxx> writes:
>
> Also...  I was one of the people who brought up the idea of a process
> exclusion when the requirements list was being developed.  I intended it
> as a way that an AV application could exclude specific OTHER processes
> by name (as selected by the AV user)

There's no fixed process name in Linux that cannot be easily faked: 

Use process name -- every process can change that by writing to its own
environment.
Use comm name -- there's a prctl to change that and there can be collisions
Use path name of binary -- breaks with chroot and name spaces. Also existing
binaries can be subverted.
Use inode of binary -- can be faked with fuse and breaks when the binaries
is copied ...
Use dev, inode -- breaks when copying binary and when running on network
file systems without a device node

-Andi

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/