Re: [malware-list] TALPA - a threat model? well sorta.

From: douglas . leeder
Date: Fri Aug 15 2008 - 09:18:26 EST

Next message: Gregory Haskins: "[PATCH RT RFC v3] add generalized priority-inheritance interface"
Previous message: Theodore Tso: "Re: [malware-list] [RFC 0/5] [TALPA] Intro toalinuxinterfaceforonaccess scanning"
In reply to: Press, Jonathan: "RE: [malware-list] TALPA - a threat model? well sorta."
Next in thread: Theodore Tso: "Re: [malware-list] TALPA - a threat model? well sorta."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Jon Press wrote on 2008-08-15 14:10:21:

> > -----Original Message-----
> > From: malware-list-bounces@xxxxxxxxxxxxxxxx [mailto:malware-list-
> > bounces@xxxxxxxxxxxxxxxx] On Behalf Of Peter Zijlstra
> > Sent: Friday, August 15, 2008 6:37 AM
> > To: Helge Hafting
> > Cc: linux-kernel@xxxxxxxxxxxxxxx; malware-list@xxxxxxxxxxxxxxxx;
> hch@xxxxxxxxxxxxx;
> > andi@xxxxxxxxxxxxxx; viro@xxxxxxxxxxxxxxxxxx;
> alan@xxxxxxxxxxxxxxxxxxx; Arjan van
> > de Ven
> > Subject: Re: [malware-list] TALPA - a threat model? well sorta.
> >
> > On Fri, 2008-08-15 at 12:07 +0200, Helge Hafting wrote:
> > > It seems to me that this "scan on file open" business is the
> > > wrong way to do things - because it reduces performance.
> > >
> > > If you scan on file open, then your security sw is too late and
> > > getting in the way.
>
> The problem is that you have to account for the cases where the malware
> made it onto the system even if you were trying to catch it ahead of
> time. For example:
>
> - Administrator turns off or reduces AV protection for some reason for
> some period of time. It happens all the time.
>
> - New infection makes it onto the machine before the signatures have
> caught up with it. This also happens. There is an ongoing PR race
> among AV vendors about who was faster on the draw to get out signatures
> to detect some new malware. The fact that this race exists reflects
> that reality that there is some window during which new malware will
> make it onto some number of machines before the scanners catch up.
>

Not to mention removable media - it might be old hat, but infected/malware
files can come in on floppies, CDs or USB flash discs careless left on the
pavement outside an office.

--
Douglas Leeder

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Gregory Haskins: "[PATCH RT RFC v3] add generalized priority-inheritance interface"
Previous message: Theodore Tso: "Re: [malware-list] [RFC 0/5] [TALPA] Intro toalinuxinterfaceforonaccess scanning"
In reply to: Press, Jonathan: "RE: [malware-list] TALPA - a threat model? well sorta."
Next in thread: Theodore Tso: "Re: [malware-list] TALPA - a threat model? well sorta."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]