On Tue, 23 Sep 2008 20:08:16 +0200 Jonathan Dumke <[EMAIL PROTECTED]> wrote:
> > On Thu, 28 Aug 2008 19:47:57 +0300
> > Sami Tikka <[EMAIL PROTECTED]> wrote:
> >
> >> Frantisek Hrbata wrote on 28.8.2008 at 18.34:
> >> > [...]
> >>> scanning besides logs or some other output?
> >> Probably not. I just asked because F-Secure AV software has always
> >> had settings for scan-on-open, scan-on-exec and scan-on-close.
> >> Scan-on-close is nice-to-have and I have never heard anyone using
> >> just one of scan-on-open or scan-on-exec.
> >
> > AVG has also options for scanOnOpen, scanOnExec and
> > scanOnCloseModified. I think that is because dazuko provides such
> > events :). Question is if it is necessary to notify user-space
> > scanner which event triggered the scanning at all.
> >
> > -FH
>
> In my opinion the scanOnExec option is completely different from
> scanOnOpen; an example of my understanding follows here:
> sample cmd: vim ascript.sh
> scanOnExec should scan vim, because it is executed
> scanOnOpen should scan the script, because it is opened, or maybe it scans
> both vim and the edited file.

During exec the kernel calls the regular file open functions (sys_execve ->
do_execve -> open_exec -> ...). So if you want to execute some binary, the
kernel will call open anyway. I think that distinguishing open and exec is
good just for logging etc. It would be nice to have both events I guess, but
for security reasons it is not crucial. I can not imagine a situation where
you would like to scan only on-open or only on-exec. Open and exec events just
go hand in hand and disabling one of them will provide a gap for malware to
spread.

> Just another thing. Because the kernel and its interfaces are still
> in progress, I think it would be a good idea to encapsulate the
> needed api-calls in a dazuko-framework-library.

I am not sure what you mean by this. Dazuko provides the same api regardless
of which method it uses to get the needed events (syscalls, lsm, redirfs,
dazukofs).

> Greets,
> Jhony Walldorf
>
> _______________________________________________
> Dazuko-devel mailing list
> [email protected]
> http://lists.nongnu.org/mailman/listinfo/dazuko-devel
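The point made in the reply above (execve() goes through the kernel's regular open path, so a hook on open already sees executed files) can be observed from user space without any dazuko module. The following is an added example, not code from the dazuko project or from anyone on this thread: it places an inotify watch on an executable (inotify is an inode-level notification interface available to unprivileged users, which stands in here for the kernel-side open hook), then triggers a plain open() and a fork()+execv() of that file and counts the IN_OPEN events each produces. It assumes Linux and an executable at /bin/sh; both are assumptions, not anything stated on the page.

```c
/* Added example, not part of the dazuko project: shows that execve() of a
 * file raises the same inode-level open event as a plain open().
 * Assumes Linux with inotify and an executable at /bin/sh. */
#include <fcntl.h>
#include <stdio.h>
#include <sys/inotify.h>
#include <sys/wait.h>
#include <unistd.h>

/* Count IN_OPEN events on PATH produced by one action.  If do_exec is
 * nonzero the action is fork()+execv(path, "-c", "exit 0"); otherwise it is
 * open(path, O_RDONLY)+close().  Returns the number of IN_OPEN events seen
 * on the watched inode, or -1 if the watch could not be set up (path
 * missing, inotify unavailable, fork failure). */
int open_events_for(const char *path, int do_exec)
{
    int fd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (fd < 0)
        return -1;
    /* inotify_add_watch() follows symlinks, so /bin/sh -> dash is fine:
     * the watch lands on the inode the kernel will actually open. */
    int wd = inotify_add_watch(fd, path, IN_OPEN);
    if (wd < 0) {
        close(fd);
        return -1;
    }

    if (do_exec) {
        pid_t pid = fork();
        if (pid < 0) {
            close(fd);
            return -1;
        }
        if (pid == 0) {
            /* The kernel's exec path opens the file (open_exec) before any
             * of the new program's code runs; that open is what we count. */
            char *const argv[] = { (char *)path, "-c", "exit 0", NULL };
            execv(path, argv);
            _exit(127);
        }
        int status;
        waitpid(pid, &status, 0);
    } else {
        int f = open(path, O_RDONLY);
        if (f >= 0)
            close(f);
    }

    /* Drain the queue.  With IN_NONBLOCK, read() returns -1/EAGAIN once
     * no more events are pending, which ends the loop. */
    int seen = 0;
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    ssize_t n;
    while ((n = read(fd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + n;) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            if (ev->wd == wd && (ev->mask & IN_OPEN))
                seen++;
            p += sizeof *ev + ev->len;
        }
    }
    close(fd);
    return seen;
}

int main(void)
{
    const char *path = "/bin/sh"; /* assumed to exist and be executable */
    printf("open():   %d IN_OPEN event(s) on %s\n", open_events_for(path, 0), path);
    printf("execve(): %d IN_OPEN event(s) on %s\n", open_events_for(path, 1), path);
    return 0;
}
```

Both actions produce at least one IN_OPEN event on the same inode, which is the behaviour the reply describes: a scanner hooked on open already covers exec, and disabling one of the two options does not change what the kernel hook reports, only what the scanner chooses to ignore. The caveat a practitioner should note is that the inotify event carries nothing saying whether the open came from execve(), so telling the two apart at this layer is exactly the logging question raised above; later kernels added a separate fanotify mark for that purpose (FAN_OPEN_EXEC, since Linux 5.0), which is not something the thread could have relied on in 2008.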
