
Bug#690737: at least on 3.10



On Thu, Aug 29, 2013 at 04:46:41PM -0300, Carlos R. Pasqualini wrote:
> El jue, 29-08-2013 a las 10:31 +0200, Bastian Blank escribió:
> > Also for you the question: What does it bring for our users?
> The possibility to have a more efficient way of having an AV looking on
> the filesystem level for malware, on our file servers that run Debian.

A tool that adds latency to open operations does not really count as
efficient.  You can see the day-to-day resource usage on a typical
MS Windows system.

A scheduled sweep based on modification/change timestamp is much more
efficient and can be done in low usage times.

> Here we are a university in which we have ~2000 end users, using shared
> folders over NFS and Samba on Debian servers.

We have around 4k users on the faculty alone and we don't deploy
on-access scanning because it would kill the setup.

> > Why does "Skyld AV" fail if it can't actually deny access but only do
> > passive observation?
> With passive observation, do you mean to scan for viruses in a post-write
> step? If this is your affirmation, I think you are wrong: the whole point
> of this type of infrastructure is to prevent the malicious code from being
> written on a (maybe shared) partition.

Then fanotify is the wrong tool. fanotify can only do permission checks
on open() and access().  It can't do checks on file store.

Also what is malicious code?
| X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Does nothing and is defined for testing.

| :(){ :|:&};:
Can break a Linux system if no resource limits are in place.

Bastian

-- 
You!  What PLANET is this!
		-- McCoy, "The City on the Edge of Forever", stardate 3134.0
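Added example (not code from this thread, Debian, or the Skyld AV project): a minimal fanotify on-access checker in C that makes Bastian's point concrete. It marks a mount point with FAN_OPEN_PERM, so the kernel consults it only when a file is opened; a file written and closed is never gated, because fanotify has no permission event for write() or close(). The "scan" is simply a search for the EICAR test string quoted above; the mount point argument, the 4 KiB read limit, and the requirement for Linux with CAP_SYS_ADMIN are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
/* The EICAR test string quoted in the message; harmless by definition. */
static const char EICAR[] =
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*";
/* Decision logic kept separate so it can be exercised without root:
 * returns 1 if the buffer contains the EICAR string, else 0. */
int contains_eicar(const char *buf, size_t len)
{
    return memmem(buf, len, EICAR, sizeof EICAR - 1) != NULL;
}
/* Scan the fd handed over by the kernel; pread leaves the opener's file
 * offset untouched. Only the first 4 KiB is inspected (an assumption). */
static unsigned int scan_fd(int fd)
{
    char buf[4096];
    ssize_t n = pread(fd, buf, sizeof buf, 0);
    return (n > 0 && contains_eicar(buf, (size_t)n)) ? FAN_DENY : FAN_ALLOW;
}
int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <mountpoint>\n", argv[0]); return 2; }
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0) { perror("fanotify_init (needs CAP_SYS_ADMIN)"); return 1; }
    /* FAN_OPEN_PERM: asked before open() completes. There is no permission
     * event for write() or close(), so data already on disk is not gated. */
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM,
                      AT_FDCWD, argv[1]) < 0) { perror("fanotify_mark"); return 1; }
    for (;;) {
        struct fanotify_event_metadata ebuf[64];
        ssize_t len = read(fan, ebuf, sizeof ebuf);
        if (len <= 0) { if (len < 0 && errno == EINTR) continue; break; }
        for (struct fanotify_event_metadata *m = ebuf;
             FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len)) {
            if (m->mask & FAN_OPEN_PERM) {
                /* Answer the kernel; FAN_DENY makes the open() fail with EPERM. */
                struct fanotify_response r = { .fd = m->fd, .response = scan_fd(m->fd) };
                if (write(fan, &r, sizeof r) < 0) perror("write response");
            }
            if (m->fd >= 0) close(m->fd);
        }
    }
    return 0;
}
```

Run as root with a mount point to gate opens; note that copying the EICAR file onto the share with a tool that never re-opens it still lands on disk untouched.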

