In-Reply-To: <20080818171500.78590801@lxorguk.ukuu.org.uk>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux-kernel <linux-kernel@vger.kernel.org>, malware-list@lists.printk.net
Subject: Re: [malware-list] scanner interface proposal was: [TALPA] Intro	to a linux
 interface for on access scanning
MIME-Version: 1.0
From: douglas.leeder@sophos.com
Date: Mon, 18 Aug 2008 17:54:34 +0100
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20080818165432.4E51C3F608D@pmx1.sophos.com>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1402
Lines: 42

malware-list-bounces@dmesg.printk.net wrote on 2008-08-18 17:15:00:

> > On async notification we fire a message to everything that registered
> > 'simultaneously.' On blocking we fire a message to everything in
> > priority order and block until we get a response.  That response 
should
> > be of the form ALLOW/DENY and should include "mark result"/"don't mark
> > result."
> 
> No can do - you get stuck with recursive events with the virus checker
> trying to stop the indexer from indexing a worm.

And the opposite approach can't work because the AV scanner + the index 
scanner 
need the HSM to do its work before they can scan.

I guess the only way it could work is to have levels:
e.g.
HSM agent is Level 1
AV scanner is Level 2
Index scanner is Level 3

When you register at Level N, you are excluded from all blocking/scanning 
at Levels >= N,
but your ops are still passed to Level < N.

An example is a little hard to craft because HSM and indexing catch 
different operations. :-)
 
-- 
Douglas Leeder

Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon,
OX14 3YP, United Kingdom.

Company Reg No 2096520. VAT Reg No GB 348 3873 20.

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/