re: libmalware.so: Dazuko Linux/BSD On-Access scanning and control

re: libmalware.so: Dazuko Linux/BSD On-Access scanning and control

[7v5w7go9ub0o]

(FYI. Dazuko may have trailblazed some of the issues now under 
discussion re: libmalware.so. It has worked well for me. It used to be 
an LKM, it is now a source patch. It is used in a number of commercial 
products)


<http://dazuko.dnsalias.org/wiki/index.php/Main_Page>

"A Virtual Device Driver to Allow Online File Access Control

A common interface is needed, which allows userland applications to
perform online file access control. Dazuko aims to provide that interface."

FWIW, I'm not associated with Dazuko or Antivir; I've been happily using
Dazuko with AntiVir for a year or so.

1. AntiVir includes numerous Linux signatures as well as Windows. So I
scan both 'ix downloads, as well as the process of compiling new software.

2. Other AntiMalwares are using Dazuko, though many are scanning for 
Windows malware only.

3. The AntiVir/Dazuko combination with full heuristics has blocked
access to clearly dangerous JS scripts in my browser cache.

4. IMHO, what is needed is a Dazuko or libmalware/Integrity database 
link. If an md5 of an executable or script is new or has changed, access 
is blocked 'til a response to a popup is given. Access can be blocked; 
one-time allowed; or permanently allowed, in which case the md5 is updated.

Hope This Helps.

Re: libmalware.so: Dazuko Linux/BSD On-Access scanning and control

[Andi Kleen]

7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> writes:

> (FYI. Dazuko may have trailblazed some of the issues now under
> discussion re: libmalware.so. It has worked well for me.

Against what exactly did it protect you? Please give a concrete example.

-Andi

Re: libmalware.so: Dazuko Linux/BSD On-Access scanning and control

[7v5w7go9ub0o]

Andi Kleen wrote:
> 7v5w7go9ub0o <7v5w7go9ub0o@gmail.com> writes:
> 
>> (FYI. Dazuko may have trailblazed some of the issues now under
>> discussion re: libmalware.so. It has worked well for me.
> 
> Against what exactly did it protect you? Please give a concrete example.
> 
> -Andi
> 

1. This came in a few minutes ago:

Aug 13 14:56:31 tux antivir[6381]: AntiVir ALERT: [EML/FakeLink.F] 
/jail/tbird/root/.thunderbird/0r2957kg.default/Mail/L
ocal Folders/Junk.XXX <<< Contains detection pattern of EML/FakeLink.F 
in EML form

2. I have not retained the logs of "suspicious scripts" in my browser, 
but have come across perhaps 4 blocked scripts within the last month. 
Admittedly at dodgy sites.

XSS attacks are platform independent, and are a significant concern.


Please note that when I say it has worked well for me, I am not saying 
that it has saved my bacon! :-)

1. I am referring to the mechanics of having the Kernel/userland app 
stop processing when it finds a malware signature or heuristic detection.

2. Am also referring to the totally manageable (IMHO) overhead.

I've mentioned my experience with Dazuko/antivir only because it may be 
useful to the ongoing discussion about the nature of libmalware.so.

3. I am frankly waiting for a bug to get into my upstream distribution 
chain - through a hijacking or some wonderful DNS prank - at which point 
I ..hope.. a signature or heuristic will block my root-enabled make install.

4. Again, my hope for libmalware.so/dazuko is a realtime 
integrity-management link.