Nico Kadel-Garcia
2007-Apr-04 15:42 UTC
[Xen-users] Anti-virus for use in para-virtualized Xen
I've been looking at anti-virus software for Xen use on Linux systems, on both Dom0 and DomU, in industrial environments. Reviewing documentation on various packages seems to show that all the commercial ones insist on sticking kernel modules into a limited set of standard known kernels. This of course creates some serious risks until the anti-virus packages are developed in and tested in Xen environments, especially for para-virtualized environments.

Has anyone out there been using any such commercial packages? Or am I stuck with tools like ClamAV to avoid complicating my life with unfortunate kernel interactions?

Nico

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Petersson, Mats
2007-Apr-04 15:45 UTC
RE: [Xen-users] Anti-virus for use in para-virtualized Xen
> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Nico Kadel-Garcia
> Sent: 04 April 2007 16:42
> To: xen-users@lists.xensource.com
> Subject: [Xen-users] Anti-virus for use in para-virtualized Xen
>
> I've been looking at anti-virus software for Xen use on Linux systems, on both Dom0 and DomU, in industrial environments. Reviewing documentation on various packages seems to show that all the commercial ones insist on sticking kernel modules into a limited set of standard known kernels. This of course creates some serious risks until the anti-virus packages are developed in and tested in Xen environments, especially for para-virtualized environments.

I presume the reason they have a standard set of kernels is that they "meddle" with the kernel and don't supply source-code, which means that a Xenified kernel doesn't match the expected kernel layout, and thus can't use the module? [And it's understandable from some aspects that the AV guys don't really want the V-guys to see the source-code...]

> Has anyone out there been using any such commercial packages? Or am I stuck with tools like ClamAV to avoid complicating my life with unfortunate kernel interactions?

Possibly stuck...

-- Mats

> Nico
Mark Greenbank
2007-Apr-04 16:41 UTC
Re: [Xen-users] Anti-virus for use in para-virtualized Xen
On 4/4/07, Petersson, Mats <Mats.Petersson@amd.com> wrote:

> > -----Original Message-----
> > From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Nico Kadel-Garcia
> > Sent: 04 April 2007 16:42
> > To: xen-users@lists.xensource.com
> > Subject: [Xen-users] Anti-virus for use in para-virtualized Xen
> >
> > I've been looking at anti-virus software for Xen use on Linux systems, on both Dom0 and DomU, in industrial environments. Reviewing documentation on various packages seems to show that all the commercial ones insist on sticking kernel modules into a limited set of standard known kernels. This of course creates some serious risks until the anti-virus packages are developed in and tested in Xen environments, especially for para-virtualized environments.
>
> I presume the reason they have a standard set of kernels is that they "meddle" with the kernel and don't supply source-code, which means that a Xenified kernel doesn't match the expected kernel layout, and thus can't use the module? [And it's understandable from some aspects that the AV guys don't really want the V-guys to see the source-code...]

This is a serious limitation with the way the kernel is architected -- a defined kernel interface (e.g., DDI/DKI for both function calls and structures) and loadable modules/drivers are not encouraged, which means that there is a proliferation of customized kernels out there. This really limits the utility of the Linux kernel in a production environment.

I myself am stuck at Core 5 for my (production) laptop since I'm worried that upgrading to the latest+greatest distro will break my VMWare installation and various other components that depend on interfacing with the kernel. I'd love to move to Core 6 but I don't have enough pain to live with having to hack the VMWare modules. With Core 7 around the corner, I suspect that my motivation to hack will increase :)

Mark
Nico Kadel-Garcia
2007-Apr-04 16:48 UTC
Re: [Xen-users] Anti-virus for use in para-virtualized Xen
Petersson, Mats wrote:

>> -----Original Message-----
>> From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Nico Kadel-Garcia
>> Sent: 04 April 2007 16:42
>> To: xen-users@lists.xensource.com
>> Subject: [Xen-users] Anti-virus for use in para-virtualized Xen
>>
>> I've been looking at anti-virus software for Xen use on Linux systems, on both Dom0 and DomU, in industrial environments. Reviewing documentation on various packages seems to show that all the commercial ones insist on sticking kernel modules into a limited set of standard known kernels. This of course creates some serious risks until the anti-virus packages are developed in and tested in Xen environments, especially for para-virtualized environments.
>
> I presume the reason they have a standard set of kernels is that they "meddle" with the kernel and don't supply source-code, which means that a Xenified kernel doesn't match the expected kernel layout, and thus can't use the module? [And it's understandable from some aspects that the AV guys don't really want the V-guys to see the source-code...]
>
>> Has anyone out there been using any such commercial packages? Or am I stuck with tools like ClamAV to avoid complicating my life with unfortunate kernel interactions?
>
> Possibly stuck...

Well, yes, that's all logical presumption, matching my logical presumptions. But you see, the world is not logical. A cautious designer would recognize that this is a risk and leave modules available for operating in userland without futzing with the kernel. A paranoid designer would insist that control of the kernel is mandatory to protect the anti-virus software itself: I'm looking for real experience with the stuff to make informed opinions, not try to spin plausible scenarios.

(Note: it's not you I'm cranky at, it's vendors who can't spell "userland".)
Petersson, Mats
2007-Apr-04 16:52 UTC
RE: [Xen-users] Anti-virus for use in para-virtualized Xen
> -----Original Message-----
> From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Mark Greenbank
> Sent: 04 April 2007 17:42
> To: xen-users@lists.xensource.com
> Subject: Re: [Xen-users] Anti-virus for use in para-virtualized Xen
>
> On 4/4/07, Petersson, Mats <Mats.Petersson@amd.com> wrote:
>
> > > -----Original Message-----
> > > From: xen-users-bounces@lists.xensource.com [mailto:xen-users-bounces@lists.xensource.com] On Behalf Of Nico Kadel-Garcia
> > > Sent: 04 April 2007 16:42
> > > To: xen-users@lists.xensource.com
> > > Subject: [Xen-users] Anti-virus for use in para-virtualized Xen
> > >
> > > I've been looking at anti-virus software for Xen use on Linux systems, on both Dom0 and DomU, in industrial environments. Reviewing documentation on various packages seems to show that all the commercial ones insist on sticking kernel modules into a limited set of standard known kernels. This of course creates some serious risks until the anti-virus packages are developed in and tested in Xen environments, especially for para-virtualized environments.
> >
> > I presume the reason they have a standard set of kernels is that they "meddle" with the kernel and don't supply source-code, which means that a Xenified kernel doesn't match the expected kernel layout, and thus can't use the module? [And it's understandable from some aspects that the AV guys don't really want the V-guys to see the source-code...]
>
> This is a serious limitation with the way the kernel is architected -- a defined kernel interface (e.g., DDI/DKI for both function calls and structures) and loadable modules/drivers are not encouraged, which means that there is a proliferation of customized kernels out there. This really limits the utility of the Linux kernel in a production environment.
>
> I myself am stuck at Core 5 for my (production) laptop since I'm worried that upgrading to the latest+greatest distro will break my VMWare installation and various other components that depend on interfacing with the kernel. I'd love to move to Core 6 but I don't have enough pain to live with having to hack the VMWare modules. With Core 7 around the corner, I suspect that my motivation to hack will increase :)

I can't say that I disagree. There is a problem with this in many OS's tho', not just Linux. Windows certainly have problems with the interface for AV-software in the sense that AV-software wants to hook into things that don't have official hooks. This is not so bad when you only have one hooker(sic), as the software can "just" modify the system-call table. But what happens when it's already been modified by someone's software that got loaded first... :-(

The real problem here is that AV-software (and other software that interfaces with what you are allowed to do and what you aren't) can sometimes need to use things that the publicly available interface doesn't supply. Changing the interface for future versions is great, but there are big problems with changing EXISTING installations such that it's both backwards compatible and supports the new API at the same time.

[I'm not an EXPERT on AV-software, but I know a little bit about how it works and what they (try to) do in it - and there's of course MANY different varieties available].

-- Mats

> Mark
Mark Greenbank
2007-Apr-05 01:04 UTC
Re: [Xen-users] Anti-virus for use in para-virtualized Xen
On 4/4/07, Petersson, Mats <Mats.Petersson@amd.com> wrote:

> > This is a serious limitation with the way the kernel is architected -- a defined kernel interface (e.g., DDI/DKI for both function calls and structures) and loadable modules/drivers are not encouraged, which means that there is a proliferation of customized kernels out there. This really limits the utility of the Linux kernel in a production environment. I myself am stuck at Core 5 for my (production) laptop since I'm worried that upgrading to the latest+greatest distro will break my VMWare installation and various other components that depend on interfacing with the kernel. I'd love to move to Core 6 but I don't have enough pain to live with having to hack the VMWare modules. With Core 7 around the corner, I suspect that my motivation to hack will increase :)
>
> I can't say that I disagree.

Just after I wrote about the problem I did a yum update --- then spent the next hour rebuilding VMWare modules :( Should have just stayed quiet and maybe the kernel gods wouldn't have been angry.

Mark