KarelD

Some updates and more information: We created a sftp-server. A user is able to upload files over sftp. When a file is uploaded to a certain directory, it must be scanned 'on access'. As I mentioned in my previous post, we did a preload for the libeset_pac.so library when the ssh daemon in started. We changed the way we do this. First is was with the environment parameter, now we change ExecStart=/usr/sbin/sshd $OPTIONS into ExecStart=/bin/bash -c "LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so /usr/sbin/sshd $OPTIONS" We can see that the library is preloaded: lsof -p <pid>: sshd <pid> root mem REG 253,0 318792 555738 /opt/eset/esets/lib64/libesets_pac.so In the configuration file of eset, the actions and directory for [pac] are set. However, the on access scan is still not performed. When performing an strace on the pid of sshd (there are multiple, but in some of the children we can find this): stat("/opt/eset/esets/sbin/esets_daemon", {st_mode=S_IFREG|0755, st_size=1446464, ...}) = 0 shmget(0x32009ce1, 0, 0) = -1 EACCES (Permission denied) It seems like information is requested about the esets daemon, and some shared memory is accessed, but permission to this shared memory is denied. When looking at the shared memory segments: ------ Shared Memory Segments -------- key shmid owner perms bytes nattch status 0x32009ce1 1671168 root 644 512 2 0x0113beff 1212417 root 600 1000 7 ------ Shared Memory Creator/Last-op PIDs -------- shmid owner cpid lpid 1671168 root 32011 32013 1212417 root 20140 20140 and 32011 is the pid of the eset daemon. root 32011 1 0 16:08 ? 00:00:00 /opt/eset/esets/sbin/esets_daemon To conclude, we think that the libesets_pac.so library is loaded correctly, and when a call to open() is made, the function in this library is used. To perform the on access scan the ssh daemon process tries to read from a certain shared memory from the esets daemon, but is not allowed. Following that the scan is not performed. We checked the namespaces of the sshd and eset and they are both the same. Does anyone has any idea what can be wrong? Or any suggestions for additional tests? Thank you in advance for your reply.

Hi, I am using ESET on a RHEL7 machine. The on demand scan is working. Since the machine is used as an sftp server, I would like to use the on access scan when a new file is added to a specific directory. In the esets.cfg file I specified the action (create) and directory in [pac]. In het sshd.service file, the environment=LD_PRELOAD=.../libesets_pac.so is defined. This environment is loaded for sshd. However, the on access scan seems not te be working according to the stats.onaccess file. I tried to upload the EICAR test file and it's not detected (~ no scan performed). Did anyone had the same issues or any idea on what can be wrong with my configuration? Kind regards