Posts posted by KarelD
Hi,
I am using ESET on a RHEL7 machine.
The on demand scan is working.
Since the machine is used as an sftp server, I would like to use the on access scan when a new file is added to a specific directory.
In the esets.cfg file I specified the action (create) and directory in [pac]. In the sshd.service file, the environment=LD_PRELOAD=.../libesets_pac.so is defined.
This environment is loaded for sshd. However, the on access scan seems not to be working according to the stats.onaccess file.
I tried to upload the EICAR test file and it's not detected (~ no scan performed). Did anyone have the same issues or any idea on what can be wrong with my configuration?
Kind regards
On access scanning RHEL7: not working / shmget: Permission Denied
in ESET Products for Linux Servers
Some updates and more information:
We created a sftp-server. A user is able to upload files over sftp. When a file is uploaded to a certain directory, it must be scanned 'on access'.
As I mentioned in my previous post, we did a preload for the libesets_pac.so library when the ssh daemon is started. We changed the way we do this. First it was with the environment parameter, now we change
into
We can see that the library is preloaded:
In the configuration file of eset, the actions and directory for [pac] are set. However, the on access scan is still not performed.
When performing an strace on the pid of sshd (there are multiple, but in some of the children we can find this):
It seems like information is requested about the esets daemon, and some shared memory is accessed, but permission to this shared memory is denied.
When looking at the shared memory segments:
and 32011 is the pid of the eset daemon.
To conclude, we think that the libesets_pac.so library is loaded correctly, and when a call to open() is made, the function in this library is used. To perform the on access scan the ssh daemon process tries to read from a certain shared memory from the esets daemon, but is not allowed. Following that the scan is not performed. We checked the namespaces of the sshd and eset and they are both the same.
Does anyone have any idea what can be wrong? Or any suggestions for additional tests?
Thank you in advance for your reply.
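
Added example (not part of the original post, and not ESET code): one additional test for the `shmget: Permission Denied` symptom is to apply the classic System V owner/group/other mode-bit check to the segments created by the daemon PID, using rows in the layout of `/proc/sysvipc/shm`. The sample rows, UIDs/GIDs and function names are constructed for illustration; only PID 32011 comes from the post.

```python
"""Classic SysV IPC mode-bit check applied to /proc/sysvipc/shm rows."""

# Constructed sample in /proc/sysvipc/shm layout (perms column is octal).
# PID 32011 is taken from the post; every other value is made up.
SAMPLE = """\
       key      shmid perms       size  cpid  lpid nattch   uid   gid  cuid  cgid
1392645121      98304   600       4096 32011 32011      1   990   988   990   988
         0     131073   666      65536  1200  1450      2  1000  1000  1000  1000
"""

def parse_shm(text):
    """Return one dict per segment, keyed by the header column names."""
    lines = text.strip().splitlines()
    cols = lines[0].split()
    segs = []
    for line in lines[1:]:
        raw = dict(zip(cols, line.split()))
        segs.append({k: int(v, 8) if k == "perms" else int(v)
                     for k, v in raw.items()})
    return segs

def allowed(seg, euid, gids, want):
    """want: 4 = read, 2 = write. Picks owner, group or other bits.

    Models only the mode bits: CAP_IPC_OWNER bypasses this check, and an
    LSM such as SELinux can still deny access that the mode bits allow.
    """
    mode = seg["perms"]
    if euid in (seg["uid"], seg["cuid"]):
        granted = mode >> 6
    elif {seg["gid"], seg["cgid"]} & set(gids):
        granted = mode >> 3
    else:
        granted = mode
    return (want & ~granted & 7) == 0

def report(text, daemon_pid, euid, gids):
    """Map shmid -> (can_read, can_write) for segments created by daemon_pid."""
    return {s["shmid"]: (allowed(s, euid, gids, 4), allowed(s, euid, gids, 2))
            for s in parse_shm(text) if s["cpid"] == daemon_pid}

if __name__ == "__main__":
    # Hypothetical credentials of an sshd child serving an SFTP user.
    print(report(SAMPLE, 32011, euid=1001, gids=[1001]))
```

On a live system, pass the contents of `/proc/sysvipc/shm` as `text` and take the effective UID and groups of the sshd child from the `Uid:`, `Gid:` and `Groups:` lines of `/proc/<pid>/status`.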