
The CORRECT way to use the on-access scanner (libesets_pac)


I just got bitten by this, and some research suggests that I'm not alone, so for everyone else's benefit...


The default configuration for NOD32 is to add the on-access scanner library, libesets_pac.so, to /etc/ld.so.preload.


This is extremely bad practice, and actually contradicts ESET's own advice, since it replaces libc fopen() et al. calls on the entire system, potentially causing havoc.


That is not how the scanner is meant to be used.


In my case, GNU make mysteriously stopped working. Its processes became defunct. I couldn't understand why, until I changed the parallel jobs from 5 to 1, and suddenly it worked. That wouldn't make any sense unless libc had just miraculously forgotten how to access shared memory. The final clue came when I examined various system logs, and discovered prelink complaining that my entire system was now linked to libesets_pac.so, and thus couldn't be prelinked. Imagine my surprise.


The solution is simple. You need to completely remove the reference to libesets_pac.so from /etc/ld.so.preload, then reboot. No further repair is required, since the modifications introduced by libesets_pac.so were only in RAM, not on disk, and were therefore lost by rebooting.


Strictly speaking, there shouldn't be anything in that file at all, unless you're a developer engaging in some pretty hackish debugging, preferably on a VM that you can restore from a snapshot in an instant, when it inevitably bricks. No regular Linux desktop, and certainly no production server, should ever be hijacking libc. Ironically I'd describe that as malware behaviour.


From that point on, all the mysterious issues you've been scratching your head over, since installing NOD32, will be resolved.


But that doesn't mean you've lost on-access scanning, it just means that it's (quite rightly) no longer system-wide. The only time on-access scanning actually makes sense anyway is when untrusted objects are introduced to the system from outside (i.e. downloaded or copied from removable media), since everything else was either created locally or is an immutable system component from a trusted source, all of which has already been audited by a full system scan (right?).


Specifically, this means that you only need to attach libesets_pac.so to internet-facing applications and services (using wrappers), and file managers accessing removable media. Everything else can be left untouched.

LD_PRELOAD=/opt/eset/esets/lib/libesets_pac.so /opt/firefox/firefox-bin



Edited by Slated

I did an installation on Slackware64 and the /etc/ld.so.preload is populated with the same default preloading. However, you can NOT simply comment out the information, but must remove it from the file, otherwise you'll get warnings.

If running Samba for file sharing, especially in a home LAN environment, the link about ESET's own advice posted in the above comment helped me place a scan on all files that were being "shared" from Samba users.  Read Section 5 for instructions and tips.

Edited by BrianA_MN
update information left earlier
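Added example, not part of either post above and not ESET's code: shell functions that delete the libesets_pac.so entry from a preload file outright (the fix from the first post, removed rather than commented out as the second post advises) and list the processes that still have the library mapped until they are restarted or the machine is rebooted. The library path is the one quoted in the first post; the function names and the proc-root parameter are assumptions made for this example.

```shell
#!/bin/sh
# Added example. Library path as quoted in the first post; names are hypothetical.
LIB=${LIB:-/opt/eset/esets/lib/libesets_pac.so}

# Print the entries of preload file $1, one per line. Entries are separated
# by whitespace or colons; text after '#' is dropped before splitting.
preload_entries() {
    [ -r "$1" ] || return 0
    sed 's/#.*//' "$1" | tr ' \t:' '\n\n\n' | sed '/^$/d'
}

# Remove every entry equal to $2 (default: $LIB) from preload file $1.
# The entry is deleted, not commented out; other entries are kept.
# The original is saved as $1.bak.
preload_remove() {
    file=$1 lib=${2:-$LIB}
    [ -f "$file" ] || return 0
    cp -p "$file" "$file.bak" || return 1
    # grep exits 1 when no entries remain; that is not an error here.
    preload_entries "$file.bak" | grep -Fxv -- "$lib" > "$file.new" || :
    cat "$file.new" > "$file" && rm -f "$file.new"
}

# Print the PIDs under proc root $1 (default /proc) whose memory maps still
# reference library $2. Processes started before the entry was removed keep
# the library loaded until they exit.
still_mapped() {
    root=${1:-/proc} lib=${2:-$LIB}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Fq -- "$lib" "$maps" 2>/dev/null; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Typical use as root:
#   preload_remove /etc/ld.so.preload && still_mapped
```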

This topic is now closed to further replies.