KarelD 0 Posted April 5, 2017 (edited)

Hi,

I am using ESET on a RHEL7 machine. The on-demand scan is working. Since the machine is used as an sftp server, I would like to use the on-access scan when a new file is added to a specific directory. In the esets.cfg file I specified the action (create) and directory in [pac]. In the sshd.service file, the environment=LD_PRELOAD=.../libesets_pac.so is defined. This environment is loaded for sshd. However, the on-access scan seems not to be working according to the stats.onaccess file. I tried to upload the EICAR test file and it is not detected (~ no scan performed). Did anyone have the same issues or any idea on what can be wrong with my configuration?

Kind regards

Edited April 12, 2017 by KarelD
KarelD (Author) 0 Posted April 12, 2017

Some updates and more information:

We created an sftp server. A user is able to upload files over sftp. When a file is uploaded to a certain directory, it must be scanned 'on access'. As I mentioned in my previous post, we did a preload for the libesets_pac.so library when the ssh daemon is started. We changed the way we do this. First it was with the environment parameter; now we change

ExecStart=/usr/sbin/sshd $OPTIONS

into

ExecStart=/bin/bash -c "LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so /usr/sbin/sshd $OPTIONS"

We can see that the library is preloaded (lsof -p <pid>):

sshd <pid> root mem REG 253,0 318792 555738 /opt/eset/esets/lib64/libesets_pac.so

In the configuration file of ESET, the actions and directory for [pac] are set. However, the on-access scan is still not performed. When performing an strace on the pid of sshd (there are multiple, but in some of the children we can find this):

stat("/opt/eset/esets/sbin/esets_daemon", {st_mode=S_IFREG|0755, st_size=1446464, ...}) = 0
shmget(0x32009ce1, 0, 0) = -1 EACCES (Permission denied)

It seems like information is requested about the esets daemon, and some shared memory is accessed, but permission to this shared memory is denied. When looking at the shared memory segments:

------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x32009ce1 1671168    root       644        512        2
0x0113beff 1212417    root       600        1000       7

------ Shared Memory Creator/Last-op PIDs --------
shmid      owner      cpid       lpid
1671168    root       32011      32013
1212417    root       20140      20140

and 32011 is the pid of the ESET daemon:

root 32011 1 0 16:08 ? 00:00:00 /opt/eset/esets/sbin/esets_daemon

To conclude, we think that the libesets_pac.so library is loaded correctly, and when a call to open() is made, the function in this library is used. To perform the on-access scan, the ssh daemon process tries to read from a certain shared memory segment of the esets daemon, but is not allowed. Following that, the scan is not performed. We checked the namespaces of sshd and ESET and they are both the same. Does anyone have any idea what can be wrong? Or any suggestions for additional tests? Thank you in advance for your reply.
ESET Staff MartinK 383 Posted April 18, 2017

On 12. 4. 2017 at 9:21 AM, KarelD said:
Does anyone have any idea what can be wrong? Or any suggestions for additional tests?

Just guessing, but is SELinux enabled on this machine? If I recall correctly, SELinux-enabled systems are not supported by this product. I would recommend checking the audit logs or testing the functionality with SELinux switched into permissive mode, in case it was previously enabled (in enforcing mode). Another possibility is that sshd is running under a user account that is for some reason not able to access the mentioned shared memory. Is sshd running with root privileges?
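Added example (not from the thread and not ESET code): a small POSIX shell helper that separates the causes a `shmget() = -1 EACCES` like the one in the strace above can have. It mirrors the kernel's System V IPC DAC check, ipcperms(): the requested bits are (flag>>6)|(flag>>3)|flag, compared with the owner, group or other permission triplet that applies to the caller (CAP_IPC_OWNER, which bypasses that check, is not modelled). It also parses `ipcs -m` for the key seen in strace, reads a process's effective uid and gid from /proc/PID/status, and reads the SELinux mode from /sys/fs/selinux/enforce. Two consequences follow for the trace in the post: shmget(key, 0, 0) requests no permission bits, so DAC cannot return EACCES on a root-owned 644 segment whatever the caller's uid, and a key that is not visible in the caller's IPC namespace fails with ENOENT, not EACCES. What is left is an LSM denial such as SELinux in enforcing mode, which is what the reply above suggests checking. The embedded ipcs sample is constructed from the numbers in the post; the script name, the function names and the diagnose() entry point are mine.

```shell
#!/bin/sh
# pac_shm_check.sh - hypothetical diagnostic helper (added example, not ESET code).
# Separates the possible causes of "shmget(key, 0, 0) = -1 EACCES" seen under
# strace in a process that preloads libesets_pac.so:
#   1. key not visible in the caller's IPC namespace  -> kernel returns ENOENT
#   2. System V IPC DAC (owner/perms vs caller uid)   -> modelled by dac_permits
#   3. an LSM denial, e.g. SELinux in enforcing mode  -> see selinux_mode
# Every helper takes its input as arguments so it can run on constructed data;
# diagnose() wires them to the live system.

# Constructed sample, copied from the numbers in the forum post above.
SAMPLE_IPCS='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x32009ce1 1671168    root       644        512        2
0x0113beff 1212417    root       600        1000       7'

# octal string -> decimal integer (does not rely on leading-0 octal literals)
oct2dec() {
    v=0; s=$1
    while [ -n "$s" ]; do
        d=${s%"${s#?}"}            # first character
        s=${s#?}                   # remaining characters
        v=$((v * 8 + d))
    done
    echo "$v"
}

# dac_permits PERMS OWNER_UID OWNER_GID EUID EGID SHMFLG -> allow | deny
# PERMS and SHMFLG are octal strings as shown by ipcs / passed to shmget().
# Mirrors the kernel's ipcperms(): requested = (flag>>6)|(flag>>3)|flag is
# checked against the owner, group or other triplet that applies to the
# caller. CAP_IPC_OWNER, which bypasses this check, is not modelled.
dac_permits() {
    perms=$(oct2dec "$1"); ouid=$2; ogid=$3; euid=$4; egid=$5
    flag=$(oct2dec "$6")
    requested=$(( ((flag >> 6) | (flag >> 3) | flag) & 7 ))
    if [ "$euid" -eq "$ouid" ]; then
        granted=$(( (perms >> 6) & 7 ))
    elif [ "$egid" -eq "$ogid" ]; then
        granted=$(( (perms >> 3) & 7 ))
    else
        granted=$(( perms & 7 ))
    fi
    if [ $(( requested & ~granted & 7 )) -ne 0 ]; then echo deny; else echo allow; fi
}

# shm_info IPCS_TEXT KEY -> "shmid owner perms nattch" for KEY, empty if absent
shm_info() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2, $3, $4, $6 }'
}

# uid_from_status STATUS_FILE -> effective uid (second value on the Uid: line)
uid_from_status() {
    awk '$1 == "Uid:" { print $3 }' "$1"
}

# gid_from_status STATUS_FILE -> effective gid (second value on the Gid: line)
gid_from_status() {
    awk '$1 == "Gid:" { print $3 }' "$1"
}

# selinux_mode [ENFORCE_FILE] -> enforcing | permissive | disabled
selinux_mode() {
    f=${1:-/sys/fs/selinux/enforce}
    if [ -r "$f" ]; then
        if [ "$(cat "$f")" = 1 ]; then echo enforcing; else echo permissive; fi
    else
        echo disabled
    fi
}

# diagnose KEY PID... : run the checks on the live system (root is needed to
# read /proc/PID/status of other users' processes and to see every segment).
diagnose() {
    key=$1; shift
    info=$(shm_info "$(ipcs -m)" "$key")
    if [ -z "$info" ]; then
        echo "key $key not visible in this IPC namespace: shmget would give ENOENT, not EACCES"
        return 1
    fi
    owner=$(echo "$info" | awk '{ print $2 }')
    perms=$(echo "$info" | awk '{ print $3 }')
    ouid=$(id -u "$owner"); ogid=$(id -g "$owner")
    echo "segment $key: owner=$owner perms=$perms selinux=$(selinux_mode)"
    for pid in "$@"; do
        st=/proc/$pid/status
        [ -r "$st" ] || { echo "pid $pid: cannot read $st"; continue; }
        euid=$(uid_from_status "$st"); egid=$(gid_from_status "$st")
        echo "pid $pid: euid=$euid egid=$egid DAC for shmget(key,0,0): $(dac_permits "$perms" "$ouid" "$ogid" "$euid" "$egid" 0)"
    done
}

# As a script: sh pac_shm_check.sh 0x32009ce1 $(pgrep -x sshd)
if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```

Run it as root once with SELinux enforcing and once after `setenforce 0`, with an sftp upload in between each run. If the upload is only scanned in permissive mode, `ausearch -m AVC -ts recent` should show the denial for the shm access. The DAC helper is there for the second hypothesis in the reply: it reports "allow" for every uid when the flags are 0, so a non-root sshd child alone does not explain the EACCES on shmget; it would only matter for a later shmat() that asks for read or write access.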