Archived

This topic is now archived and is closed to further replies.

hungtt

Real-time protection on FILE SECURITY for LINUX server

Recommended Posts

HI all,

I installed ESET FILE SECURITY for Linux server version 4.5.7.

But i can not enable Real-time protection when wget test file eicar.om--> file download completed and no warning any alert.

If i scan on-demand manual, it detected and deleted that file.

How can ESET real-time protection on linux server ? ( i use Centos 7 64bit)

Thanks.

Screen Shot 2017-06-18 at 1.50.10 PM.png

Screen Shot 2017-06-18 at 1.50.27 PM.png

Screen Shot 2017-06-18 at 1.50.49 PM.png

Share this post


Link to post
Share on other sites

Hello, anyone can help me this ?

Share this post


Link to post
Share on other sites

On Linux, you have to enable real-time protection(on-access protection) for specific processes and folder you want to protect. ESET provides you with 2 options to do real-time protection, one is Dazuko kernel module which requires you to download the source code, compile and load the module yourself, generally speaking this is not a very good option for most people. Another one is using preload LIBC library, which doesn't require you to compile anything but you have to specify the processes you want to protect by setting LD_PRELOAD variable before running these processes(generally daemons)

For instance, a typical scenario is to protect Samba (smbd) by modifying its init script (/etc/systemd/system/multi-user.targets.wants/smb.service in CENTOS7) by adding 

LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so

to Environment= configuration(see attached screenshot), then restarting the service:

systemctl daemon-reload && systemctl restart smb

This way when any user tries to copy infected files from shared folder, it gets detected and cleaned.

Likewise, if you want to protect wget, you have to set LD_PRELOAD everytime you call wget, for instance using wget to download Eicar:

LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so wget hxxp://www.eicar.org/download/eicar.com

Check in /var/log/messages that eicar file is detected and quarantined.

Besides setting LD_PRELOAD variable, you also have to add the directories you want to monitor under [pac] ctl_intl in esets.cfg (I can see you already did it using the web interface Agent PAC). It's not necessary to set the one in Agent DAC if you're not using the Dazuko module.

Another option is to put LD_PRELOAD in /etc/ld.so.preload so that all processes are monitored globally on boot, but there might be a significant impact on performance and stability of the system according to the docs. Interestingly NOD32 for Linux Desktop uses /etc/ld.so.preload.

2017-06-20_11-28-28.png

Share this post


Link to post
Share on other sites
On 20/6/2017 at 10:45 AM, V2TW said:

On Linux, you have to enable real-time protection(on-access protection) for specific processes and folder you want to protect. ESET provides you with 2 options to do real-time protection, one is Dazuko kernel module which requires you to download the source code, compile and load the module yourself, generally speaking this is not a very good option for most people. Another one is using preload LIBC library, which doesn't require you to compile anything but you have to specify the processes you want to protect by setting LD_PRELOAD variable before running these processes(generally daemons)

For instance, a typical scenario is to protect Samba (smbd) by modifying its init script (/etc/systemd/system/multi-user.targets.wants/smb.service in CENTOS7) by adding 


LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so

to Environment= configuration(see attached screenshot), then restarting the service:


systemctl daemon-reload && systemctl restart smb

This way when any user tries to copy infected files from shared folder, it gets detected and cleaned.

Likewise, if you want to protect wget, you have to set LD_PRELOAD everytime you call wget, for instance using wget to download Eicar:


LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so wget hxxp://www.eicar.org/download/eicar.com

Check in /var/log/messages that eicar file is detected and quarantined.

Besides setting LD_PRELOAD variable, you also have to add the directories you want to monitor under [pac] ctl_intl in esets.cfg (I can see you already did it using the web interface Agent PAC). It's not necessary to set the one in Agent DAC if you're not using the Dazuko module.

Another option is to put LD_PRELOAD in /etc/ld.so.preload so that all processes are monitored globally on boot, but there might be a significant impact on performance and stability of the system according to the docs. Interestingly NOD32 for Linux Desktop uses /etc/ld.so.preload.

2017-06-20_11-28-28.png

Hello,

great tutorial,

i want to ask, how about server that not use samba?

we want to protect our web server that have folder for web content and we want eset real-time protect it.

 

thank you

 

Share this post


Link to post
Share on other sites

Hi Macros,

have you found a solution?
I want to do on-access scan (open, create, exec) on the /home (without smb or nfs, only filesystem) and i dont find a solution.

 

Thanks.

Share this post


Link to post
Share on other sites

Hi there,

On the latest version (4.5.7) real time protection on Linux systems, can be achieved by:

- Systemwide pre loading the scan library:
update or create /etc/ld.so.preload and add the following line:
/opt/eset/esets/$LIB/libesets_pac.so

- [pac] section adjustment in /etc/opt/eset/esets/esets.cfg  or into the WWWI interface
ctl_incl="/" # All filesystems scanned on access

If you do not want all of the filesystems to be scanned, you can specify the one you want in extenso (e.g. ctl_incl=/etc:/home:/lib:/var:/tmp:/usr)

Then in the wwwi interface you should be able to see statistics for the on-access scanning.

You can also test if this is really working, by transferring an "malicious" file or create one like the eicar file (https://en.wikipedia.org/wiki/EICAR_test_file)

For me, this is working correctly and system wide performance is very good, if you test this I would appreciate a feedback on the system performance wise.

Cheers.
Alin

Share this post


Link to post
Share on other sites
On 9/19/2017 at 9:20 PM, AConstantin said:

Hi there,

On the latest version (4.5.7) real time protection on Linux systems, can be achieved by:

- Systemwide pre loading the scan library:
update or create /etc/ld.so.preload and add the following line:
/opt/eset/esets/$LIB/libesets_pac.so

- [pac] section adjustment in /etc/opt/eset/esets/esets.cfg  or into the WWWI interface
ctl_incl="/" # All filesystems scanned on access

If you do not want all of the filesystems to be scanned, you can specify the one you want in extenso (e.g. ctl_incl=/etc:/home:/lib:/var:/tmp:/usr)

Then in the wwwi interface you should be able to see statistics for the on-access scanning.

You can also test if this is really working, by transferring an "malicious" file or create one like the eicar file (https://en.wikipedia.org/wiki/EICAR_test_file)

For me, this is working correctly and system wide performance is very good, if you test this I would appreciate a feedback on the system performance wise.

Cheers.
Alin

Thanks your information.

But when i config below your information , my server alert : 

esets_daemon: ERROR: ld.so: object '/opt/eset/esets/lib64/libesets_pac.so' from /etc/ld.so.preload cannot be preloaded: ignored.

My server is : centos 7 64bit

 #cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

Share this post


Link to post
Share on other sites

  • Recently Browsing   0 members

    No registered users viewing this page.