
Real-time protection on FILE SECURITY for LINUX server


Hi all,

I installed ESET FILE SECURITY for Linux server version 4.5.7.

But I can not enable Real-time protection: when I wget the test file eicar.com --> the file download completes and there is no warning or any alert.

If I scan on-demand manually, it detects and deletes that file.

How can I enable ESET real-time protection on a Linux server? (I use CentOS 7 64-bit)

Thanks.

[Attachments: Screen Shot 2017-06-18 at 1.50.10 PM.png, Screen Shot 2017-06-18 at 1.50.27 PM.png, Screen Shot 2017-06-18 at 1.50.49 PM.png]


On Linux, you have to enable real-time protection (on-access protection) for the specific processes and folders you want to protect. ESET provides you with 2 options for real-time protection: one is the Dazuko kernel module, which requires you to download the source code, compile and load the module yourself; generally speaking this is not a very good option for most people. The other is using a preloaded libc library, which doesn't require you to compile anything, but you have to specify the processes you want to protect by setting the LD_PRELOAD variable before running these processes (generally daemons).

For instance, a typical scenario is to protect Samba (smbd) by modifying its init script (/etc/systemd/system/multi-user.target.wants/smb.service on CentOS 7) by adding

LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so

to the Environment= configuration (see attached screenshot), then restarting the service:

systemctl daemon-reload && systemctl restart smb

This way, when any user tries to copy infected files from the shared folder, they get detected and cleaned.

Likewise, if you want to protect wget, you have to set LD_PRELOAD every time you call wget, for instance when using wget to download EICAR:

LD_PRELOAD=/opt/eset/esets/lib64/libesets_pac.so wget hxxp://www.eicar.org/download/eicar.com

Check in /var/log/messages that the EICAR file is detected and quarantined.

Besides setting the LD_PRELOAD variable, you also have to add the directories you want to monitor under [pac] ctl_incl in esets.cfg (I can see you already did it using the web interface, Agent PAC). It's not necessary to set the one in Agent DAC if you're not using the Dazuko module.

Another option is to put LD_PRELOAD in /etc/ld.so.preload so that all processes are monitored globally from boot, but there might be a significant impact on the performance and stability of the system according to the docs. Interestingly, NOD32 for Linux Desktop uses /etc/ld.so.preload.

[Attachment: 2017-06-20_11-28-28.png]

Edited by V2TW
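As an added example (my own code, not code from the thread or from ESET), here is the smbd wiring done as a systemd drop-in rather than by editing the unit file under multi-user.target.wants, together with the two checks a practitioner wants before trusting the setup: that libesets_pac.so is actually mapped into the running smbd (having LD_PRELOAD in the environment is not the same thing; ld.so skips a library it cannot load and only prints a one-line warning on stderr), and an EICAR write through a preloaded process into a monitored directory. The library path is the one quoted above; /srv/samba/share is an assumed share directory that must be listed in [pac] ctl_incl.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from ESET.
# Wire libesets_pac.so into smbd with a systemd drop-in (survives samba
# package updates, unlike editing the unit under multi-user.target.wants),
# then verify the preload really took and trip it with EICAR.
set -eu

# Library path as quoted in the thread; adjust if your install differs.
PAC_LIB="${PAC_LIB:-/opt/eset/esets/lib64/libesets_pac.so}"

# Write <root>/smb.service.d/esets-pac.conf. <root> is normally
# /etc/systemd/system; it is a parameter so the function can be exercised
# in a scratch directory. Prints the path of the file written.
write_smb_dropin() {
  local root="$1" lib="${2:-$PAC_LIB}" dir
  dir="$root/smb.service.d"
  mkdir -p "$dir"
  printf '[Service]\nEnvironment=LD_PRELOAD=%s\n' "$lib" > "$dir/esets-pac.conf"
  printf '%s\n' "$dir/esets-pac.conf"
}

# Return 0 if <lib> appears in a /proc/<pid>/maps-style file. A missing or
# wrong-architecture library is skipped by ld.so with only a warning on
# stderr, so the environment variable alone proves nothing.
lib_in_maps() {
  local maps="$1" lib="$2"
  grep -qF -- "$lib" "$maps"
}

pac_loaded_in_pid() {
  lib_in_maps "/proc/$1/maps" "${2:-$PAC_LIB}"
}

# Write the 68-byte EICAR test string to <path>, assembled from two halves
# so that this script itself does not contain the exact signature. Prints
# the path written.
write_eicar() {
  local out="$1"
  local a='X5O!P%@AP[4\PZX54(P^)7CC)7}$'
  local b='EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
  printf '%s%s' "$a" "$b" > "$out"
  printf '%s\n' "$out"
}

# End-to-end run on a real CentOS 7 host (needs root). Set ESETS_DEMO=1 to
# execute; SMB_SHARE is an assumed share path that must be in [pac] ctl_incl.
if [ "${ESETS_DEMO:-0}" = 1 ]; then
  SMB_SHARE="${SMB_SHARE:-/srv/samba/share}"
  conf=$(write_smb_dropin /etc/systemd/system)
  echo "wrote $conf"
  systemctl daemon-reload && systemctl restart smb
  pid=$(systemctl show -p MainPID smb | cut -d= -f2)
  if pac_loaded_in_pid "$pid"; then
    echo "libesets_pac.so is mapped into smbd (pid $pid)"
  else
    echo "NOT mapped; look for an ld.so 'cannot be preloaded' line in: journalctl -u smb" >&2
    exit 1
  fi
  # Stage the file unscanned, then copy it into the share through a
  # preloaded process: only that cp is hooked, exactly as the post says.
  staged=$(write_eicar /tmp/eicar.com)
  LD_PRELOAD="$PAC_LIB" cp "$staged" "$SMB_SHARE/eicar.com" \
    || echo "copy refused (expected if the PAC hook cleaned it)"
  sleep 1
  grep -i eicar /var/log/messages | tail -n 3
fi
```

The drop-in goes in /etc/systemd/system/smb.service.d/, so a samba package update that replaces the unit file does not silently drop the preload; the maps check is what tells you the hook is really inside smbd rather than merely set in its environment.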

  • 2 months later...
On 20/6/2017 at 10:45 AM, V2TW said: [quotes the post above in full]

Hello,

great tutorial,

I want to ask, what about a server that does not use Samba?

We want to protect our web server, which has a folder for web content, and we want ESET to real-time protect it.

thank you


  • 3 weeks later...

Hi Macros,

have you found a solution?
I want to do on-access scanning (open, create, exec) on /home (without smb or nfs, only the filesystem) and I can't find a solution.

Thanks.


Hi there,

On the latest version (4.5.7), real-time protection on Linux systems can be achieved by:

- System-wide preloading of the scan library:
update or create /etc/ld.so.preload and add the following line:
/opt/eset/esets/$LIB/libesets_pac.so

- [pac] section adjustment in /etc/opt/eset/esets/esets.cfg or in the WWWI interface:
ctl_incl="/" # All filesystems scanned on access

If you do not want all of the filesystems to be scanned, you can specify the ones you want explicitly (e.g. ctl_incl=/etc:/home:/lib:/var:/tmp:/usr)

Then in the WWWI interface you should be able to see statistics for the on-access scanning.

You can also test whether this is really working by transferring a "malicious" file or creating one like the EICAR file (https://en.wikipedia.org/wiki/EICAR_test_file).

For me this is working correctly and system-wide performance is very good; if you test this I would appreciate feedback on the system performance.

Cheers.
Alin


  • 2 weeks later...
On 9/19/2017 at 9:20 PM, AConstantin said: [quotes the post above in full]

Thanks for your information.

But when I configured it as in your information, my server alerts:

esets_daemon: ERROR: ld.so: object '/opt/eset/esets/lib64/libesets_pac.so' from /etc/ld.so.preload cannot be preloaded: ignored.

My server is: CentOS 7 64-bit

# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)

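AConstantin's system-wide procedure and the "cannot be preloaded: ignored" warning in the reply above (the thread closes without a resolution) are both served by the following added checks; this is my own code, not ESET's. ld.so prints that warning for an /etc/ld.so.preload entry it cannot load into a given process, which happens when the path does not exist or when the library's ELF class (32- vs 64-bit) is not the process's. A `$LIB` token is expanded per process (lib64 for a 64-bit process, lib for a 32-bit one on RHEL-family x86_64; Debian multiarch directories differ and are not handled here), whereas a literal lib64 is the same for every process. The script resolves an entry for both word sizes, reads the ELF header of whatever it finds, adds the entry to ld.so.preload idempotently, and builds the colon-separated ctl_incl value. The /opt/eset/esets paths come from the thread; whether ESET ships a 32-bit build of the library is not stated in the thread, so the check simply reports what is on disk.

```shell
#!/usr/bin/env bash
# Added example, not ESET's code: sanity-check a system-wide preload of
# libesets_pac.so before (and after) touching /etc/ld.so.preload.
set -eu

# ELF class from byte 4 of the header (EI_CLASS): 1 = 32-bit, 2 = 64-bit.
# Prints 32, 64, unknown, notelf or none (file missing/unreadable).
elf_class() {
  local f="$1" magic cls
  [ -r "$f" ] || { echo none; return 0; }
  magic=$(head -c 4 "$f" | od -An -tx1 | tr -d ' \n')
  [ "$magic" = 7f454c46 ] || { echo notelf; return 0; }
  cls=$(head -c 5 "$f" | tail -c 1 | od -An -tu1 | tr -d ' \n')
  case "$cls" in
    1) echo 32 ;;
    2) echo 64 ;;
    *) echo unknown ;;
  esac
}

# Expand $LIB the way ld.so does for a process of the given word size on a
# RHEL-family x86_64 host: "lib" for 32-bit, "lib64" for 64-bit.
# $1 = entry that may contain $LIB, $2 = 32|64
expand_lib_token() {
  local tmpl="$1" bits="$2" dir=lib
  if [ "$bits" = 64 ]; then dir=lib64; fi
  printf '%s\n' "$tmpl" | sed "s/[\$]LIB/$dir/g"
}

# Report which word sizes an ld.so.preload entry can actually serve.
# Returns 0 if at least one resolves to a library of the matching class;
# any "skip" line is a process class that will log "cannot be preloaded".
preload_check() {
  local entry="$1" bits path cls ok=0
  for bits in 32 64; do
    path=$(expand_lib_token "$entry" "$bits")
    cls=$(elf_class "$path")
    if [ "$cls" = "$bits" ]; then
      echo "ok   $bits-bit processes -> $path"
      ok=1
    else
      echo "skip $bits-bit processes -> $path ($cls)"
    fi
  done
  [ "$ok" = 1 ]
}

# Append the entry to an ld.so.preload file only if it is not already there.
# $2 defaults to /etc/ld.so.preload (needs root); prints how many times the
# entry now occurs (always 1 when called repeatedly).
add_preload_entry() {
  local entry="$1" file="${2:-/etc/ld.so.preload}"
  touch "$file"
  grep -qxF -- "$entry" "$file" || printf '%s\n' "$entry" >> "$file"
  grep -cxF -- "$entry" "$file"
}

# Build the [pac] ctl_incl value from absolute directories, as in
# ctl_incl=/etc:/home:/var; anything not starting with / is rejected.
ctl_incl_value() {
  local out="" d
  for d in "$@"; do
    case "$d" in
      /*) ;;
      *) echo "not absolute: $d" >&2; return 1 ;;
    esac
    out="${out:+$out:}$d"
  done
  printf '%s\n' "$out"
}

# Run on a real host with ESETS_DEMO=1 (needs root for /etc/ld.so.preload).
if [ "${ESETS_DEMO:-0}" = 1 ]; then
  ENTRY='/opt/eset/esets/$LIB/libesets_pac.so'
  preload_check "$ENTRY" || echo "no loadable library for any word size" >&2
  add_preload_entry "$ENTRY" > /dev/null
  echo "ctl_incl=$(ctl_incl_value /etc /home /var /tmp /usr)"
fi
```

Run the check before editing ld.so.preload: a "skip 32-bit" line means every 32-bit process on the box (the esets daemon included, if it is one) will emit the warning seen above, and a "skip 64-bit" line means the entry is useless for the daemons you actually wanted hooked.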