NOD32 Antivirus for Linux Not Scanning New Files

[Techniker 0]

Hi everyone,

I recently purchased a license for ESET NOD32 and successfully installed the product on my Linux desktop. It's a great product and has worked wonderfully so far with only one exception: The real-time file scanner does not appear to be scanning new files.

I have determined this by turning on "Advanced Mode" and navigating to "Protection Status" > "Statistics" > "Real-time file system protection". Scanned objects incremented from 86 to 98 and yet I have created 40+ new files on the system. Another piece of relevant information here is that this directory was a shared mount (it's a file share) and the files were physically created on another workstation.

From the documentation and help text, I was under the impression that NOD32 would scan all newly created files, is that not the case? Any idea what's going on and how I can fix this?

Thanks in advance,

Techniker

[Marcos 4,606]

There is no such setting to scan files on network drives in the real-time protection setup:

Even on Windows scanning of network drives is disabled by default since it may cause various performance and detection issues and if files are modified on the remote machine, such change cannot be detected and malware might not be detected.

ESET indeed scans local files that are accessed, opened or executed. Also newly created files are scanned with advanced heuristics.

[Techniker 0]

Hi Marcos, thank you for the response. I'm glad you're working on the weekend! 😃

Just to clarify, it's not a network drive from the local Linux machine's point of view. From the local machine that's running ESET, it's not even a CIFS (SMB) or NFS share. The local machine has direct access as it is simply local storage from ESET's point of view. Are you saying that ESET still cannot detect new files in this situation if they are created by an outside source that is using that as a share?

I'm a little confused by your last statement about advanced heuristics. I've noticed that is disabled by default under real-time protection, will enabling make this work? (Are there any configuration options to make this work?)

What about ESET File Security for Linux? Does that monitor for newly created files from network shares? I would hope so since that's targeted toward Linux servers for businesses but I just want to confirm.

Alternatively, I could simply write a script to monitor for file changes and have that script manually execute a scan on those files but I would rather rely on the ESET product instead.

Thanks in advance!

[Marcos 4,606]

I've tested copying eicar to a shared folder on Linux from another machine and it was immediately detected and blocked by real-time protection:

03.05.2020 17:20:03    Preload access protection    file    /home/admin/share/eicar.com    Eicar test file    cleaned by deleting    nobody    Event occurred on a new file created by the application: /usr/sbin/smbd (C93B783832242CBACEF79DB64E8E1A4F2434D703).

 

[Techniker 0]

1 hour ago, Marcos said:

I've tested copying eicar to a shared folder on Linux from another machine and it was immediately detected and blocked by real-time protection:

03.05.2020 17:20:03    Preload access protection    file    /home/admin/share/eicar.com    Eicar test file    cleaned by deleting    nobody    Event occurred on a new file created by the application: /usr/sbin/smbd (C93B783832242CBACEF79DB64E8E1A4F2434D703).

 

Strange. I wonder if I have more core problem then. I do 

wget hxxp://www.eicar.org/download/eicar.com ./

in both my home directory as the local user and in /etc/ and ESET doesn't make a sound. Same when I do it from the share on /mnt/ on another machine. Where should I troubleshoot next?

Does ESET for Linux make use of inotify? I have a rather large directory. Do I need to up the max_user_watches?

Not sure if this is relevant or not, but I do get an error in the logs for "child proess mac terminated with return code 127".

Thanks again for your help.

Edit: Just up'd max_user_watches. No luck.

Edited May 3, 2020 by Techniker

[Marcos 4,606]

Hard to say what could be wrong. I'd recommend raising a support ticket with your local ESET distributor.

[Techniker 0]

Thanks, Marcos. I've opened up Case #397137 - "NOD32 Antivirus for Linux Not Scanning New Files". I will let you know what I find out.

 

[Nightowl 183]

Can you restore the AV settings back to default ?

[Techniker 0]

Hi Nightowl,

They were never changed from the default. Thanks though!

It's interesting that it does seem to scan certain files; e.g. whenever I run locate or wget, it scans the binaries again as I access them. It just doesn't scan the ones I need (mounted under /mnt). 

 

[Nightowl 183]

17 hours ago, Techniker said:

Hi Nightowl,

They were never changed from the default. Thanks though!

It's interesting that it does seem to scan certain files; e.g. whenever I run locate or wget, it scans the binaries again as I access them. It just doesn't scan the ones I need (mounted under /mnt). 

 

It could be denied by AppArmor , is /mnt protected by AppArmor?

If yes then ESET cannot access it as they are not configured to work along eachother.