Jump to content

ESET scan never completes due to following junctions (soft links)


Justyn
 Share

Recommended Posts

Installed product: ESET Endpoint Security

Product version: 8.1.2037.2

Operating system: Windows 10 (21H1) (OS Build 19043.1320)

I'm having an issue where scans never complete on workstations with Docker Engine for Windows installed (the underlying component of Docker Desktop).  From what I can see, ESET is following junction (soft link) directories and thus ends up scanning the same files multiple times.

From https://docs.microsoft.com/en-us/windows/win32/fileio/hard-links-and-junctions:

Quote

Junctions

A junction (also called a soft link) differs from a hard link in that the storage objects it references are separate directories, and a junction can link directories located on different local volumes on the same computer. Otherwise, junctions operate identically to hard links. Junctions are implemented through reparse points.

Assuming the same conditions in the Hard Links section, the following references are permitted as junctions:

  • C:\dira linked to C:\dirb\dirc
  • C:\dirx linked to D:\diry

Junctions are what Docker uses to implement a layered filesystem.  Here's an example of a junction within a docker layer for the official Microsoft image "mcr.microsoft.com/windows/servercore:ltsc2019":

C:\ProgramData\docker\windowsfilter\095228c633e3bbbda1a54b3aa0b2defbc89aa883e8553b1e5081fb29583a6e46\Files>dir /a
 Volume in drive C is OS
 Volume Serial Number is 2E03-5E67

 Directory of C:\ProgramData\docker\windowsfilter\095228c633e3bbbda1a54b3aa0b2defbc89aa883e8553b1e5081fb29583a6e46\Files

2021-11-03  04:33 PM    <DIR>          .
2021-11-03  04:33 PM    <DIR>          ..
2021-11-03  04:30 PM    <DIR>          Boot
2021-11-03  04:08 PM           408,826 bootmgr
2018-09-14  11:09 PM               (1) BOOTNXT
2020-05-06  09:10 PM    <JUNCTION>     Documents and Settings [C:\Users]
2020-05-06  08:48 PM           (5,510) License.txt
2021-11-03  11:32 PM    <DIR>          Program Files
2021-11-03  04:30 PM    <DIR>          Program Files (x86)
2021-11-03  11:32 PM    <DIR>          ProgramData
2021-11-03  04:33 PM    <DIR>          Users
2021-11-03  04:33 PM    <DIR>          Windows
               3 File(s)        414,337 bytes
               9 Dir(s)  658,207,408,128 bytes free

The problem here is that ESET scans the entire "C:\Users" directory twice.  Once as it encounters "C:\Users" directly and a second time as it encounters "C:\ProgramData\docker\windowsfilter\095228c633e3bbbda1a54b3aa0b2defbc89aa883e8553b1e5081fb29583a6e46\Files\Document and Settings".  And if there are multiple layers with a similar junction, then it potentially scans the same directory again and again for each layer that has an junction (soft link) to it.

How do we stop ESET from scanning the same directory over and over, when once is all that is required?  For instance, is there a way to configure ESET to not follow junctions (soft links)?

Link to comment
Share on other sites

  • Administrators

It is not possible to not follow symbolic links or junctions. However, thanks to the local cache repeated scanning of files should be quick.

Link to comment
Share on other sites

Sorry, I don't understand your response.  I don't want ESET to follow symbolic links or junctions, but I'm reporting that it is. I have scan logs that confirm it.  And the scan is not quick, it never ends after more than week of running in the background. 

If you're trying to imply ESET shouldn't be following junctions, then are you confirming this behaviour of following junctions that I am seeing is a bug in ESET?

Link to comment
Share on other sites

  • Administrators
10 minutes ago, Justyn said:

Sorry, I don't understand your response.  I don't want ESET to follow symbolic links or junctions, but I'm reporting that it is.

What I wrote is that it is not possible. The scanner always follows symlinks and junctions. I assume that adding the junction to the performance exclusion list should help.

Link to comment
Share on other sites

The junctions are based on docker images for which I am not the maintainer and could change over time.  And any new images downloaded could potential have more.  Thus, it is a potentially ever changing list.  On top of that, I'm not the ESET administrator in my company, thus don't have direct access to exclusion lists.

Therefore, what I am hearing is that ESET may not be compatible with Windows-based containers on Docker Engine, and thus also Docker Desktop.  As more developers adopt docker for development on their workstations and run into this problem, what is your suggestion to them?

Link to comment
Share on other sites

  • Administrators

I'd recommend raising a support ticket then. Not following symbol links is not supported and the only option that we can suggest now is using performance exclusions.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...