Justyn 0 Posted November 16, 2021

Installed product: ESET Endpoint Security
Product version: 8.1.2037.2
Operating system: Windows 10 (21H1) (OS Build 19043.1320)

I'm having an issue where scans never complete on workstations with Docker Engine for Windows installed (the underlying component of Docker Desktop). From what I can see, ESET is following junction (soft link) directories and thus ends up scanning the same files multiple times.

From https://docs.microsoft.com/en-us/windows/win32/fileio/hard-links-and-junctions:

Quote

    Junctions

    A junction (also called a soft link) differs from a hard link in that the storage objects it references are separate directories, and a junction can link directories located on different local volumes on the same computer. Otherwise, junctions operate identically to hard links. Junctions are implemented through reparse points.

    Assuming the same conditions in the Hard Links section, the following references are permitted as junctions:

    C:\dira linked to C:\dirb\dirc
    C:\dirx linked to D:\diry

Junctions are what Docker uses to implement a layered filesystem. Here's an example of a junction within a docker layer for the official Microsoft image "mcr.microsoft.com/windows/servercore:ltsc2019":

    C:\ProgramData\docker\windowsfilter\095228c633e3bbbda1a54b3aa0b2defbc89aa883e8553b1e5081fb29583a6e46\Files>dir /a
     Volume in drive C is OS
     Volume Serial Number is 2E03-5E67

     Directory of C:\ProgramData\docker\windowsfilter\095228c633e3bbbda1a54b3aa0b2defbc89aa883e8553b1e5081fb29583a6e46\Files

    2021-11-03  04:33 PM    <DIR>          .
    2021-11-03  04:33 PM    <DIR>          ..
    2021-11-03  04:30 PM    <DIR>          Boot
    2021-11-03  04:08 PM           408,826 bootmgr
    2018-09-14  11:09 PM               (1) BOOTNXT
    2020-05-06  09:10 PM    <JUNCTION>     Documents and Settings [C:\Users]
    2020-05-06  08:48 PM           (5,510) License.txt
    2021-11-03  11:32 PM    <DIR>          Program Files
    2021-11-03  04:30 PM    <DIR>          Program Files (x86)
    2021-11-03  11:32 PM    <DIR>          ProgramData
    2021-11-03  04:33 PM    <DIR>          Users
    2021-11-03  04:33 PM    <DIR>          Windows
                   3 File(s)        414,337 bytes
                   9 Dir(s)  658,207,408,128 bytes free

The problem here is that ESET scans the entire "C:\Users" directory twice. Once as it encounters "C:\Users" directly and a second time as it encounters "C:\ProgramData\docker\windowsfilter\095228c633e3bbbda1a54b3aa0b2defbc89aa883e8553b1e5081fb29583a6e46\Files\Document and Settings". And if there are multiple layers with a similar junction, then it potentially scans the same directory again and again for each layer that has a junction (soft link) to it.

How do we stop ESET from scanning the same directory over and over, when once is all that is required? For instance, is there a way to configure ESET to not follow junctions (soft links)?

Administrators Marcos 5,469 Posted November 16, 2021

It is not possible to not follow symbolic links or junctions. However, thanks to the local cache, repeated scanning of files should be quick.

Justyn 0 Posted November 16, 2021 Author

Sorry, I don't understand your response. I don't want ESET to follow symbolic links or junctions, but I'm reporting that it is. I have scan logs that confirm it. And the scan is not quick; it never ends after more than a week of running in the background.

If you're trying to imply ESET shouldn't be following junctions, then are you confirming that this behaviour of following junctions that I am seeing is a bug in ESET?

Administrators Marcos 5,469 Posted November 16, 2021

10 minutes ago, Justyn said:

    Sorry, I don't understand your response. I don't want ESET to follow symbolic links or junctions, but I'm reporting that it is.

What I wrote is that it is not possible. The scanner always follows symlinks and junctions. I assume that adding the junction to the performance exclusion list should help.

Justyn 0 Posted November 16, 2021 Author

The junctions are based on docker images for which I am not the maintainer and could change over time. And any new images downloaded could potentially have more. Thus, it is a potentially ever-changing list. On top of that, I'm not the ESET administrator in my company, and thus don't have direct access to exclusion lists.

Therefore, what I am hearing is that ESET may not be compatible with Windows-based containers on Docker Engine, and thus also Docker Desktop. As more developers adopt docker for development on their workstations and run into this problem, what is your suggestion to them?

Administrators Marcos 5,469 Posted November 16, 2021

I'd recommend raising a support ticket then. Not following symbolic links is not supported, and the only option that we can suggest now is using performance exclusions.
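
An added example, not part of the original thread and not ESET or Docker code: a PowerShell script that inventories directory junctions and symlinks under the Docker layer store from the first post without descending into them, so the changing set of link paths can be regenerated after each image pull and passed to whoever maintains the performance exclusions. The default root is the path shown in the post; the function name Get-DirectoryLink is hypothetical.

```powershell
# Added example: list directory reparse points (junctions, symlinks) under the
# Docker layer store. Links are reported but never descended into, so the walk
# itself cannot loop or visit the same target twice.
# Assumptions: layers live under the path from the post, and the session has
# rights to read that directory (unreadable folders are skipped silently).
param(
    [string]$Root = 'C:\ProgramData\docker\windowsfilter'
)

function Get-DirectoryLink {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $pending = [System.Collections.Generic.Stack[string]]::new()
    $pending.Push($Path)

    while ($pending.Count -gt 0) {
        $dir = $pending.Pop()
        # -Force includes hidden/system entries such as "Documents and Settings"
        $children = Get-ChildItem -LiteralPath $dir -Directory -Force -ErrorAction SilentlyContinue
        foreach ($child in $children) {
            if ($child.Attributes -band [IO.FileAttributes]::ReparsePoint) {
                # A link: record where it lives and where it points, then stop.
                [pscustomobject]@{
                    LinkPath = $child.FullName
                    LinkType = $child.LinkType           # Junction, SymbolicLink, or empty
                    Target   = ($child.Target -join ';') # empty for other reparse tags
                }
            }
            else {
                # A real directory: keep walking.
                $pending.Push($child.FullName)
            }
        }
    }
}

$links = @(Get-DirectoryLink -Path $Root)

# How many links point at each target, i.e. how many extra times a scanner
# that follows links would walk that tree.
$links | Group-Object Target | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full list of link paths, the candidates for performance exclusions.
$links | Sort-Object LinkPath | Format-Table -AutoSize -Wrap
```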