Jump to content

EICAR not detected when file is stored, only when it's opened ?


Recommended Posts

Using ESET SERVER SECURITY LINUX 8, i've tested a small upload (trough NFSv4) of a EICAR file (named 'eicar.com').

File was stored without any problems. I've then tried to show it's contents (cat eicar.com) but an error message has been trown and file was deleted (bi the real time protection).

Question is: how can a malicious file bypass the real time protection and be stored on the disk?

Thanks.

Link to comment
Share on other sites

  • Administrators

Unfortunately it's not clear to me what you mean by "upload". Please raise a support ticket since this cannot be answered without further information.

Link to comment
Share on other sites

To be clear:

- if NFS server is protected

- but clients, where NFS is mounted, is not

infected files uploaded on the clients will be stored and not cleaned on the server.

Is this correct?

Link to comment
Share on other sites

What i mean by "upload" is;

- machine A, NFS client --> copy (upload) the infected file on the NFS mount.

- machine B, NFS server, protected by EFS --> file is stored on disk, not scanned or cleaned.

- machine B: try to open the file directly on the server, not the client --> file is cleaned (deleted).

Link to comment
Share on other sites

@Marcos I've opened a support ticket (french support) that answered me this:

Quote

Triggering detection on EFS is done during file execution and not at disk recording

which is obviously no true for a real time scanner...otherwise all infected could be stored.

Can i open a support ticket on "International/English" support as French support seems not reliable?

Link to comment
Share on other sites

  • Administrators

Please see the reply from kurco:

Currently we are not able to catch nfs file operations from a client.

Link to comment
Share on other sites

  • ESET Staff

Hi acfr,

according to you description of upload, that is exactly that know issue we are pointing in online help. Server Security development is already tracking this issue.

Regards,

Peter

Link to comment
Share on other sites

Ok thanks @Marcos and @kurco so currently, there is no way I can (real time) protect my NFS server?

Only wait and hope it will be fixed, someday? :unsure:

Regards,

Carlos

Link to comment
Share on other sites

  • ESET Staff

Hi acfr,

sadly currently, using only Server Security, it's not possible. Maybe some additional file monitoring on nfs shared folder could trigger events detectable by our real-time module (I haven't tried it :( ).

Regards,

Peter 

Link to comment
Share on other sites

Hi @kurco :

Quote

sadly currently, using only Server Security, it's not possible

What are the other options that actually protects an NFS server?

Thanks.

Edited by acfr
Link to comment
Share on other sites

  • ESET Staff

Hi @acfr,

Quote

What are the other options that actually protects an NFS server?

As I have written in previous comment, our product is not able to catch NFS events. Some additional file monitoring could observe nfs shared folders and eventually trigger event on every new file there, which could be detected by our product.  

Regards,

Peter.  

Link to comment
Share on other sites

Ok i thought you we're talking about Eset Server Security only, and another product could detect it.

I'll do some test with inotify this week-end and provide feedback.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...