acfr, posted November 22, 2021:
Using ESET SERVER SECURITY LINUX 8, I've tested a small upload (through NFSv4) of an EICAR file (named 'eicar.com'). The file was stored without any problems. I then tried to show its contents (cat eicar.com) but an error message was thrown and the file was deleted (by the real-time protection). Question is: how can a malicious file bypass the real-time protection and be stored on the disk? Thanks.

Marcos (Administrators), posted November 22, 2021:
Unfortunately it's not clear to me what you mean by "upload". Please raise a support ticket since this cannot be answered without further information.

kurco (ESET Staff), posted November 22, 2021:
Hi acfr, please check our help page about some NFS issues: Real-time file system protection | ESET Server Security for Linux | ESET Online Help. Is this your case? Currently we are not able to catch nfs file operations from a client.
Regards, Peter

acfr, posted November 22, 2021:
To be clear:
- if the NFS server is protected
- but the clients, where NFS is mounted, are not
infected files uploaded on the clients will be stored and not cleaned on the server. Is this correct?

acfr, posted November 22, 2021:
What I mean by "upload" is:
- machine A, NFS client --> copy (upload) the infected file on the NFS mount.
- machine B, NFS server, protected by EFS --> file is stored on disk, not scanned or cleaned.
- machine B: try to open the file directly on the server, not the client --> file is cleaned (deleted).

acfr, posted November 22, 2021:
@Marcos I've opened a support ticket (French support) that answered me this:
Quote: Triggering detection on EFS is done during file execution and not at disk recording
which is obviously not true for a real-time scanner... otherwise all infected could be stored. Can I open a support ticket on "International/English" support, as French support seems not reliable?

Marcos (Administrators), posted November 22, 2021:
Please see the reply from kurco: Currently we are not able to catch nfs file operations from a client.

kurco (ESET Staff), posted November 22, 2021:
Hi acfr, according to your description of upload, that is exactly the known issue we are pointing to in online help. Server Security development is already tracking this issue.
Regards, Peter

acfr, posted November 22, 2021:
OK, thanks @Marcos and @kurco, so currently there is no way I can (real time) protect my NFS server? Only wait and hope it will be fixed, someday?
Regards, Carlos

kurco (ESET Staff), posted November 24, 2021:
Hi acfr, sadly currently, using only Server Security, it's not possible. Maybe some additional file monitoring on nfs shared folder could trigger events detectable by our real-time module (I haven't tried it).
Regards, Peter

acfr, posted November 25, 2021 (edited November 25, 2021 by acfr):
Hi @kurco:
Quote: sadly currently, using only Server Security, it's not possible
What are the other options that actually protect an NFS server? Thanks.

kurco (ESET Staff), posted November 25, 2021:
Hi @acfr,
Quote: What are the other options that actually protect an NFS server?
As I have written in the previous comment, our product is not able to catch NFS events. Some additional file monitoring could observe nfs shared folders and eventually trigger an event on every new file there, which could be detected by our product.
Regards, Peter.

acfr, posted November 26, 2021:
OK, I thought you were talking about ESET Server Security only, and another product could detect it. I'll do some tests with inotify this weekend and provide feedback.

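An added example, not part of any post in this thread and not ESET code: one way to try the "additional file monitoring" idea kurco describes, run on the NFS server and using plain polling instead of inotify. It assumes, going by acfr's `cat` observation, that a local open and read on the server is enough for the real-time module to act; the export directory is passed as an argument and the 5-second interval is an arbitrary choice.

```python
import os
import stat
import sys
import time


def snapshot(root):
    """Map every regular file under root to (mtime_ns, size)."""
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished between listing and stat
            if stat.S_ISREG(st.st_mode):  # skip symlinks, FIFOs, devices
                state[path] = (st.st_mtime_ns, st.st_size)
    return state


def local_read(path, chunk=1 << 20):
    """Open and read path locally; report what happened to it."""
    try:
        with open(path, "rb") as fh:
            while fh.read(chunk):
                pass
    except FileNotFoundError:
        return "gone"      # removed before we could open it
    except OSError:
        return "blocked"   # open/read refused, like the failed `cat`
    return "read" if os.path.exists(path) else "gone"


def sweep(root, previous):
    """Read every file that is new or changed since the previous snapshot."""
    current = snapshot(root)
    outcomes = {p: local_read(p) for p, sig in current.items()
                if previous.get(p) != sig}
    return current, outcomes


if __name__ == "__main__":
    export_dir = sys.argv[1]   # assumption: the exported directory on the server
    seen = {}                  # empty baseline: the first sweep reads everything
    while True:
        seen, outcomes = sweep(export_dir, seen)
        for path, outcome in sorted(outcomes.items()):
            if outcome != "read":
                print(f"{outcome}: {path}", flush=True)
        time.sleep(5)          # assumption: a 5 s detection window is acceptable
```

Polling leaves a window between the client's write and the next sweep, so this narrows the gap described in the thread rather than closing it.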