Jump to content

EICAR not detected when file is stored, only when it's opened ?

acfr

By acfr
in ESET Products for Linux Servers

 Share

Recommended Posts

acfr

acfr 0

Posted
Posted

Using ESET SERVER SECURITY LINUX 8, i've tested a small upload (trough NFSv4) of a EICAR file (named 'eicar.com').

File was stored without any problems. I've then tried to show it's contents (cat eicar.com) but an error message has been trown and file was deleted (bi the real time protection).

Question is: how can a malicious file bypass the real time protection and be stored on the disk?

Thanks.

Link to comment
Share on other sites
  • Administrators
Marcos

Marcos 5,085

Posted
  • Administrators
Posted

Unfortunately it's not clear to me what you mean by "upload". Please raise a support ticket since this cannot be answered without further information.

Link to comment
Share on other sites
acfr

acfr 0

Posted
  • Author
Posted

To be clear:

- if NFS server is protected

- but clients, where NFS is mounted, is not

infected files uploaded on the clients will be stored and not cleaned on the server.

Is this correct?

Link to comment
Share on other sites
acfr

acfr 0

Posted
  • Author
Posted

What i mean by "upload" is;

- machine A, NFS client --> copy (upload) the infected file on the NFS mount.

- machine B, NFS server, protected by EFS --> file is stored on disk, not scanned or cleaned.

- machine B: try to open the file directly on the server, not the client --> file is cleaned (deleted).

Link to comment
Share on other sites
acfr

acfr 0

Posted
  • Author
Posted

@Marcos I've opened a support ticket (french support) that answered me this:

Quote

Triggering detection on EFS is done during file execution and not at disk recording

which is obviously no true for a real time scanner...otherwise all infected could be stored.

Can i open a support ticket on "International/English" support as French support seems not reliable?

Link to comment
Share on other sites
  • ESET Staff
kurco

kurco 19

Posted
  • ESET Staff
Posted

Hi acfr,

according to you description of upload, that is exactly that know issue we are pointing in online help. Server Security development is already tracking this issue.

Regards,

Peter

Link to comment
Share on other sites
  • ESET Staff
kurco

kurco 19

Posted
  • ESET Staff
Posted

Hi acfr,

sadly currently, using only Server Security, it's not possible. Maybe some additional file monitoring on nfs shared folder could trigger events detectable by our real-time module (I haven't tried it :( ).

Regards,

Peter 

Link to comment
Share on other sites
acfr

acfr 0

Posted
  • Author
Posted (edited)

Hi @kurco :

Quote

sadly currently, using only Server Security, it's not possible

What are the other options that actually protects an NFS server?

Thanks.

Edited by acfr
Link to comment
Share on other sites
  • ESET Staff
kurco

kurco 19

Posted
  • ESET Staff
Posted

Hi @acfr,

Quote

What are the other options that actually protects an NFS server?

As I have written in previous comment, our product is not able to catch NFS events. Some additional file monitoring could observe nfs shared folders and eventually trigger event on every new file there, which could be detected by our product.  

Regards,

Peter.  

Link to comment
Share on other sites
acfr

acfr 0

Posted
  • Author
Posted

Ok i thought you we're talking about Eset Server Security only, and another product could detect it.

I'll do some test with inotify this week-end and provide feedback.

Link to comment
Share on other sites
Guest
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...