
EICAR not detected when file is stored, only when it's opened?



Posted

Using ESET SERVER SECURITY LINUX 8, I've tested a small upload (through NFSv4) of an EICAR file (named 'eicar.com').

File was stored without any problems. I've then tried to show its contents (cat eicar.com) but an error message has been thrown and file was deleted (by the real time protection).

Question is: how can a malicious file bypass the real time protection and be stored on the disk?

Thanks.

  • Administrators
Posted

Unfortunately it's not clear to me what you mean by "upload". Please raise a support ticket since this cannot be answered without further information.

Posted

To be clear:

- if NFS server is protected

- but clients, where NFS is mounted, are not

infected files uploaded on the clients will be stored and not cleaned on the server.

Is this correct?

Posted

What I mean by "upload" is:

- machine A, NFS client --> copy (upload) the infected file on the NFS mount.

- machine B, NFS server, protected by EFS --> file is stored on disk, not scanned or cleaned.

- machine B: try to open the file directly on the server, not the client --> file is cleaned (deleted).

Posted

@Marcos I've opened a support ticket (French support) that answered me this:

Quote

Triggering detection on EFS is done during file execution and not at disk recording

which is obviously not true for a real time scanner... otherwise all infected could be stored.

Can I open a support ticket on "International/English" support as French support seems not reliable?

  • Administrators
Posted

Please see the reply from kurco:

Currently we are not able to catch NFS file operations from a client.

  • ESET Staff
Posted

Hi acfr,

According to your description of upload, that is exactly the known issue we are pointing out in the online help. Server Security development is already tracking this issue.

Regards,

Peter

Posted

Ok thanks @Marcos and @kurco so currently, there is no way I can (real time) protect my NFS server?

Only wait and hope it will be fixed, someday? :unsure:

Regards,

Carlos

  • ESET Staff
Posted

Hi acfr,

sadly currently, using only Server Security, it's not possible. Maybe some additional file monitoring on the NFS shared folder could trigger events detectable by our real-time module (I haven't tried it :( ).

Regards,

Peter 

Posted (edited)

Hi @kurco :

Quote

sadly currently, using only Server Security, it's not possible

What are the other options that actually protect an NFS server?

Thanks.

Edited by acfr
  • ESET Staff
Posted

Hi @acfr,

Quote

What are the other options that actually protect an NFS server?

As I have written in my previous comment, our product is not able to catch NFS events. Some additional file monitoring could observe NFS shared folders and eventually trigger an event on every new file there, which could be detected by our product.

Regards,

Peter.  

Posted

OK, I thought you were talking about ESET Server Security only, and another product could detect it.

I'll do some tests with inotify this weekend and provide feedback.

Guest
This topic is now closed to further replies.
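
The workaround suggested in the thread (extra monitoring of the exported folder that produces an event the real-time module can see) as an added example, not code from the thread or from ESET: a watcher run on the NFS server that reads every new or changed file from a local process, the way `cat eicar.com` on the server did in the first post. It polls with the standard library instead of using inotify, and `local_read`, `scan_once` and the export path are hypothetical names; whether a given scanner reacts to these local reads is an assumption to verify.

```python
import os
import stat
import sys
import time

CHUNK = 1 << 20  # read in 1 MiB pieces so large files are not held in memory


def local_read(path):
    """Open and read the file from a local process, as `cat` did in the thread."""
    try:
        with open(path, "rb") as fh:
            while fh.read(CHUNK):
                pass
        return "read"
    except PermissionError:
        return "denied"  # assumption: an on-access scanner refused the open
    except FileNotFoundError:
        return "gone"    # removed between listing and open, e.g. cleaned


def scan_once(export_dir, seen):
    """Read each regular file whose (mtime, size) is not in `seen` (updated in place).

    A file a client is still writing changes signature and is read again next pass.
    """
    results = {}
    for root, _dirs, files in os.walk(export_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the export
            except FileNotFoundError:
                continue
            sig = (st.st_mtime_ns, st.st_size)
            if not stat.S_ISREG(st.st_mode) or seen.get(path) == sig:
                continue
            results[path] = local_read(path)
            seen[path] = sig
    for path in [p for p in seen if not os.path.lexists(p)]:
        del seen[path]  # forget files that were deleted or cleaned
    return results

if __name__ == "__main__":
    state = {}
    while True:  # hypothetical usage: python3 watcher.py /srv/nfs/export
        print(scan_once(sys.argv[1], state))
        time.sleep(5)
```

Polling leaves a window between the client's write and the local read, so a file can be fetched by another client before the watcher reaches it.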