Endpoint for linux - execute malware in /tmp

mistercinux — Tue, 07 Nov 2023 14:48:37 GMT

Hello,

We are installing the Endpoint on linux clients, and we are able to download and execute malware in /tmp (recursively).

Since I can't find any exclusion for this folder, and did not found documentation on it, I'm asking if someone already had this issue.

If Yes, how did you get rid of this behavior ?

Here is an example :

root@XXX:/tmp# wget https://secure.eicar.org/eicar.com.txt
--2023-11-07 15:39:13-- https://secure.eicar.org/eicar.com.txt
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [text/plain]
Saving to: ‘eicar.com.txt’

eicar.com.txt 100%[============================================================>] 68 --.-KB/s in 0s

2023-11-07 15:39:18 (14,5 MB/s) - ‘eicar.com.txt’ saved [68/68]

root@XXX:/tmp# ls
...
eicar.com.txt

...
root@XXX:/tmp# cat eicar.com.txt <-- This is blocked when working in /home/...
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Thanks for your help.

Christophe

Re: Endpoint for linux - execute malware in /tmp

Chris_Atkinson — Tue, 07 Nov 2023 14:52:53 GMT

Please review the limitations stated in sk170198 and clarify further with TAC where needed.

topic Re: Endpoint for linux - execute malware in /tmp in Endpoint

Endpoint for linux - execute malware in /tmp

Re: Endpoint for linux - execute malware in /tmp