Hello,
We are installing the Endpoint on Linux clients, and we are able to download and execute malware in /tmp (recursively).
Since I can't find any exclusion for this folder, and did not find any documentation on it, I'm asking if someone has already had this issue.
If yes, how did you get rid of this behavior?
Here is an example:
root@XXX:/tmp# wget https://secure.eicar.org/eicar.com.txt
--2023-11-07 15:39:13-- https://secure.eicar.org/eicar.com.txt
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [text/plain]
Saving to: ‘eicar.com.txt’
eicar.com.txt 100%[============================================================>] 68 --.-KB/s in 0s
2023-11-07 15:39:18 (14,5 MB/s) - ‘eicar.com.txt’ saved [68/68]
root@XXX:/tmp# ls
...
eicar.com.txt
...
root@XXX:/tmp# cat eicar.com.txt <-- This is blocked when working in /home/...
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Thanks for your help.
Christophe
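The check in the post, writing the EICAR test string into a directory and seeing whether reading it back is blocked, generalised to a list of directories so that coverage gaps like the /tmp one can be spotted on every client. This is an added example, not code from the original post or from the endpoint vendor; the probe file name, the settle time, the default directory list and the rule "read fails or file vanished means the scanner blocked it" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the endpoint vendor):
# write the EICAR test string into a list of directories and check whether
# the on-access scanner blocks reading it back, the way "cat" in /home is
# blocked in the post. File name, settle time and directories are assumptions.

# The 68-byte EICAR test string, as shown in the post. Single quotes keep
# the '$', '!' and '\' characters literal.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# Byte length of the string we write; the download in the post reports 68.
eicar_length() {
    printf '%s' "$EICAR" | wc -c | tr -d ' '
}

# write_eicar DIR: write the probe file into DIR and print its path.
# Returns 1 when the directory is not writable or the write is denied.
write_eicar() {
    f="$1/eicar_probe.txt"
    printf '%s' "$EICAR" > "$f" 2>/dev/null || return 1
    printf '%s\n' "$f"
}

# probe_dir DIR: write the probe, wait SETTLE seconds (default 2) for the
# scanner, then try to read it back. Prints "DIR blocked" (exit 0) when the
# read fails or the file was quarantined, "DIR readable" (exit 1) otherwise,
# and "DIR unwritable" (exit 2) when the probe could not be created at all.
probe_dir() {
    dir="$1"
    f=$(write_eicar "$dir") || { printf '%s unwritable\n' "$dir"; return 2; }
    sleep "${SETTLE:-2}"
    if cat "$f" >/dev/null 2>&1; then
        rm -f "$f"                      # clean up: the scanner did nothing
        printf '%s readable\n' "$dir"
        return 1
    fi
    rm -f "$f" 2>/dev/null              # no-op if already quarantined
    printf '%s blocked\n' "$dir"
    return 0
}

# main [DIR...]: probe each directory given, or a default set covering the
# post's two cases (/tmp and a home directory) plus /var/tmp. Exit status is
# 1 when any directory was readable or unwritable, so it can feed a monitor.
main() {
    [ $# -gt 0 ] || set -- /tmp "${HOME:-/root}" /var/tmp
    rc=0
    for d in "$@"; do
        probe_dir "$d" || rc=1
    done
    return $rc
}

# Run the probes only when executed directly as eicar_probe.sh, not when the
# functions are sourced by a test harness.
if [ "${0##*/}" = "eicar_probe.sh" ]; then
    main "$@"
fi
```

Save it as eicar_probe.sh and run `sh eicar_probe.sh /tmp /home/someuser /var/tmp` on a client; a line ending in "readable" is a directory the on-access scanner is not covering. The "blocked" verdict is inferred from the read failing or the file disappearing, which matches the symptom in the post but will not tell you whether the scanner denied the open or quarantined the file; check the product's own log for that.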