mistercinux
Contributor

Endpoint for linux - execute malware in /tmp

Hello,

We are installing the Endpoint on linux clients, and we are able to download and execute malware in /tmp (recursively).

Since I can't find any exclusion for this folder, and did not find documentation on it, I'm asking if someone already had this issue.

If yes, how did you get rid of this behavior?

Here is an example:

root@XXX:/tmp# wget https://secure.eicar.org/eicar.com.txt
--2023-11-07 15:39:13-- https://secure.eicar.org/eicar.com.txt
Resolving secure.eicar.org (secure.eicar.org)... 89.238.73.97, 2a00:1828:1000:2497::2
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68 [text/plain]
Saving to: ‘eicar.com.txt’

eicar.com.txt 100%[============================================================>] 68 --.-KB/s in 0s

2023-11-07 15:39:18 (14,5 MB/s) - ‘eicar.com.txt’ saved [68/68]

root@XXX:/tmp# ls
...
eicar.com.txt

...
root@XXX:/tmp# cat eicar.com.txt <-- This is blocked when working in /home/...
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* 


Thanks for your help.

Christophe

1 Reply
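The post above finds the gap by hand (wget, ls, cat). The script below is an added example, not code from the thread or from Check Point: it automates the same check with the harmless 68-byte EICAR test string, so that on-access coverage can be compared per directory, including a fresh subdirectory under each base path (the "recursively" case). It assumes only that a covering scanner either removes/quarantines the file or refuses the read within `ON_ACCESS_WAIT` seconds; the script name `eicar_probe.sh` and the variable names are mine, and nothing in it is specific to Harmony Endpoint.

```shell
#!/bin/sh
# Added example (not from the original thread): probe on-access anti-malware
# coverage per directory with the EICAR test file, so a missed path such as
# /tmp shows up in a report instead of being found by accident.
#
# Assumptions (mine, not Check Point's): the agent reacts to the write or the
# read within ON_ACCESS_WAIT seconds, and a blocked file is either removed
# (quarantined) or unreadable. The script only creates, reads and deletes a
# 68-byte text file.

# The EICAR test string as quoted in the thread. Single quotes keep every
# character literal, including '$' and '\'.
eicar_string() {
    printf '%s' 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
}

ON_ACCESS_WAIT="${ON_ACCESS_WAIT:-3}"   # seconds to give the scanner after the write

# probe_dir DIR -> prints "DIR BLOCKED ..." or "DIR NOT-BLOCKED";
# exit status 0 when blocked, 1 when not blocked, 2 when the probe was skipped.
probe_dir() {
    dir="$1"
    [ -d "$dir" ] || { printf '%s SKIPPED (not a directory)\n' "$dir"; return 2; }
    f="$dir/eicar-probe.$$.txt"
    eicar_string > "$f" 2>/dev/null || { printf '%s SKIPPED (write denied)\n' "$dir"; return 2; }
    sleep "$ON_ACCESS_WAIT"
    # A scanner that quarantines on write removes the file; one that blocks on
    # read makes cat fail or return something other than the test string.
    if [ ! -e "$f" ]; then
        printf '%s BLOCKED (removed)\n' "$dir"; return 0
    fi
    if got=$(cat "$f" 2>/dev/null) && [ "$got" = "$(eicar_string)" ]; then
        rm -f "$f"
        printf '%s NOT-BLOCKED\n' "$dir"; return 1
    fi
    rm -f "$f"
    printf '%s BLOCKED (read denied)\n' "$dir"; return 0
}

# probe_tree BASE: the thread reports /tmp being missed "recursively", so also
# probe a freshly created subdirectory beneath each base path.
probe_tree() {
    base="$1"
    probe_dir "$base"
    sub=$(mktemp -d "$base/eicar-probe.XXXXXX" 2>/dev/null) || return 0
    probe_dir "$sub"
    rmdir "$sub" 2>/dev/null
    return 0
}

# Usage: save as eicar_probe.sh, then `sh eicar_probe.sh [DIR ...]`.
# With no arguments it probes the paths compared in the thread plus /var/tmp.
if [ "$(basename "$0")" = "eicar_probe.sh" ]; then
    if [ $# -eq 0 ]; then set -- /tmp /var/tmp "$HOME"; fi
    for d in "$@"; do probe_tree "$d"; done
fi
```

Run it as the same user the workstation is normally used by and once as root, since the thread's example is a root shell; a line ending in NOT-BLOCKED for one directory and BLOCKED for another is exactly the asymmetry the post describes, and is the evidence to attach when raising the case with TAC.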
Chris_Atkinson
Employee

Please review the limitations stated in sk170198 and clarify further with TAC where needed.

CCSM R77/R80/ELITE