Linux Defend doesn't detect EICAR

I've been testing out Elastic Endpoint/Defend for Linux and I'm not sure if it's not set up correctly or what. The standard test of downloading the EICAR file (of various forms) didn't trigger the malware signatures for Defend. I have it configured to scan on file modification. I tried opening the EICAR file in an editor and re-saving it and stuff, but nothing could trigger the Defend signature.

While it does send the information regarding process creation and stuff back to Elastic, I'm interested in the AV/memory protection components. How do I know if those are working? Why would it not identify the basic EICAR?


Hi @FranklinFurter

Could you let me know a little more about your setup?

What type of Linux are you running?
What Kernel Version?
What File System is this happening on?
How are you downloading the EICAR file (what program or command)?
What editor are you using to open and re-save the file?

Based on what you're describing, I would expect you to see Malware Detection Alerts for at least some of the activity.

Hey Nick, sure:

Linux: Ubuntu 22.04.4 LTS
Kernel: 6.5.0-41-generic #41~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 3 11:32:55 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
File System: zfs
How: Browsing to the EICAR website and downloading the different test files (.com/.txt/.zip) via Chrome.
Editor: I'm using vim when I edit the file.

I agree I'd expect to see some alert. I do see an alert when trying this on Windows, but no alert on Linux. Also unfortunate for the Windows side is that the alert comes well after downloading. By that I mean, when Windows Defender catches EICAR, it also tells me things like what the mark of the web was for it, the temp dir it was found in, etc. When Elastic Endpoint Security catches it (on Windows) it finds it in the end directory after it's been "moved" and provides no information about the mark of the web or the parent process that wrote it, though that would be discoverable if all the auditing features are turned on, I'd suspect.

Thanks @FranklinFurter

You're probably seeing this because of your ZFS filesystem. ZFS is not currently on the list of default file systems that Defend monitors on Linux. You can add it using the advanced options section of the policy as described here: Configure Linux file system monitoring | Elastic Security Solution [8.14] | Elastic

You specifically will want to edit linux.advanced.fanotify.monitored_filesystems

I believe if you set that you will start to see the events you're looking for.
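A small check for the diagnosis in this thread, added here as an example and not code from Elastic or from either poster: given a path (for instance the Chrome download directory), it resolves the filesystem type from /proc/mounts and tests it against a comma-separated `monitored_filesystems` value. The sample mount table and the pre-fix value `ext4,tmpfs` are constructed assumptions; take the real value from your own policy's `linux.advanced.fanotify.monitored_filesystems` setting and the linked docs.

```python
#!/usr/bin/env python3
"""Is the filesystem under a path covered by Defend's fanotify monitored list?"""
import os

# Constructed /proc/mounts sample modelled on a ZFS-root Ubuntu box (not real output).
SAMPLE_MOUNTS = """\
rpool/ROOT/ubuntu / zfs rw,relatime,xattr,posixacl 0 0
/dev/sda1 /boot ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
rpool/USERDATA/home /home zfs rw,relatime,xattr,posixacl 0 0
"""

# Assumed pre-fix value of linux.advanced.fanotify.monitored_filesystems (placeholder).
ASSUMED_MONITORED = "ext4,tmpfs"


def parse_mounts(text):
    """Return (mountpoint, fstype) pairs from /proc/mounts-style text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        # /proc/mounts escapes spaces inside paths as \040
        mounts.append((fields[1].replace("\\040", " "), fields[2]))
    return mounts


def fstype_for_path(path, mounts):
    """Filesystem type of the mount holding path (longest matching mountpoint wins)."""
    path = os.path.normpath(path)
    best_mp, best_fs = "", ""
    for mp, fs in mounts:
        if path == mp or mp == "/" or path.startswith(mp.rstrip("/") + "/"):
            if len(mp) > len(best_mp):
                best_mp, best_fs = mp, fs
    return best_fs


def is_monitored(fstype, monitored_setting):
    """True if fstype appears in the comma-separated monitored_filesystems value."""
    wanted = {f.strip() for f in monitored_setting.split(",") if f.strip()}
    return fstype in wanted


def check_path(path, mounts_text=SAMPLE_MOUNTS, setting=ASSUMED_MONITORED):
    """Return (fstype, monitored?) for path; pass open('/proc/mounts').read() for a live host."""
    fs = fstype_for_path(path, parse_mounts(mounts_text))
    return fs, is_monitored(fs, setting)


if __name__ == "__main__":
    for p in ["/home/user/Downloads/eicar.com", "/tmp/eicar.txt"]:
        fs, ok = check_path(p)
        print(f"{p}: {fs} -> {'monitored' if ok else 'NOT monitored, add it to the setting'}")
```

On a live host, call `check_path(path, open("/proc/mounts").read(), "<your policy value>")`; a `False` result for your download directory is the condition described above, and appending that filesystem type to the setting turns it `True`.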