I've been testing out Elastic Endpoint/Defend for Linux and I'm not sure if it's not set up correctly or what. The standard test of downloading the EICAR file (in various forms) didn't trigger the malware signatures for Defend. I have it configured to scan on file modification. I tried opening the EICAR file in an editor and re-saving it and so on, but nothing could trigger the Defend signature.
While it does send the information regarding process creation and so on back to Elastic, I'm interested in the AV/memory protection components. How do I know if those are working? Why would it not identify the basic EICAR file?
Could you let me know a little more about your setup?
What type of Linux are you running?
What Kernel Version?
What File System is this happening on?
How are you downloading the EICAR file (what program or command)?
What editor are you using to open and re-save the file?
Based on what you're describing, I would expect you to see Malware Detection Alerts for at least some of the activity.
Linux: Ubuntu 22.04.4 LTS
Kernel: 6.5.0-41-generic #41~22.04.2-Ubuntu SMP PREEMPT_DYNAMIC Mon Jun 3 11:32:55 UTC 2 x86_64 x86_64 x86_64 GNU/Linux
File System: zfs
How: Browsing to the EICAR website and downloading the different test files (.com/.txt/.zip) via Chrome.
Editor: I'm using vim when I edit the file.
I agree I'd expect to see some alert. I do see an alert when trying this on Windows, but no alert on Linux. Also unfortunate for the Windows side is that the alert comes well after downloading. By that I mean, when Windows Defender catches EICAR, it also tells me things like what the mark of the web was for it, the temp dir it was found in, etc. When Elastic Endpoint Security catches it (on Windows) it finds it in the final directory after it's been "moved" and provides no information about the mark of the web or the parent process that wrote it, though I'd suspect that would be discoverable if all the auditing features are turned on.
Great, that seems to have fixed it. There are two things that still don't seem to be working as I'd expect:
I didn't get any Elastic notification in GNOME that it found/removed something.
The alert in the Elastic backend doesn't contain any information about the signature. The only thing I can find is the information on the process it came from and what file was flagged, but I couldn't find any reference to EICAR. If this were a real virus, it would be helpful to know what signature caused this alert.
Unfortunately the user notifications for Linux go to syslog. It was the best solution we could come up with at the time based on the varied number of desktop environments and Linux versions that we support.
For what it's worth, partially because of your question we're looking to extend our automated testing to include additional file systems (including ZFS), so that if everything looks good they'll end up moving to the default list of file systems and no longer need the advanced option to monitor them.
For #2, I'll look into that. I believe the rule name is supposed to be there; if it's not, that may be a bug.
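The reply above says the Linux user notification goes to syslog rather than the desktop. The script below is an added example for reproducing the test described in this thread in a controlled way; it is not code from the thread or from Elastic. It writes the canonical EICAR test string directly to a path you choose (for example a directory on the ZFS mount), checks that the bytes on disk are exactly the published 68-byte test file (a browser download or a re-save in an editor can add a trailing newline or otherwise alter it, which changes the hash and may defeat the signature), waits briefly, and then counts journal or syslog lines matching a filter. The filter string `elastic` and the use of `journalctl` are assumptions: the exact identifier the endpoint logs under is not stated in the thread, so adjust the pattern to what appears on your host.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Elastic Defend.
# Writes the canonical EICAR test file to a chosen directory, verifies it
# byte-for-byte, and looks for endpoint log lines in the journal/syslog.

EICAR_STRING='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
# Published SHA-256 of the 68-byte EICAR test file (no trailing newline).
EICAR_SHA256='275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f'

# Write the test string with no trailing newline: an extra byte changes
# the hash and can stop a strict signature from matching.
write_eicar() {
    printf '%s' "$EICAR_STRING" > "$1"
}

# Portable SHA-256 of a file (sha256sum on Linux, shasum as a fallback).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file is exactly the canonical EICAR test file.
verify_eicar() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq 68 ] || return 1
    [ "$(file_sha256 "$1")" = "$EICAR_SHA256" ]
}

# Print the number of log lines since a timestamp that match a pattern.
# ASSUMPTION: the endpoint's syslog identifier is not known from the thread,
# so the default pattern "elastic" is a guess; pass your own as $2.
count_endpoint_log_lines() {
    since="$1"
    pattern="${2:-elastic}"
    if command -v journalctl >/dev/null 2>&1; then
        journalctl --since "$since" --no-pager 2>/dev/null | grep -ci "$pattern" || true
    elif [ -r /var/log/syslog ]; then
        grep -ci "$pattern" /var/log/syslog || true
    else
        echo 0
    fi
}

# Full test run: drop the file on the target filesystem, confirm it is the
# canonical sample, give the endpoint a moment, then report what was logged
# and whether the file was removed from disk.
run_test() {
    dir="$1"
    file="$dir/eicar.com"
    start="$(date '+%Y-%m-%d %H:%M:%S')"
    write_eicar "$file"
    if verify_eicar "$file"; then
        echo "wrote canonical EICAR test file to $file"
    else
        echo "file at $file is not the canonical EICAR string" >&2
        return 1
    fi
    sleep 5
    echo "endpoint log lines since $start: $(count_endpoint_log_lines "$start" "${2:-elastic}")"
    if [ -e "$file" ]; then
        echo "$file is still present (no quarantine/removal observed)"
    else
        echo "$file was removed from disk"
    fi
}

# Usage: sh eicar-check.sh /path/on/zfs [log-pattern]
if [ -n "${1:-}" ]; then
    run_test "$1" "${2:-}"
fi
```

Run it against a directory on the filesystem under test, then compare the log count and the file's presence with what the Elastic backend shows for the same window; if the file verifies but neither the log nor the backend reports anything, the filesystem is the first thing to check, as it was in this thread.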
It would definitely be good to support ZFS out of the box. From my perspective it's become pretty popular and is a direct filesystem option when installing Ubuntu these days.