Перейти к содержимому


Фото
- - - - -

SpIDer Guard running, but not detecting threats...


  • Please log in to reply
17 ответов в этой теме

#1 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 23 Декабрь 2016 - 11:02

I am testing Dr.Web for Linux with a trial license.

 

I have enabled SpIDer Guard, and it is shown as Running in the summary window.  As a test, I attempted to download the EICAR test files.  SpIDer Gate prevented the download using the standard protocol http links.  SpIDer Gate did not prevent download using the secure, SSL enabled protocol https.  That I understand.

 

However, I thought SpIDer Guard would prevent me either from downloading the file through SSL, or it would prevent me from opening the file.  But that did not happen either.  I was able to download and open the file with SpIDer Guard running.  Now when I dragged the file to Dr.Web window for scanning, it was detected as a threat and quarantined.  So I am quite confident that SpIDer Gate and the Scanner are working properly.

 

I don't understand why SpIDer Guard is apparently not detecting and neutralizing threats.  I'm particularly interested in this because there are not many anti-virus programs for Linux that offer this type of real-time protection.

 

Thanks for any info.  Other than this issue, I'm finding it to be a really great anti-malware program for Linux.

 

 

Link to test files:

 

http://www.eicar.org/85-0-Download.html



#2 Dmitry_rus

Dmitry_rus

    Massive Poster

  • Helpers
  • 2 360 Сообщений:

Отправлено 24 Декабрь 2016 - 11:15

I don't understand why SpIDer Guard is apparently not detecting and neutralizing threats.
Actually, SpiderGuard DOES detect & neutralize threats. Did you try something else except EICAR? If not - here an answer.

===

When you attempt to execute an EICAR file while SpIDer Guard is running in the Optimal mode, the operation is not terminated and the file is not processed as malicious since it does not pose any actual threat to your system. However, if you copy or create such a file in your system, it will be detected by SpIDer Guard and moved to Quarantine by default.

===



#3 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 24 Декабрь 2016 - 15:06

Thanks for your reply.

 

No, I have not tried with a real malicious file.  So that must be the answer.  Now I just need to find a threat that I can use to test it...

 

Thanks again for the info.



#4 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 25 Декабрь 2016 - 09:26

In the meantime, I was able to obtain some malware samples for testing purposes.  I used the ransomware Locky as a test case, and the results were the same as with the EICAR test files.  I was able to extract Locky from the ZIP file with SpIDer Guard running.  Locky is of course a Windows executable, so I could not try to run it under Linux [and I wouldn't want to attempt it if I wasn't sure it would be blocked].  But I was able to open it as a text file, and re-save it.  I'm guessing those operations would have been intercepted by SpIDer Guard if it working properly.

 

But when I dragged the Locky file to the Dr.Web window for scanning, it correctly identified the file as Locky, and neutralized it.  So there is no doubt Dr.Web can recognize and disinfect Locky.

 

For some reason, SpIDer Guard is apparently not working as expected for me, even thought it indicates that it is running.

 

Any suggestions on things I might try to remedy my problem?

 

Thanks.



#5 dbanschikov

dbanschikov

    Member

  • Dr.Web Staff
  • 185 Сообщений:

Отправлено 26 Декабрь 2016 - 18:49

Hi.

 

1) Spider Gate is able to hijack your SSL connection. By default this option is turned off. To enable you have to import CA certificates from Gate(either from GUI or CTL) and turn on SSL unwrapping(either from GUI or CTL). Consider checking documentation for details. 

 

2) By default Spider Guard doesn't check archives.

All extracted files from archive will be checked at time of extraction.

 

To debug your problem do in command line please:

 

1. sudo drweb-ctl cfset LinuxSpider.LogLevel DEBUG

2. sudo drweb-ctl cfset LinuxSpider.DebugAccess yes

3. sudo drweb-ctl cfset LinuxSpider.Log /tmp/drweb.spider.log

4. reproduce problem

5. sudo drweb-ctl cfset -r LinuxSpider.LogLevel

6. sudo drweb-ctl cfset -r LinuxSpider.DebugAcces

7. sudo drweb-ctl cfset -r LinuxSpider.Log

 

 

And provide file /tmp/drweb.spider.log. Please be careful - file may contain sensitive data. If it hurts you - send me file privately.

 


Сообщение было изменено dbanschikov: 26 Декабрь 2016 - 19:00


#6 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 29 Декабрь 2016 - 03:58

Thank you for your reply.  I followed steps 1 - 7 above, but I do not find the log file drweb.spider.log in my /tmp folder.

 

There were no errors or any output from the terminal commands.

 

Is there anything else I can try?

 

[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.LogLevel DEBUG
[sudo] password for mikem:
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.DebugAccess yes
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.Log /tmp/drweb.spider.log
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.LogLevel
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.DebugAcces
Error: Unknown option LinuxSpider.DebugAcces
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.DebugAccess
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.Log



#7 dbanschikov

dbanschikov

    Member

  • Dr.Web Staff
  • 185 Сообщений:

Отправлено 29 Декабрь 2016 - 11:48

Thank you for your reply.  I followed steps 1 - 7 above, but I do not find the log file drweb.spider.log in my /tmp folder.
 
There were no errors or any output from the terminal commands.
 
Is there anything else I can try?
 
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.LogLevel DEBUG
[sudo] password for mikem:
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.DebugAccess yes
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.Log /tmp/drweb.spider.log
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.LogLevel
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.DebugAcces
Error: Unknown option LinuxSpider.DebugAcces
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.DebugAccess
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.Log

 
 
Yes, please, run this commands in CLI and show output:
 

1. drweb-ctl app
2. drweb-ctl cfshow LinuxSpider
3. sudo drweb-ctl cfset
4. sudo drweb-ctl cfset LinuxSpider.LogLevel DEBUG
5. sudo drweb-ctl cfset LinuxSpider.DebugAccess yes
6. sudo drweb-ctl cfset LinuxSpider.Log /tmp/drweb.spider.log
7. drweb-ctl app
8. touch /path/to/malware/sample
9. sudo drweb-ctl cfset -r LinuxSpider.LogLevel
10. sudo drweb-ctl cfset -r LinuxSpider.DebugAccess
11. sudo drweb-ctl cfset -r LinuxSpider.Log

 

 

Please notice, that path in item 8 must be path to regular file(e.g. eicar).
 



#8 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 30 Декабрь 2016 - 01:53

Here is the output I received.  As you can see, I get an error message on step 3, "Error: Missed option name".  I wasn't sure how to correct that.

 

I also did a custom scan of the same malware sample Locky by drag and drop, and pasted the test output of that below.

 

[mikem@mike-pc ~]$ drweb-ctl app
ConfigD; 1820; RUNNING 1; Installed (ConfigD ScanEngine FileCheck Update ESAgent NetCheck HTTPD GateD CloudD LinuxGUI LinuxSpider LinuxFirewall), Should run (HTTPD LinuxSpider LinuxFirewall)
ScanEngine; 2099; RUNNING 1; Core engine 7.00.26.12060, 5882603 virus records, max forks 12
FileCheck; 1997; RUNNING 1
NetCheck; 2955; RUNNING 1; local scan available; total 12 scanning cores available
HTTPD; 1830; RUNNING 1
GateD; 2192; RUNNING 1
LinuxSpider; 1831; RUNNING 1; Mode Fanotify
LinuxFirewall; 1832; RUNNING 1
[mikem@mike-pc ~]$ drweb-ctl cfshow LinuxSpider
LinuxSpider.LogLevel = Notice
LinuxSpider.Log = Auto
LinuxSpider.ExePath = /opt/drweb.com/bin/drweb-spider
LinuxSpider.Start = Yes
LinuxSpider.IncludedPath = /
LinuxSpider.ExcludedPath = /proc
LinuxSpider.ExcludedPath = /sys
LinuxSpider.Mode = Auto
LinuxSpider.ExcludedProc =
LinuxSpider.OnKnownVirus = Cure
LinuxSpider.OnIncurable = Quarantine
LinuxSpider.OnSuspicious = Quarantine
LinuxSpider.OnAdware = Quarantine
LinuxSpider.OnDialers = Quarantine
LinuxSpider.OnJokes = Report
LinuxSpider.OnRiskware = Report
LinuxSpider.OnHacktools = Report
LinuxSpider.ScanTimeout = 30s
LinuxSpider.HeuristicAnalysis = On
LinuxSpider.PackerMaxLevel = 8
LinuxSpider.ArchiveMaxLevel = 0
LinuxSpider.MailMaxLevel = 0
LinuxSpider.ContainerMaxLevel = 8
LinuxSpider.MaxCompressionRatio = 500
LinuxSpider.DebugAccess = No
[mikem@mike-pc ~]$ sudo drweb-ctl cfset
[sudo] password for mikem:
Error: Missed option name
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.LogLevel DEBUG
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.DebugAccess yes                                                     
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.Log /tmp/drweb.spider.log                                           
[mikem@mike-pc ~]$ drweb-ctl app                                                                                        
ConfigD; 1820; RUNNING 1; Installed (ConfigD ScanEngine FileCheck Update ESAgent NetCheck HTTPD GateD CloudD LinuxGUI LinuxSpider LinuxFirewall), Should run (HTTPD LinuxSpider LinuxFirewall)                                                  
ScanEngine; 2099; RUNNING 1; Core engine 7.00.26.12060, 5882603 virus records, max forks 12                             
FileCheck; 1997; RUNNING 1                                                                                              
NetCheck; 2955; RUNNING 1; local scan available; total 12 scanning cores available
HTTPD; 1830; RUNNING 1
GateD; 2192; RUNNING 1
LinuxSpider; 1831; RUNNING 3; Mode Fanotify
LinuxFirewall; 1832; RUNNING 1
[mikem@mike-pc ~]$ touch /home/mikem/Desktop/Ransomware.Locky/Locky
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.LogLevel
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.DebugAccess
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.Log

 

 

And here is a copy of the output from a custom scan of the file.

 

Scan type: Custom scan
Initiator: mikem
Started at: 12/29/16 4:47 PM
Ended at: 12/29/16 4:47 PM
Elapsed time: 00:00:00
Task status: completed

Threats: 1
Neutralized: 1
Skipped: 0
Total scanned: 1

Detected threats:
/home/mikem/Desktop/Ransomware.Locky/Locky - infected with Trojan.Encoder.3976‌: Cured



#9 dbanschikov

dbanschikov

    Member

  • Dr.Web Staff
  • 185 Сообщений:

Отправлено 30 Декабрь 2016 - 11:18

Here is the output I received.  As you can see, I get an error message on step 3, "Error: Missed option name".  I wasn't sure how to correct that.

 

I also did a custom scan of the same malware sample Locky by drag and drop, and pasted the test output of that below.

 

[mikem@mike-pc ~]$ drweb-ctl app
ConfigD; 1820; RUNNING 1; Installed (ConfigD ScanEngine FileCheck Update ESAgent NetCheck HTTPD GateD CloudD LinuxGUI LinuxSpider LinuxFirewall), Should run (HTTPD LinuxSpider LinuxFirewall)
ScanEngine; 2099; RUNNING 1; Core engine 7.00.26.12060, 5882603 virus records, max forks 12
FileCheck; 1997; RUNNING 1
NetCheck; 2955; RUNNING 1; local scan available; total 12 scanning cores available
HTTPD; 1830; RUNNING 1
GateD; 2192; RUNNING 1
LinuxSpider; 1831; RUNNING 1; Mode Fanotify
LinuxFirewall; 1832; RUNNING 1
[mikem@mike-pc ~]$ drweb-ctl cfshow LinuxSpider
LinuxSpider.LogLevel = Notice
LinuxSpider.Log = Auto
LinuxSpider.ExePath = /opt/drweb.com/bin/drweb-spider
LinuxSpider.Start = Yes
LinuxSpider.IncludedPath = /
LinuxSpider.ExcludedPath = /proc
LinuxSpider.ExcludedPath = /sys
LinuxSpider.Mode = Auto
LinuxSpider.ExcludedProc =
LinuxSpider.OnKnownVirus = Cure
LinuxSpider.OnIncurable = Quarantine
LinuxSpider.OnSuspicious = Quarantine
LinuxSpider.OnAdware = Quarantine
LinuxSpider.OnDialers = Quarantine
LinuxSpider.OnJokes = Report
LinuxSpider.OnRiskware = Report
LinuxSpider.OnHacktools = Report
LinuxSpider.ScanTimeout = 30s
LinuxSpider.HeuristicAnalysis = On
LinuxSpider.PackerMaxLevel = 8
LinuxSpider.ArchiveMaxLevel = 0
LinuxSpider.MailMaxLevel = 0
LinuxSpider.ContainerMaxLevel = 8
LinuxSpider.MaxCompressionRatio = 500
LinuxSpider.DebugAccess = No
[mikem@mike-pc ~]$ sudo drweb-ctl cfset
[sudo] password for mikem:
Error: Missed option name
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.LogLevel DEBUG
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.DebugAccess yes                                                     
[mikem@mike-pc ~]$ sudo drweb-ctl cfset LinuxSpider.Log /tmp/drweb.spider.log                                           
[mikem@mike-pc ~]$ drweb-ctl app                                                                                        
ConfigD; 1820; RUNNING 1; Installed (ConfigD ScanEngine FileCheck Update ESAgent NetCheck HTTPD GateD CloudD LinuxGUI LinuxSpider LinuxFirewall), Should run (HTTPD LinuxSpider LinuxFirewall)                                                  
ScanEngine; 2099; RUNNING 1; Core engine 7.00.26.12060, 5882603 virus records, max forks 12                             
FileCheck; 1997; RUNNING 1                                                                                              
NetCheck; 2955; RUNNING 1; local scan available; total 12 scanning cores available
HTTPD; 1830; RUNNING 1
GateD; 2192; RUNNING 1
LinuxSpider; 1831; RUNNING 3; Mode Fanotify
LinuxFirewall; 1832; RUNNING 1
[mikem@mike-pc ~]$ touch /home/mikem/Desktop/Ransomware.Locky/Locky
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.LogLevel
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.DebugAccess
[mikem@mike-pc ~]$ sudo drweb-ctl cfset -r LinuxSpider.Log

 

 

And here is a copy of the output from a custom scan of the file.

 

Scan type: Custom scan
Initiator: mikem
Started at: 12/29/16 4:47 PM
Ended at: 12/29/16 4:47 PM
Elapsed time: 00:00:00
Task status: completed

Threats: 1
Neutralized: 1
Skipped: 0
Total scanned: 1

Detected threats:
/home/mikem/Desktop/Ransomware.Locky/Locky - infected with Trojan.Encoder.3976‌: Cured

 

 

Well, I forgot(thought it is obvious) to mention that I need debug file  /tmp/drweb.spider.log after all this steps  .

Please, provide this debug file(repeat all the steps if file was removed).


Сообщение было изменено dbanschikov: 30 Декабрь 2016 - 11:18


#10 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 01 Январь 2017 - 02:26

I repeated the steps, but there is no file in the /tmp folder:  drweb.spider.log.  I did a full search for drweb.spider.log in the file manager, but nothing was found.  Only files I find related to dr.web in the temp folder are:

 

file:///tmp/drweb-gui-agent-1000.pid

file:///tmp/qtsingleapp-drwebg-f85b-3e8

file:///tmp/qtsingleapp-drwebg-f85b-3e8-lockfile

 

Maybe I should give up, as it is probably not fully compatible with the distro I'm on?



#11 dbanschikov

dbanschikov

    Member

  • Dr.Web Staff
  • 185 Сообщений:

Отправлено 01 Январь 2017 - 18:45

I repeated the steps, but there is no file in the /tmp folder:  drweb.spider.log.  I did a full search for drweb.spider.log in the file manager, but nothing was found.  Only files I find related to dr.web in the temp folder are:
 
file:///tmp/drweb-gui-agent-1000.pid
file:///tmp/qtsingleapp-drwebg-f85b-3e8
file:///tmp/qtsingleapp-drwebg-f85b-3e8-lockfile
 
Maybe I should give up, as it is probably not fully compatible with the distro I'm on?


It sounds quite interesting - lets debug your problem.
Distro shouldn't play any role, but just in case - what distro do you use?
Please, do following steps:

1. Install strace utility
2. In console run: sudo strace -fp <PID> -o /tmp/strace.log , where <PID> is PID of the spider process.
You can get it from drweb-ctl app command:

LinuxSpider; 1831; RUNNING 1; Mode Fanotify

Here PID is 1831.
3. Reproduce problem(touch /path/to/malware/file)
4. Stop sudo strace command(Ctrl+C)

Provide file /tmp/strace.log.

#12 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 02 Январь 2017 - 07:05

Thanks for your reply and interest in debugging my problem.

 

I do have an strace.log file attached.

 

Прикрепленный файл  strace.log   21,88К   4 Скачано раз

 

I am on Netrunner Rolling Edition Linux.  This is essentially Manjaro based on Arch Linux.

 

[mikem@mike-pc ~]$ drweb-ctl app
ConfigD; 1821; RUNNING 1; Installed (ConfigD ScanEngine FileCheck Update ESAgent NetCheck HTTPD GateD CloudD LinuxGUI LinuxSpider LinuxFirewall), Should run (HTTPD LinuxSpider LinuxFirewall)
ScanEngine; 2095; RUNNING 1; Core engine 7.00.26.12060, 5887290 virus records, max forks 12
FileCheck; 1989; RUNNING 1
NetCheck; 2925; RUNNING 1; local scan available; total 12 scanning cores available
HTTPD; 1830; RUNNING 1
GateD; 2162; RUNNING 1
CloudD; 3296; RUNNING 1
LinuxSpider; 1831; RUNNING 1; Mode Fanotify
LinuxFirewall; 1832; RUNNING 1
[mikem@mike-pc ~]$ sudo strace -fp 1831 -o /tmp/strace.log
strace: Process 1831 attached with 3 threads

 

[mikem@mike-pc ~]$ touch /home/mikem/Desktop/Ransomware.Locky/Locky

 

^Cstrace: Process 1831 detached
strace: Process 1986 detached
strace: Process 1988 detached



#13 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 07 Январь 2017 - 06:10

Just checking if there is anything more I can do?  Thanks.



#14 dbanschikov

dbanschikov

    Member

  • Dr.Web Staff
  • 185 Сообщений:

Отправлено 09 Январь 2017 - 10:44

Just checking if there is anything more I can do?  Thanks.

 

Sorry for the long delay in my answer - we have a long holidays.

I will try to reproduce your problem in virtual environment and think about next steps.

strace didn't show anything interesting.



#15 dbanschikov

dbanschikov

    Member

  • Dr.Web Staff
  • 185 Сообщений:

Отправлено 09 Январь 2017 - 13:58

In the strace log I don't see any accesses to file /home/mikem/Desktop/Ransomware.Locky/Locky - it seems that strace log is either partial or inappropriate.

I cannot reproduce your issue with Spider Guard in virtualbox environment. Everything starts to work from the beginning, no additional steps are required to enable Spider Guard after installation. Can you try to reproduce your problem in virtual environment? If yes, please - provide access to vm image(virtualbox is OK).

If you cannot or don't want to try virtual environment - the only way to debug your problem is to collect logs + strace(as we try to did before). I have prepared shell script that does all the work. Download script, ungzip it, from root user(not from sudo, but after e.g. sudo su -) in console run this script and provide path to malware file. Collect all log files in /tmp directory(/tmp/drweb.debug.log, /tmp/drweb.spider.debug.log, /tmp/drweb.spider.strace.log) and provide access to them.

 

 

Прикрепленные файлы:

  • Прикрепленный файл  debug.sh.gz   368байт   1 Скачано раз


#16 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 11 Январь 2017 - 10:48

Thanks for your reply.

 

Let me see if I can reproduce my issue in a virtual machine.  If yes, won't the vm image file be too large to send?  How would I provide access to you?

 

I will also see about using the shell script you provided.

 

Thanks again.


Сообщение было изменено Oxonsi: 11 Январь 2017 - 10:49


#17 Oxonsi

Oxonsi

    Newbie

  • Posters
  • 10 Сообщений:

Отправлено 11 Январь 2017 - 11:07

It is strange that the strace log is partial or inappropriate.  I executed strace as instructed.  Then I opened a second instance of terminal [because the terminal in which strace is running would no longer accept input until after Ctrl+C is pressed], and executed touch /home/mikem/Desktop/Ransomware.Locky/Locky.  Then I stopped strace with Ctrl+C.

 

Anyway, let me see if I can reproduce this problem in a virtual machine.

 

Thanks.



#18 dbanschikov

dbanschikov

    Member

  • Dr.Web Staff
  • 185 Сообщений:

Отправлено 11 Январь 2017 - 12:47

It is strange that the strace log is partial or inappropriate.  I executed strace as instructed.  Then I opened a second instance of terminal [because the terminal in which strace is running would no longer accept input until after Ctrl+C is pressed], and executed touch /home/mikem/Desktop/Ransomware.Locky/Locky.  Then I stopped strace with Ctrl+C.

 

Anyway, let me see if I can reproduce this problem in a virtual machine.

 

Thanks.

 

Try to run script I have provided. It should do all the required work.

If you will find any way to upload vm image somewhere - I find a way to download it. Any external service(e.g. dropbox).






Читают тему: 0

0 пользователей, 0 гостей, 0 скрытых