Infected files with file names longer than 256 bytes bypass Endpoint Protection for Linux

Article ID: 174853

Products

Endpoint Protection

Issue/Introduction

Consider the following scenario:

  • You have a Linux system running Symantec Endpoint Protection (SEP) for Linux 14.2 RU1 or earlier;
  • On one of its mount points reside one or more infected files whose file names are longer than 256 bytes.

In this scenario, the files bypass SEP for Linux scanning and detection entirely. Files whose names are 256 bytes or shorter are scanned normally and are caught by Auto-Protect.

Cause

When SEP for Linux performs a manual scan of a directory path, it calls the FindFirstFile() and FindNextFile() functions to iterate through the entries under that path. These functions call the Linux library function readdir() to fetch the next directory entry, which in turn calls readdir_r(). readdir_r() writes each entry into a caller-supplied struct dirent whose d_name buffer is sized for NAME_MAX (255 bytes on Linux), so it cannot return an entry with a longer name: glibc skips such entries and only reports ENAMETOOLONG once the rest of the directory has been read. The files with over-long names are therefore never handed to the scanner. Note that most local Linux filesystems refuse to create names longer than NAME_MAX, so this condition arises on mounts whose underlying filesystem or server permits longer names.
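The following program is an added illustration of the enumeration gap described above; it is not Symantec code and does not reproduce SEP's FindFirstFile()/FindNextFile() layer. It builds a throwaway directory (constructed sample files, names and path are assumptions), walks it once with readdir(3), where glibc owns the dirent buffer, and once with the readdir_r(3) pattern, where the caller's fixed-size dirent caps d_name at NAME_MAX+1 bytes, and counts any entry whose name exceeds NAME_MAX. It also tries to create a 300-byte name so you can see that a local filesystem rejects it with ENAMETOOLONG, which is why the scenario needs a mount that allows longer names.

```c
/* Added example (not SEP code): readdir() vs readdir_r() enumeration of a
 * directory, highlighting why names longer than NAME_MAX can go unscanned. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* readdir_r() is deprecated in glibc; keep the demonstration compiling cleanly. */
#pragma GCC diagnostic ignored "-Wdeprecated-declarations"

typedef struct {
    int entries;   /* entries seen, excluding "." and ".." */
    int too_long;  /* entries whose name is longer than NAME_MAX (readdir only) */
    int err;       /* errno from a failing readdir/readdir_r call, or 0 */
} walk_result;

static int is_dot(const char *n) { return strcmp(n, ".") == 0 || strcmp(n, "..") == 0; }

/* Walk with readdir(3): glibc sizes the dirent itself, so long names come back. */
walk_result walk_readdir(const char *path) {
    walk_result r = {0, 0, 0};
    DIR *d = opendir(path);
    if (!d) { r.err = errno; return r; }
    struct dirent *e;
    errno = 0;
    while ((e = readdir(d)) != NULL) {
        if (is_dot(e->d_name)) continue;
        r.entries++;
        if (strlen(e->d_name) > NAME_MAX) r.too_long++;
    }
    r.err = errno;   /* readdir() leaves errno at 0 on a clean end-of-directory */
    closedir(d);
    return r;
}

/* Walk with readdir_r(3): the caller supplies the dirent, so d_name holds at most
 * NAME_MAX+1 bytes. glibc skips longer entries and reports ENAMETOOLONG as the
 * return value only after the remaining entries have been read, so a scanner
 * built on this pattern silently misses those files. */
walk_result walk_readdir_r(const char *path) {
    walk_result r = {0, 0, 0};
    DIR *d = opendir(path);
    if (!d) { r.err = errno; return r; }
    struct dirent buf, *e;
    int rc;
    while ((rc = readdir_r(d, &buf, &e)) == 0 && e != NULL) {
        if (is_dot(e->d_name)) continue;
        r.entries++;
    }
    r.err = rc;      /* non-zero (e.g. ENAMETOOLONG) means entries were skipped */
    closedir(d);
    return r;
}

/* Create (once) a scratch directory holding three ordinary files; constructed
 * sample data under an assumed /tmp path. Returns the path or NULL on failure. */
const char *fixture_dir(void) {
    static char dir[PATH_MAX];
    if (dir[0]) return dir;
    char tmpl[] = "/tmp/sep-namelen-XXXXXX";
    if (!mkdtemp(tmpl)) return NULL;
    snprintf(dir, sizeof dir, "%s", tmpl);
    const char *names[] = {"eicar.com", "report.pdf", "payload.bin"};
    for (size_t i = 0; i < 3; i++) {
        char p[PATH_MAX];
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) { dir[0] = '\0'; return NULL; }
        close(fd);
    }
    return dir;
}

/* Try to create a file whose name is `len` bytes long; returns 0 or errno.
 * Local Linux filesystems reject names over NAME_MAX with ENAMETOOLONG. */
int try_create_long_name(const char *dir, size_t len) {
    size_t n = strlen(dir) + 1 + len + 1;
    char *p = malloc(n);
    if (!p) return ENOMEM;
    snprintf(p, n, "%s/", dir);
    memset(p + strlen(dir) + 1, 'A', len);
    p[n - 1] = '\0';
    int fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int rc = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    free(p);
    return rc;
}

int main(void) {
    const char *dir = fixture_dir();
    if (!dir) { perror("fixture"); return 1; }
    int rc = try_create_long_name(dir, 300);
    printf("300-byte name: %s\n", rc ? strerror(rc) : "created");
    walk_result a = walk_readdir(dir), b = walk_readdir_r(dir);
    printf("readdir:   %d entries, %d over NAME_MAX, err=%d\n", a.entries, a.too_long, a.err);
    printf("readdir_r: %d entries, err=%d%s\n", b.entries, b.err,
           b.entries < a.entries ? "  <-- entries missed" : "");
    return 0;
}
```

On a mount that does allow names over 255 bytes, walk_readdir() reports them in too_long while walk_readdir_r() returns fewer entries and err == ENAMETOOLONG; that gap is the set of files a readdir_r()-based scanner never sees. The practical check for a scanner is therefore to use readdir() (or a dirent buffer sized from pathconf(_PC_NAME_MAX) on that mount) and to treat a non-zero error at end-of-walk as an incomplete scan rather than a clean one.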

Environment

  • SEP for Linux 14.2 RU1 or earlier

Resolution

SEP for Linux 14.2 RU1 MP1 added support for file names up to 512 bytes long. SEP for Linux 14.2 RU2 extended this further to file names up to 1024 bytes long. Upgrade to 14.2 RU2 or later so that files with names in that range are enumerated and scanned.