bpfilter_umh process suspected to be a malware since a process is running with no name in the vCenter

Article ID: 416257


Updated On:

Products

VMware vCenter Server

Issue/Introduction

Security monitoring reports an unnamed process running in Photon OS when auditing a vCenter Server appliance.

The process has neither a name nor command-line arguments (both empty in the process listing). Rebooting the appliance does not help: after the reboot a nameless process is present again.


Environment

VMware vCenter Server 7.x

Cause

The nameless process is created by the bpfilter kernel module, which ships with the Photon OS kernel.

The module creates a user-space helper process and drives it from the kernel; the blog post linked below describes the mechanism:

"The basic idea is that this kernel module creates a "usermode driver", i.e. an "ordinary" process, and then communicates with it via pipes."

https://www.uninformativ.de/blog/postings/2022-06-11/0/POSTING-en.html

Resolution

The nameless process is not malware. It is the user-space helper spawned by the bpfilter kernel module. This behavior changed in Photon Linux kernel version 4.19.290-1.ph3 and above, where the helper process is assigned the name bpfilter_umh and therefore shows up with a name in process listings.
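The following triage script is an added example; it is not part of this article and not VMware or Photon OS code. It shows how to confirm on the appliance that a nameless process matches the bpfilter helper pattern before (or instead of) escalating it as malware. It assumes that the helper has an empty comm and an empty cmdline, that its parent is a kernel thread (itself with an empty cmdline), that a loaded or built-in bpfilter module appears as /sys/module/bpfilter, and that the kernel release reported by uname -r can be compared against the 4.19.290-1.ph3 threshold with sort -V. PROC_ROOT and SYS_ROOT are hypothetical overrides so the functions can also be run against a constructed directory tree.

```shell
#!/bin/sh
# Added example (not VMware's or Photon OS's code): triage a nameless process on a
# Photon OS / vCenter Server appliance before treating it as malware.
#
# Assumptions (not stated by the KB article):
#   - PROC_ROOT / SYS_ROOT default to /proc and /sys and can be overridden to
#     point at a constructed tree for testing.
#   - The bpfilter helper has an empty comm and an empty cmdline, and its
#     parent is a kernel thread (empty cmdline as well).
#   - uname -r is comparable with the package version 4.19.290-1.ph3 via sort -V.

PROC_ROOT="${PROC_ROOT:-/proc}"
SYS_ROOT="${SYS_ROOT:-/sys}"

# Print "PID PPID" for every process whose comm and cmdline are both empty.
find_nameless_procs() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -d "$d" ] || continue
        pid="${d##*/}"
        comm="$(cat "$d/comm" 2>/dev/null | tr -d '\n')"
        cmd="$(cat "$d/cmdline" 2>/dev/null | tr -d '\0')"
        [ -z "$comm" ] && [ -z "$cmd" ] || continue
        ppid="$(awk '/^PPid:/ {print $2}' "$d/status" 2>/dev/null)"
        printf '%s %s\n' "$pid" "${ppid:-?}"
    done
}

# Succeed if the bpfilter module is loaded or built in (sysfs entry exists).
bpfilter_present() {
    [ -d "$SYS_ROOT/module/bpfilter" ]
}

# Succeed if kernel release $1 is at or above version $2 (GNU sort -V ordering).
kernel_at_least() {
    have="$1"; want="$2"
    [ "$(printf '%s\n' "$want" "$have" | sort -V | head -n 1)" = "$want" ]
}

# Succeed (0) if PID $1 with parent $2 matches the benign bpfilter helper pattern:
# parent is a kernel thread (empty cmdline) and the bpfilter module is present.
# Anything else returns 1 and deserves a closer look.
triage_nameless() {
    pid="$1"; ppid="$2"
    pcmd="$(cat "$PROC_ROOT/$ppid/cmdline" 2>/dev/null | tr -d '\0')"
    [ -z "$pcmd" ] && bpfilter_present
}

# Walk the live system and print a verdict per nameless process.
scan() {
    krel="$(uname -r)"
    if kernel_at_least "$krel" "4.19.290-1.ph3"; then
        echo "kernel $krel: the bpfilter helper should already be named bpfilter_umh"
    else
        echo "kernel $krel: below 4.19.290-1.ph3, the bpfilter helper runs without a name"
    fi
    find_nameless_procs | while read -r pid ppid; do
        if triage_nameless "$pid" "$ppid"; then
            echo "PID $pid (parent $ppid): nameless, kernel-spawned, bpfilter present -> consistent with the bpfilter helper"
        else
            echo "PID $pid (parent $ppid): nameless but does not match the bpfilter pattern -> investigate /proc/$pid/exe and /proc/$pid/maps"
        fi
    done
}

# Usage on the appliance: sh triage.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan
fi
```

The check deliberately combines three signals (empty comm and cmdline, kernel-thread parent, bpfilter module present) rather than whitelisting "any nameless process": a user-space parent, or a nameless process on a system where bpfilter is not loaded, does not fit the explanation in this article and should be examined.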