Endpoint Protection Linux Auto Protect does not detect eicar on tmpfs mounts

Article ID: 422850

Products

Endpoint Protection

Issue/Introduction

Symantec Endpoint Protection (SEP) Auto-Protect does not scan files on tmpfs filesystems (e.g. /tmp/), while files on ext4 filesystems are scanned.

Environment

SEP version: 14.3.RU1 and later

Cause

Working as designed.

Resolution

The behavior observed, where files on tmpfs filesystems (e.g. /tmp/ in the Amazon Linux case) are not scanned while files on ext4 filesystems are scanned, is expected and by design.

Why is tmpfs not scanned by default?
This is an intentional design decision based on the following considerations:

  • Performance Optimization for Modern Linux Systems
    On modern Linux distributions, tmpfs is used extensively across the system for various runtime directories:
      • /var/run - Runtime variable data
      • /dev/shm - POSIX shared memory
      • /run - Runtime data
      • /tmp - Temporary files (on many distributions)
      • And many others
    These in-memory filesystems experience extremely high file activity as the system and applications continuously create, modify, and delete temporary files. Scanning all of this activity would introduce significant performance overhead and could impact system responsiveness.
  • Nature of tmpfs Content
    The majority of files in tmpfs locations are:
      • Transient runtime files (PID files, lock files, sockets)
      • Inter-process communication artifacts
      • System state information
      • Temporary application data with very short lifespans
    These files are created and destroyed rapidly, often existing for only milliseconds. Scanning such ephemeral content provides limited security value relative to the performance cost.
  • Balanced Security Posture
    Our approach prioritizes scanning persistent storage (ext4, xfs, etc.) where:
      • Malware is more likely to persist across reboots
      • Files have longer lifespans and higher risk profiles
      • User data and executables are typically stored
    This provides strong protection where it matters most while maintaining optimal system performance.

What This Means for Your Environment
  • Persistent filesystems (ext4, xfs, btrfs, etc.) are fully protected with real-time scanning
  • Executable files on tmpfs are still scanned when accessed for execution
  • The overall security posture remains strong for typical threat scenarios
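As an added example (not from this article or from Symantec), the following POSIX shell script lists the tmpfs mount points on a host and reports which filesystem holds a given path, so an administrator can see exactly which locations Auto-Protect's on-access scanning does not cover for non-executable files. The mount table it parses is a constructed sample in /proc/mounts format; the mount points, devices and file names in it are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Broadcom article: identify paths on tmpfs
# mounts, which SEP Linux Auto-Protect does not scan on access (except on
# execution). Input is a mount table in /proc/mounts format:
#   device mountpoint fstype options dump pass

# Constructed sample mount table standing in for /proc/mounts on an Amazon Linux host.
SAMPLE_MOUNTS='devtmpfs /dev devtmpfs rw,nosuid 0 0
/dev/xvda1 / ext4 rw,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/xvdb1 /tmp/persist ext4 rw,relatime 0 0
/dev/xvdc1 /data xfs rw,relatime 0 0'
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$SAMPLE_FILE"

# tmpfs_mounts [TABLE]: print every tmpfs mount point, one per line.
# TABLE defaults to the live /proc/mounts.
tmpfs_mounts() {
    awk '$3 == "tmpfs" { print $2 }' "${1:-/proc/mounts}"
}

# fstype_of PATH [TABLE]: print the filesystem type holding PATH. The longest
# mount point that is a prefix of PATH wins, matching how the kernel resolves
# nested mounts (here an ext4 volume mounted under the tmpfs /tmp).
fstype_of() {
    awk -v p="$1" '
        { mp = $2; t = $3 }
        mp == "/" || p == mp || index(p, mp "/") == 1 {
            if (length(mp) > best_len) { best_len = length(mp); best = t }
        }
        END { if (best != "") print best }' "${2:-/proc/mounts}"
}

# on_tmpfs PATH [TABLE]: return 0 if PATH is on tmpfs, 1 otherwise.
on_tmpfs() {
    [ "$(fstype_of "$1" "$2")" = "tmpfs" ]
}

# Stand-alone demo against the constructed table.
echo "tmpfs mount points (not scanned on access by Auto-Protect):"
tmpfs_mounts "$SAMPLE_FILE"
echo "filesystem holding each test path:"
for f in /tmp/eicar.com /tmp/persist/eicar.com /data/eicar.com; do
    printf '  %-24s %s\n' "$f" "$(fstype_of "$f" "$SAMPLE_FILE")"
done
```

Omitting the table argument makes the functions read the live /proc/mounts, which is how you would inventory the uncovered locations on a real SEP-protected host.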

Conclusion
This design reflects a deliberate balance between security coverage and system performance, optimized for real-world Linux environments. The high-value targets (persistent storage, executables) remain fully protected, while the unnecessary performance impact of scanning high-frequency transient files is avoided.