Deep Security Agent detection on containers mounted to EFS or NFS

Product / Version includes:

Deep Security20.0

Last updated: 2024/05/20

Solution ID: KA-0010184

Category: Configure

Summary

Deep Security Agent (DSA) can detect malicious files in a Network File System (NFS) and share real-time . It can also detect a malware dropped inside a container, even if the container is mounted to NFS or Elastic File System (EFS). This is feasible since the DSA Real-Time Scan hooks at the host kernel level, which is shared with docker containers.

Below is a test scenario:

Deploy AWS EFS and mount it to EC2.
Install Deep Security Agent and docker on the host machine.

Deploy Ubuntu container mounted to EFS.

docker run -it --name=ubuntu --mount type=volume,dst=<container path>,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device<EFS/NFS Path> ubuntu

Drop an EICAR test file inside the container mount point.

echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > eicar.exe

As a result, the malware is detected as a container event.
Detected malware on mounted container

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Deep Security Agent detection on containers mounted to EFS or NFS

Deep Security Agent detection on containers mounted to EFS or NFS

Product / Version includes:

Summary