Deep Security Agent (DSA) can detect malicious files on a Network File System (NFS) share in real time. It can also detect malware dropped inside a container, even when the container is mounted on NFS or Elastic File System (EFS). This is possible because the DSA Real-Time Scan hooks in at the host kernel level, and that kernel is shared with the Docker containers running on the host.
Below is a test scenario:
- Deploy AWS EFS and mount it on an EC2 instance.
- Install Deep Security Agent and Docker on the host machine.
- Deploy an Ubuntu container with the EFS path mounted into it.
docker run -it --name=ubuntu --mount type=volume,dst=<container path>,volume-driver=local,volume-opt=type=none,volume-opt=o=bind,volume-opt=device=<EFS/NFS Path> ubuntu
- Drop an EICAR test file inside the container mount point.
echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > <container path>/eicar.exe
As a result, the malware is detected as a container event.
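The following POSIX shell helper is an added example and is not part of the original article or of Trend Micro's tooling. It automates the last step of the scenario: it writes the EICAR test file into a mount point you pass in (for instance the EFS path on the host, or the container path from inside the container), confirms the file is the expected 68 bytes, and then polls to see whether the real-time scan has removed it. The function names `write_eicar` and `await_action` and the timeout argument are my own; the check assumes the scan action is configured to quarantine or delete the file, so if the policy only logs, confirm detection from the event rather than from the file disappearing.

```shell
#!/bin/sh
# Added example (not from the original article): drop the EICAR test string
# into a mount point and check whether real-time scan acted on it.

# The standard EICAR test string, 68 bytes, harmless by design.
EICAR='X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

# write_eicar DIR
#   Writes DIR/eicar.exe without a trailing newline and prints its byte count,
#   so the caller can confirm the file is exactly the 68-byte test string.
write_eicar() {
    dir="$1"
    printf '%s' "$EICAR" > "$dir/eicar.exe"
    wc -c < "$dir/eicar.exe" | tr -d ' '
}

# await_action FILE SECONDS
#   Polls once per second for up to SECONDS. Returns 0 as soon as FILE is gone
#   (quarantined or deleted by the scanner), 1 if it is still present at the end.
await_action() {
    file="$1"
    limit="$2"
    elapsed=0
    while [ "$elapsed" -lt "$limit" ]; do
        [ -e "$file" ] || return 0
        sleep 1
        elapsed=$((elapsed + 1))
    done
    if [ -e "$file" ]; then
        return 1
    fi
    return 0
}

# Typical use on the host (EFS path) or inside the container (container path):
#   size=$(write_eicar /mnt/efs)            # prints 68
#   await_action /mnt/efs/eicar.exe 30 && echo "removed by scanner" || echo "still present"
```

Because the NFS/EFS path is the same file system on both sides, the file written from inside the container is visible on the host at the EFS path and vice versa; running `await_action` on the host path while the file was written from the container demonstrates exactly the kernel-level visibility the article relies on.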