To resolve this, create real-time scan anti-malware exclusions with the following entry:
File Exclusion:
/tmp/vs*
Directory Exclusion:
/work/layers/
/work/images/
Deep Security Smart CheckAll
Deep Security Smart Check (DSSC) registry scan might fail when Deep Security Agent (DSA) is installed on Kubernetes nodes. It displays the following error message:
"Status: scan failed - Vulnerability scan failed"
This happens only if the image from registry has malware, and DSA detects it during DSSC registry scanning.
DSSC pulls the image from the registry to scan it for contents, vulnerabilities and malwares. During this time, DSA detects real-time scan detects malicious files from the image as it operates on kernel level of the container host.
Also, AM events on Deep Security web console is generated.
On the logs, it shows that image layer download fail. (image-scan-*.log)
{"image":"a33e891b-93d5-46fd-a656-3cbde4ed9af2","insecureSkipVerify":false,"layer":"http://scan-internal:8081/api/scans/a33e891b-93d5-46fd-a656-3cbde4ed9af2/jobs/image/layers/sha256:0fa025a8e643b99f25e2f8078d41ab85691bf810fc61bb64c076f76f7a18808f","message":"Received HTTP response","method":"GET","response":"HTTP/1.1 500 Internal Server Error\r\nConnection: close\r\nContent-Length: 559\r\nCache-Control: no-cache\r\nCache-Control: no-cache,no-store,must-revalidate\r\nContent-Security-Policy: default-src: 'none';block-all-mixed-content;disown-opener;reflected-xss filter\r\nContent-Type: application/json\r\nDate: Thu, 06 Feb 2020 19:53:52 GMT\r\nExpires: 0\r\nPragma: no-cache\r\nReferrer-Policy: no-referrer\r\nStrict-Transport-Security: max-age=31622400\r\nX-Api-Version: 2018-05-01\r\nX-Content-Type-Options: nosniff\r\nX-Frame-Options: DENY\r\nX-Request-Id: 511f9321-13e1-45ad-bb83-49d68d800127\r\nX-Xss-Protection: 1;mode=block\r\n\r\n","severity":"debug","timestamp":"2020-02-06T19:53:52Z","url":"http://scan-internal:8081/api/scans/a33e891b-93d5-46fd-a656-3cbde4ed9af2/jobs/image/layers/sha256:0fa025a8e643b99f25e2f8078d41ab85691bf810fc61bb64c076f76f7a18808f"}
{"error":"unable to download layer: response code 500","image":"a33e891b-93d5-46fd-a656-3cbde4ed9af2","layer":"http://scan-internal:8081/api/scans/a33e891b-93d5-46fd-a656-3cbde4ed9af2/jobs/image/layers/sha256:0fa025a8e643b99f25e2f8078d41ab85691bf810fc61bb64c076f76f7a18808f","message":"Unable to download layer","severity":"warning","timestamp":"2020-02-06T19:53:52Z"}
{"api":"internal","component":"image-scan","error":"Unable to download layer: unable to download layer: response code 500","message":"Failed to extract image","root":"work/images/4a555442-5cb4-4757-9e4e-e743f586bcee","scan":"4a555442-5cb4-4757-9e4e-e743f586bcee","severity":"error","timestamp":"2020-02-06T19:53:52Z"}
To resolve this, create real-time scan anti-malware exclusions with the following entry:
File Exclusion:
/tmp/vs*
Directory Exclusion:
/work/layers/
/work/images/