Infected files with long UTF-8 encoded file names bypass Endpoint Protection for Linux
Last Updated May 22, 2019
Consider the following scenario:
You have a Linux system running Symantec Endpoint Protection (SEP) for Linux 14.0 RU1 MP1 to 14.2 RU1;
The system has one or more UTF-8 mount points;
On those mount points reside one or more infected files with UTF-8 encoded file names that are more than 256 characters in length.
In this scenario, the files bypass SEP for Linux scanning and conviction. If the file names are shortened to 256 characters or fewer, scanning proceeds without issue and the files are caught by AutoProtect. However, a manual scan of the mount point containing the files still cannot be performed, regardless of file name length.
SEP for Linux (14.0 RU1 MP1 to 14.2 RU1)
When a SEP for Linux manual scan of a directory path is performed, it calls the FindFirstFile() and FindNextFile() functions to iterate through the given path. These functions call the Linux readdir() function to get the next directory entry. In turn, readdir() calls readdir_r() to iterate through the path and return the next entry. However, readdir_r() fails to return the UTF-8 paths, so the files cannot be scanned.
This issue was resolved in SEP for Linux 14.2 RU1 MP1 by adding UTF-8 support to all related functions.
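An added example (not Symantec's code) of the enumeration step the cause above describes: a directory walk that uses readdir() with explicit errno checking instead of readdir_r(), and counts UTF-8 characters per name so entries over a chosen length can be flagged and handled separately instead of being silently dropped. It assumes a writable /tmp and builds a constructed fixture; because local Linux filesystems refuse names longer than NAME_MAX (255 bytes), the long name here is 127 two-byte characters and the article's 256-character threshold is stood in for by the `limit` argument.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* UTF-8 code points in s: count every byte that is not a continuation byte (10xxxxxx). */
size_t utf8_chars(const char *s)
{
    size_t n = 0;
    for (; *s; s++) n += ((unsigned char)*s & 0xC0) != 0x80;
    return n;
}
/* Enumerate a directory as a scanner's FindNextFile() wrapper would, but with readdir()
 * instead of readdir_r(): readdir_r() copies into a caller-owned struct dirent whose
 * d_name holds 256 bytes and fails on longer names (glibc reports ENAMETOOLONG), while
 * readdir() returns a libc-owned entry sized for the name. Returns entries seen (minus
 * "." and ".."), stores how many names exceed `limit` characters in *too_long, or -1 on error. */
long walk_dir(const char *path, size_t limit, long *too_long)
{
    DIR *d = path ? opendir(path) : NULL;
    long seen = 0;
    *too_long = 0;
    if (!d) return -1;
    errno = 0; /* NULL from readdir() means end of directory only if errno stays 0 */
    for (struct dirent *e; (e = readdir(d)) != NULL; errno = 0) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        seen++;
        if (utf8_chars(e->d_name) > limit) (*too_long)++; /* what an affected build skips */
    }
    int err = errno;
    closedir(d);
    return err ? -1 : seen; /* a read failure is reported, never mistaken for "no more entries" */
}
/* Constructed fixture (assumes a writable /tmp): "short.txt" plus a 127-character name of
 * U+00E9 (2 bytes each, 254 bytes), the longest such multibyte name a local NAME_MAX allows. */
const char *make_fixture(void)
{
    static const char dir[] = "/tmp/utf8walk_fixture";
    char name[256] = {0}, path[512];
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return NULL;
    for (int i = 0; i < 127; i++) memcpy(name + 2 * i, "\xC3\xA9", 2);
    const char *names[] = { "short.txt", name };
    for (int i = 0; i < 2; i++) {
        snprintf(path, sizeof path, "%s/%s", dir, names[i]);
        FILE *f = fopen(path, "w");
        if (!f) return NULL;
        fclose(f);
    }
    return dir;
}
```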