
Scanning within containers?

I'll apologize in advance for what is likely a dumb question. I'm currently running Proxmox on a single node and wanted to test out Linux Server Protection. I have a bunch of things running in multiple unprivileged LXC containers as well as a few virtual machines. The dumb question I had is whether Linux Server Protection will scan within the LXC containers. This article seems to suggest it does (though it does mention the talpa driver must be used - no idea what that is but I suppose I can figure that out later). Would it do the same for LXC containers? Or does Server Protection need to be installed on every individual container? I imagine that it would need to be installed on each VM, correct?
  • I'm afraid we don't test with LXC containers, so I don't know if on-access with Talpa will work. As the KBA indicates, fanotify doesn't work into containers at all.

    On-access with Talpa will probably work into LXC containers, assuming they use mount namespaces in a similar manner to Docker containers.

    SAV is always required to be installed in the root/host environment, since it needs to interact with the kernel, and have real root access.

  • Thanks very much to both of you for the feedback.

    Just in case it's of interest, SAV does appear to scan within LXC containers. A few days ago SAV detected and reported a malware file that had been downloaded into an unprivileged LXC container. It appears that this was via Talpa, as there was mention of it in the warning message. I wasn't able to clean the malware, likely due to a rights issue, so I'll need to look into that, but at least it detects it. Quite glad I installed it.