I keep getting warnings about "Access scanner could not scan object" from Linux hosts
I'm using Policy Manager Server and Console version 16.01.98252 and the hosts are using Linux Security 64 12.00.
The current policy is straightforward. Real-time scanning is enabled for the home directory. I do not use Security Cloud and scan all files for potentially unwanted applications.
The product is installed on about 80 computers.
Every day I'm receiving several warnings with this description:
"Access scanner could not scan object"
I do not see any pattern with the hosts, every machine using the product seems to encounter this error at one time or another.
I do not see a clear pattern with the files affected by the issue either.
More often than not it will be a temporary file for a browser. But any file can apparently cause the issue.
Here are a few examples of recent warnings:
Access scanner could not scan object /home/service1/user1/.mozilla/firefox/mxgufibv.default-release/datareporting/glean/tmp/af5ee092-cbfb-4568-96c2-e909b455fd8b.
Access scanner could not scan object /home/service2/user2/Téléchargements/UnrealEngine-4.27.2-release/Engine/Plugins/Runtime/GeoReferencing/Source/ThirdParty/vcpkg-installed/x64-android/include/proj_api.h
Access scanner could not scan object /home/service3/user3/.thunderbird/user3.default-release/ImapMail/email.toto.fr/BIFD.msf
Access scanner could not scan object /home/service4/user4/.thunderbird/user4.default-release/prefs.js
Seeing that it often concerns temporary files, my initial thought was that the module was scheduled to scan a file but it had been deleted by the time it tried to actually start the analysis. But each time I've checked for the file's presence, it was there and perfectly readable.
Is this a known issue? Am I missing something with the policy or the product setup? The very frequent warnings this issue is causing make it harder to spot actual threats.
Answers
Hi @j_v,
Thank you for reaching out to the WithSecure community.
In general, it is a common message when the scanning cannot be done successfully, either because the file is deleted during the scanning or because it is being used.
There are temporary files created under the "/tmp" directory when the scanning or the database update is being executed. Normally, they will be deleted once the operation is completed.
So, it is expected behavior: the "/tmp" directory is a very common place to put temporary files, and Linux Security 64 components do it as well (though we are attempting to do it less day by day); that file is obviously written by the Capricorn engine.
It is typical that various applications write files under the "/tmp" directory, and they could be short- or long-lived files. It is up to the application to clean up the files after use; one complication to this matter is that the system is also set up to clean up old files under the "/tmp" directory even if they are still in use.
In case similar error messages are being reported for many files, including simple text files (e.g., /etc/hosts, /etc/ld.so.cache, etc.), there is a possibility that it is actually caused by the interval license validity issue, which requires a manual workaround to fix.
Some of the files causing the issue are temporary files, but not all of them. And I haven't found that any of the files is missing when I check.
What is the workaround you're speaking of?