System hangs when using Fanotify with on-access scan

Technical Articles ID: KB93788
Last Modified: 1/12/2021

Environment

McAfee Endpoint Security for Linux Threat Prevention (ENSLTP) 10.7.2, 10.7.1

Problem

The operating system might get into a hang state post ENSLTP installation or upgrade. For this issue to trigger, all these conditions must exist:

ENSLTP is configured to run using Fanotify mode.
On-access scan (OAS) is configured to scan file read operations.
The operating system boot configuration uses the option ipv6.disable=1, which disables IPv6.

Cause

ENSLTP 10.7.1 and later ships libcurl library version: 7.69.1. With IPv6 explicitly disabled in the boot configuration, libcurl uses a different system call to create a socket in libcurl 7.69.1. This behavior is done as part of a Global Threat Intelligence (GTI) lookup for OAS. This system call invokes a kernel function call_usermodehelper_exec, which in turn executes a user mode binary. Until the point that the binary gets executed, the GTI thread is in a blocked state. But, the execution of the binary generates multiple Fanotify events that ENSLTP blocks. Because the cyclic dependency blocks the GTI thread, any further events get queued in the ENSLTP user space and never released. This deadlock gradually develops into a system hang.

Solution

This issue is resolved in ENSLTP 10.7.3.

Our product software, upgrades, maintenance releases, and documentation are available on the Product Downloads site.

NOTE: You need a valid Grant Number for access. See KB56057 - How to download Enterprise product updates and documentation for more information about the Product Downloads site, and alternate locations for some products.

Workaround

Use one of the following workarounds to avoid the issue:

Disable GTI in the ePolicy Orchestrator (ePO) ENS OAS policy:
1. Disable Enable On-Access Scan and disable Enable McAfee GTI in the OAS policy.
2. Apply this policy to the client system from ePO.
3. Enable the Enable On-Access Scan option in the OAS policy.
4. Apply this policy to the client system from ePO.
Make sure that only Scan on write is configured for OAS.
On the client system, set the option ipv6.disable to off in the kernel boot configuration.

Affected Products

Endpoint Security for Linux Threat Prevention 10.x
Known Issue/Product Defect

Languages:

This article is available in the following languages:

English United States
Spanish Spain
French
Italian
Portuguese Brasileiro

Knowledge Center

System hangs when using Fanotify with on-access scan

Environment

Problem

Cause

Solution

Workaround

Affected Products

Languages:

Title

Title

Knowledge Center

System hangs when using Fanotify with on-access scan

Environment

Problem

Cause

Solution

Workaround

Affected Products

Languages:

Choose your region

Title

Title