Trend Micro Incorporated
August 17, 2020

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Trend Micro(TM) ServerProtect(TM) for Linux(TM) 3.0
Kernel Hook Module (KHM) 3.0.1.0022
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TERMS AND CONDITIONS: This module was developed by Trend Micro, Inc. This module has received limited testing and is for your internal use only. THIS MODULE IS PROVIDED "AS IS" WITHOUT WARRANTIES OF ANY KIND. TREND MICRO MAKES NO WARRANTY ABOUT THE OPERATION OR PERFORMANCE OF THIS MODULE NOR DOES IT WARRANT THAT THIS MODULE IS ERROR FREE. TO THE FULLEST EXTENT PERMITTED BY LAW, TREND MICRO DISCLAIMS ALL IMPLIED AND STATUTORY WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, NONINFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE. THIS MODULE IS SUBJECT TO CHANGE AND MODIFICATION, INCLUDING, WITHOUT LIMITATION, CHANGES AND MODIFICATIONS WITH RESPECT TO PERFORMANCE AND FUNCTIONALITY ANY TIME AT THE SOLE DISCRETION OF TREND MICRO.

Contents
=========================================================
1. About the Kernel Hook Module
2. What's New
   2.1 Resolved Known Issues
   2.2 Enhancements
3. Documentation Set
4. System Requirements
5. Installation
   5.1 Updating
   5.2 Installing
   5.3 Uninstalling
6. Post-installation Configuration
7. Known Issues
8. Release History
   8.1 Prior Releases
9. Contact Information
10. About Trend Micro
11. License Agreement
=========================================================

1. About the Kernel Hook Module
======================================================================
The Kernel Hook Module (KHM) in ServerProtect for Linux hooks Linux file operating system calls and passes information to the scan engine. Without the KHM, ServerProtect cannot perform real-time scans.
Trend Micro has released KHMs for the following officially supported platforms:
- Red Hat(TM) Enterprise Linux 4
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 8
- CentOS 4
- CentOS 5
- CentOS 6
- CentOS 7
- CentOS 8
- SuSE(TM) Linux Enterprise Server 10
- SuSE Linux Enterprise Desktop 10
- SuSE Linux Enterprise Server 11
- SuSE Linux Enterprise Desktop 11
- SuSE Linux Enterprise Server 12
- SuSE Linux Enterprise Desktop 12
- SuSE Linux Enterprise Server 15
- SuSE Linux Enterprise Desktop 15

You can also download KHMs for these platforms from the Trend Micro website. If your platform is not on the list, you can build the KHM on your Linux system from the source code included in the installation package.

NOTE: Trend Micro does not guarantee nor support KHMs that are not provided by Trend Micro.

2. What's New
======================================================================

2.1 Resolved Known Issues
===================================================================
NOTE: KHM 3.0.1.0022 includes all fixes released in previous versions. Refer to Section 8 for more information.

This new version resolves the following issues:

Issue 1: Kernel panic may occur while the kernel module handles certain information from the user mode process.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0022 resolves the issue.

Issue 2: Sometimes, system calls may not be unhooked when KHM unloads.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0022 resolves this issue.

2.2 Enhancements
===================================================================
There are no enhancements in this release.

3. Documentation Set
======================================================================
To download or view electronic versions of the documentation set for this product, go to http://docs.trendmicro.com

4. System Requirements
======================================================================
The following are the minimum system requirements to build a KHM successfully:
- GCC
- GNU Make
- the corresponding kernel source and configuration file for your running kernel

The KHM source code that Trend Micro provides only enables you to build a KHM for your kernel.

5. Installation
======================================================================
This section explains the key steps for installing the release.

5.1 Updating
===================================================================
To update the KHM package:

1. Download the new KHM package from the Update Center.

2. Log on as a root user.

3. Create a backup of the old KHM source by running the following commands:

   # cd /opt/TrendMicro/SProtectLinux/SPLX.module/src/
   # tar -zcvf splx_kernel_module-bak-<version>-src.tar.gz *

   NOTE: <version> should be replaced by the actual version number of the KHM source package that was downloaded in step 1. For example, if the downloaded package is "splx_kernel_module-3.0.1.0022-src.tar.gz", then <version> is "3.0.1.0022".

4. Copy the "tar.gz" file to a working directory, for example, "/home/workdir".

5. Run the following command to update the KHM source files:

   # tar -zxvf splx_kernel_module-<version>-src.tar.gz -C /opt/TrendMicro/SProtectLinux/SPLX.module/src/

5.2 Installing
===================================================================
Refer to the INSTALL file for details on building and installing the KHM.

NOTE: Before you begin the installation, make sure you:
- have the configured Linux kernel source on your system:
  - For Red Hat Enterprise Linux and CentOS, install the "kernel-devel" package.
  - For SuSE Linux Enterprise Server/Desktop, install the "kernel-source" and "kernel-syms" packages.
- run the following command on the Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, CentOS 7, or CentOS 8 operating system:
   # cp /usr/include/linux/version.h /lib/modules/$(uname -r)/build/include/linux/

The following commands outline the general build procedure:

   # /etc/init.d/splx stop
   # cd /opt/TrendMicro/SProtectLinux/SPLX.module/src/module
   # make
   # make test
   # make install
   # /etc/init.d/splx start

5.3 Uninstalling
===================================================================
To roll back to the previous build:

1. Run the following commands using the KHM source file from step 3 of Section 5.1:

   # cd /opt/TrendMicro/SProtectLinux/SPLX.module/src/
   # tar -zxvf splx_kernel_module-bak-<version>-src.tar.gz

2. Follow the build procedure in Section 5.2 to build using the old KHM source.

6. Post-installation Configuration
======================================================================
No post-installation steps are required.

NOTE: Trend Micro recommends that you update your scan engine and virus pattern files immediately after installing the product.

7. Known Issues
======================================================================
Since the Linux kernel is updated from time to time, Trend Micro cannot guarantee that this source code will continue to work well with the latest kernel source. Trend Micro will update the KHM source code as new Linux kernels are released. Please visit the Trend Micro website to get the latest KHM source code.

Trend Micro recommends modifying the KHM source code for your Linux kernel. Refer to Section 5.1 for specific steps to update the source code.

8. Release History
======================================================================
For more information about updates to this product, go to:
http://www.trendmicro.com/download

8.1 Prior Releases
===================================================================
NOTE: Only this version was tested for this release. Prior versions were tested at the time of their release.

KHM 3.0.1.0021, July 2, 2020

Issue 1: An issue related to the kernel mode module may cause a minor memory leak event.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0021 resolves the issue.

Issue 2: Outgoing Real-time scans do not work properly on the RHEL 8, CentOS 8, or SLES 15 platforms.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0021 resolves this issue.

Issue 3: Sometimes, ServerProtect skips certain files during scans.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: KHM 3.0.1.0021 resolves this issue.

KHM 3.0.1.0020, June 1, 2020

Issue 1: The kernel might stop unexpectedly on platforms where CONFIG_HARDENED_USERCOPY is enabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0020 resolves this issue.

Issue 2: ServerProtect does not scan some 32-bit applications on platforms where CONFIG_ARCH_HAS_SYSCALL_WRAPPER is enabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0020 resolves this issue.

KHM 3.0.1.0019, March 15, 2019

Issue: The KHM does not support the following platform versions:
- SuSE Linux Enterprise Server 12 Service Pack 4
- SuSE Linux Enterprise Desktop 12 Service Pack 4
- SuSE Linux Enterprise Server 15
- SuSE Linux Enterprise Desktop 15
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.1.0019 supports all four platform versions specified above.

KHM 3.0.1.0018, May 15, 2018

Issue: KHM does not support Red Hat Enterprise Linux 7.5 and CentOS 7.5.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.1.0018 supports Red Hat Enterprise Linux 7.5 and CentOS 7.5.

KHM 3.0.1.0017, June 17, 2017

Issue: KHM does not support SuSE Linux Enterprise Server 12 Service Pack 2 and SuSE Linux Enterprise Desktop 12 Service Pack 2.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.1.0017 supports SuSE Linux Enterprise Server 12 Service Pack 2 and SuSE Linux Enterprise Desktop 12 Service Pack 2.
KHM 3.0.1.0016, October 19, 2016

Issue: After KHM starts, it automatically changes the privilege setting for the memory page of the syscall table to "Read Only". As a result, the Linux platform may stop unexpectedly when other products attempt to make changes to the information in the syscall table.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.1.0016 rolls back the privilege setting of the syscall table memory page to the default value of the Linux system after it starts. This ensures that other products can modify the information in the syscall table without issues.

KHM 3.0.1.0015, May 30, 2016

Issue 1: The operating system (OS) may stop unexpectedly when ServerProtect for Linux wakes up a hooked process. This happens when the wait queue which ServerProtect for Linux attempts to access has been deleted by the hooked process.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0015 keeps a reference count of processes to make sure that the process information will not be deleted when ServerProtect for Linux wakes up a hooked process.

Issue 2: ServerProtect for Linux cannot detect when the EICAR test file is transferred to the server through SSH File Transfer Protocol (SFTP) in a chroot environment.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0015 removes a hard-coded exclusion of the "sshd" command to resolve this issue.

KHM 3.0.1.0014, January 11, 2016

Issue 1: The OS may sometimes stop unexpectedly when users remove a folder while ServerProtect for Linux scans some files from the same folder.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0014 resolves the problem.

Issue 2: If KHM hooks some processes that have stopped, the processes may stop responding.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0014 replaces a kernel API to enable the system to wake up processes that have stopped.
Issue 3: After the Linux kernel is updated to version 3.10, the implementation of the kernel API "dentry_open" changes in a way that prevents users from unmounting directories that are currently mounted.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: KHM 3.0.1.0014 supports this change.

KHM 3.0.1.0013, April 1, 2015

Issue 1: KHM does not support version 12 of the SuSE Linux Enterprise Server.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0013 now supports SuSE Linux Enterprise Server 12.

Issue 2: When KHM is running through the deny write directory list, kernel panic may occur if the deny write directory list is deleted outside the allotted time interval.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0013 now keeps a reference count to help it determine whether the list has already been reconstructed while it iterates the list. This helps ensure that KHM does not delete the deny write directory list outside the allotted time interval.

Issue 3: Sometimes, deadlock issues occur when the vsapiapp process updates the settings in KHM.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: KHM 3.0.1.0013 moves some actions out from under the lock to prevent deadlock issues while the vsapiapp process updates the settings in KHM.

KHM 3.0.1.0012, September 15, 2014

Issue 1: KHM does not support Red Hat Enterprise Linux 7.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0012 supports Red Hat Enterprise Linux 7.

Issue 2: After kernel 3.0, a memory leak may occur while enabling Real-time Scan.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0012 resolves the memory leak issue so Real-time Scan can be enabled successfully.

KHM 3.0.1.0011, January 17, 2014

Issue 1: KHM misses a dput and an mntput kernel API call on a mount point, which can cause kernel panic when the "refer_count" value of a related node reaches a certain limit.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0011 no longer misses the dput and mntput kernel API calls on mount points.

Issue 2: When KHM is running through the exclusion list, kernel panic may occur if the exclusion list is deleted outside the allotted time interval.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0011 keeps a reference count to help it determine whether the list has already been reconstructed while it iterates the list. This helps ensure that KHM does not delete the exclusion list outside the allotted time interval.

Issue 3: In the RHEL 6.5 kernel, the "char* filename" parameter of the kernel API "putname/getname" function has been changed to the "struct filename" structure.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: KHM 3.0.1.0011 supports this change.

KHM 3.0.1.0010, April 18, 2013

Issue 1: Users can unload KHM even when some processes are accessing KHM.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0010 allows users to unload it only after all processes have stopped accessing KHM.

Issue 2: Users can delete the exclusion list even if some processes are accessing the exclusion list.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0010 adds a reference count to the exclusion list to prevent this issue from occurring.

Issue 3: Users sometimes cannot wake up processes that KHM hooks.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 3: KHM 3.0.1.0010 has an error handling feature that enables it to make several attempts to wake up sleeping processes if the wake-up function returns an error.

KHM 3.0.1.0009, August 24, 2012

Issue: KHM does not support SuSE 11 Service Pack 2.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.1.0009 supports SuSE 11 Service Pack 2 with kernel version 3.0.

KHM 3.0.1.0008, March 28, 2012

Issue: Sometimes, deadlock issues occur when KHM hooks files while other processes are accessing the files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.1.0008 optimizes the KHM lock function to prevent deadlock issues in this situation.

KHM 3.0.1.0007, July 21, 2011

Issue: Under certain conditions, deadlock issues may occur while loading or unloading the KHM from the kernel.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.1.0007 contains an optimized lock function which can prevent these issues.

KHM 3.0.1.0006, May 30, 2011

Enhancement 1: KHM 3.0.1.0006 fully supports SuSE 11 Service Pack 1.

Enhancement 2: Unlike previous KHM versions, KHM 3.0.1.0006 only hooks configured open, close, or execute events, which improves KHM performance.

Issue 1: Servers with kernel 2.6.32 may not be able to restart while ServerProtect for Linux runs with real-time scan enabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.1.0006 resolves this issue.

Issue 2: After kernel 2.6.27, a memory leak may occur while "vsapiapp" restarts.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.1.0006 resolves this issue.

KHM 3.0.1.0005, March 31, 2011

Issue: The computer may work abnormally while scanning running processes in an NFSv4 client shared directory.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.1.0005 resolves this issue.

KHM 3.0.0.0005, November 6, 2010

Issue 1: ServerProtect for Linux does not support wildcard characters ("*" and "?") on the real-time scan file exclusion list.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.0.0005 resolves this issue.

Issue 2: KHM does not support SuSE 11 Service Pack 1.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.0.0005 supports SuSE 11 Service Pack 1 with kernel version 2.6.32.

NOTE: Only 32-bit and 64-bit kernels for Xen(R) are supported in this version.

Enhancement: KHM 3.0.0.0005 adds "*" and "?" to the list of supported wildcard characters in the command exclusion list.

KHM 3.0.0.0004, February 1, 2010

Issue: The computer may work abnormally when KHM is running with audit enabled.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.0.0004 resolves this issue.

Enhancement 1: KHM 3.0.0.0004 supports CentOS 4/5 and SuSE 11.

Enhancement 2: KHM 3.0.0.0004 adds a command bypass feature for real-time scans.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure 2: To bypass commands for real-time scans, run the following command:

   # echo "command1" "command2" > /proc/splx/command_exclusion

NOTES:
- Run the command only after applying the new KHM build from this version of the KHM source code.
- Here, "command1" and "command2" are the names of the running processes. For example, if you do not want real-time scan to scan "vi" and "bash", you can run the following command:

   # echo vi bash > /proc/splx/command_exclusion

- This feature supports a maximum of 10 process names.
- The command list will be reset after "vsapiapp" restarts.
- Wildcards "*" and "?" are supported.

KHM 3.0.0.0003, January 26, 2010

Issue: The real-time scan option cannot take effect when users run it from the Web console.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.0.0003 resolves this issue.

KHM 3.0.0.0002, April 31, 2009

Issue: The computer may work abnormally when several "vsapiapp" threads attempt to initialize KHM.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution: KHM 3.0.0.0002 resolves this issue.

Enhancement: KHM 3.0.0.0002 has a dynamic enabling feature for the kernel debug log.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Procedure: To enable the kernel debug log dynamically, run the following command:

   # echo 1 > /proc/splx/khm_debug_level

NOTES:
- Run the command only after applying the new KHM build from this version of the KHM source code.
- Here, "1" is the kernel debug log level you would like to set. The valid range is "0" to "3". Any value higher than "3" will be treated as "3". Values smaller than "0" will be treated as "0". A floating-point value will be truncated to an integer, and any non-numeric value will be treated as invalid and refused.

KHM 3.0.0.0001, January 28, 2008

Issue 1: ServerProtect cannot unmount shared files.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 1: KHM 3.0.0.0001 resolves this issue.

Issue 2: The computer may work abnormally and the following kernel log is displayed after running for an extended period of time:
"kernel: kernel BUG at include/linux/dcache.h:282!"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution 2: KHM 3.0.0.0001 resolves this issue.

9. Contact Information
======================================================================
A license to Trend Micro software usually includes the right to product updates, pattern file updates, and basic technical support for one (1) year from the date of purchase only. After the first year, you must renew Maintenance on an annual basis at Trend Micro's then-current Maintenance fees.

Contact Trend Micro via fax, phone, and email, or visit our website to download evaluation copies of Trend Micro products.
http://www.trendmicro.com/us/about-us/contact/index.html

NOTE: This information is subject to change without notice.

10. About Trend Micro
======================================================================
Smart, simple, security that fits

As a global leader in IT security, Trend Micro develops innovative security solutions that make the world safe for businesses and consumers to exchange digital information.

Copyright 2020, Trend Micro Incorporated. All rights reserved.

Trend Micro, ServerProtect, and the t-ball logo are trademarks of Trend Micro Incorporated and are registered in some jurisdictions. All other marks are the trademarks or registered trademarks of their respective companies.

11. License Agreement
======================================================================
View information about your license agreement with Trend Micro at:
http://www.trendmicro.com/us/about-us/legal-policies/license-agreements

Third-party licensing agreements can be viewed:
- By selecting the "About" option in the application user interface
- By referring to the "Legal" page of the Administrator's Guide
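The source update from Section 5.1 (steps 3 to 5), the rollback from Section 5.3 and the build from Section 5.2, scripted as an added example that is not part of the Trend Micro readme or the KHM package. It assumes the package naming shown in Section 5.1 (splx_kernel_module-<version>-src.tar.gz) and lets SRC_DIR be overridden so the backup and restore steps can be rehearsed in a scratch directory before touching a production server; the build step is provided but never invoked automatically.

```shell
#!/bin/sh
# Added example, not from the Trend Micro readme: scripts the KHM source
# update (Section 5.1, steps 3-5), the rollback (Section 5.3) and the build
# (Section 5.2). Assumes the readme's package naming scheme,
# splx_kernel_module-<version>-src.tar.gz. SRC_DIR defaults to the path in
# the readme and can be overridden to rehearse the steps in a scratch tree.

SRC_DIR="${SRC_DIR:-/opt/TrendMicro/SProtectLinux/SPLX.module/src}"

# Print <version> taken from the package file name; return 1 if the name does
# not follow the readme's scheme or the version is not dotted digits.
khm_pkg_version() {
    name=$(basename "$1")
    case "$name" in
        splx_kernel_module-*-src.tar.gz) ;;
        *) return 1 ;;
    esac
    ver=${name#splx_kernel_module-}
    ver=${ver%-src.tar.gz}
    case "$ver" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    printf '%s\n' "$ver"
}

# Section 5.1: back up the current source tree as
# splx_kernel_module-bak-<version>-src.tar.gz, then unpack the new package
# over SRC_DIR. The archive is built in a temp file so tar never tries to
# include the backup in itself, and an existing backup is never overwritten
# because it is the only rollback point.
khm_update() {
    pkg=$1
    ver=$(khm_pkg_version "$pkg") || { echo "unexpected package name: $pkg" >&2; return 1; }
    [ -d "$SRC_DIR" ] || { echo "missing $SRC_DIR" >&2; return 1; }
    backup="$SRC_DIR/splx_kernel_module-bak-$ver-src.tar.gz"
    [ ! -e "$backup" ] || { echo "backup already exists: $backup" >&2; return 1; }
    tmp=$(mktemp "${TMPDIR:-/tmp}/khmbak.XXXXXX") || return 1
    tar -zcf "$tmp" -C "$SRC_DIR" . || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$backup" || return 1
    tar -zxf "$pkg" -C "$SRC_DIR"
}

# Section 5.3, step 1: restore the backed-up source for the given version.
khm_rollback() {
    backup="$SRC_DIR/splx_kernel_module-bak-$1-src.tar.gz"
    [ -f "$backup" ] || { echo "no backup for version $1" >&2; return 1; }
    tar -zxf "$backup" -C "$SRC_DIR"
}

# Section 5.2 build procedure, to run as root after khm_update or
# khm_rollback. It stops real-time scanning and installs a kernel module, so
# it is deliberately not called from this script.
khm_build() {
    /etc/init.d/splx stop &&
    (cd "$SRC_DIR/module" && make && make test && make install) &&
    /etc/init.d/splx start
}
```

Run the functions from a root shell on the server (for example `SRC_DIR=/tmp/khm-test . ./khm.sh` first to rehearse, then without the override), and call khm_build only once khm_update or khm_rollback has returned 0.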