Unfortunately I cannot provide the screenshot of deleted library file because I removed the linux server from EPO. Here is the screenshot of product and it's version.

Hi @User90649964 ,

The version seems to be ENS for Windows Platform.

That said, Could you reproduce the issue on a Linux Platform (Test Machine) with ENS for Linux and share some snippets? 

libtsr.so file got deleted.The Trellix agent version

Hi @User90649964 , 

Thank you for sharing the screenshot. 

As per the first screenshot, the analyzer is OAS and probably you are using ENSLTP. The product is not showing in the second screenshot, which would mean that the point product properties are not collected. But that is a different issue.

Regarding the detection and deletion of libtsr.so, could you share the output of the below commands to check which rpm owns the library file (If the OS is an rpm distro)?

# rpm -qf /lib64/libtsr.so
# lsof /lib64/libtsr.so

You might have to compress and submit the file to Trellix Lab for analysis.

Those are the output of both commands

Hi @User90649964 

This seems to be strange. It does look like a rootkit and you should get it investigated asap, as keyutils-libs doesn't provide that library on RHEL7

The keyutils lib should be something like the below.

------------
[alwin@localhost ~]$ rpm -ql keyutils-libs
/lib64/libkeyutils.so.1
/lib64/libkeyutils.so.1.5
/usr/share/doc/keyutils-libs-1.5.8
/usr/share/doc/keyutils-libs-1.5.8/LICENCE.LGPL
[alwin@localhost ~]$
------------

Please open a Service Request and submit /usr/lib64/libtsr.so file for analysis.

@User90649964 , Additionally check with OS vendor too, on the keyutils-libs provided for RHEL 7