Thank you for reaching out.
Regarding the event, could you please let us know the exact product name/version? (Example: ENS for Linux)
Also share a snippet/screenshot that confirms that the file was deleted after scanning.
Unfortunately, I cannot provide the screenshot of the deleted library file because I removed the Linux server from EPO. Here is the screenshot of the product and its version.
Hi @User90649964 ,
Thank you for sharing the screenshot.
As per the first screenshot, the analyzer is OAS and probably you are using ENSLTP. The product is not showing in the second screenshot, which would mean that the point product properties are not collected. But that is a different issue.
Regarding the detection and deletion of libtsr.so, could you share the output of the below commands to check which rpm owns the library file (if the OS is an rpm distro)?
# rpm -qf /lib64/libtsr.so
# lsof /lib64/libtsr.so
You might have to compress and submit the file to Trellix Lab for analysis.
This seems to be strange. It does look like a rootkit and you should get it investigated ASAP, as keyutils-libs doesn't provide that library on RHEL7.
The keyutils lib should be something like the below.
[alwin@localhost ~]$ rpm -ql keyutils-libs
Please open a Service Request and submit /usr/lib64/libtsr.so file for analysis.
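Added example, not part of the thread or of any Trellix tooling: the ownership cross-check discussed above, written as a shell function that compares the suspect host's saved `rpm -qf` output against an `rpm -ql` file list saved from a known-good host. The function names, the package version string and the reference file list are constructed for illustration.

```shell
#!/bin/sh
# Triage a library path from saved command output (runs offline).

# RHEL 7 has /lib64 as a symlink to /usr/lib64; compare paths in one form.
normalize_path() {
    case "$1" in
        /lib64/*) printf '/usr%s\n' "$1" ;;
        *)        printf '%s\n' "$1" ;;
    esac
}

# Strip "-version-release.arch" from an rpm name string to get the package name.
package_name() {
    printf '%s\n' "$1" | sed -E 's/-[^-]+-[^-]+$//'
}

# Constructed sample: `rpm -ql keyutils-libs` as saved on a clean reference host.
write_reference_sample() {
    printf '%s\n' /usr/lib64/libkeyutils.so.1 /usr/lib64/libkeyutils.so.1.5 > "$1"
}

# verdict PATH QF_OUTPUT REFERENCE_LIST_FILE
#   UNOWNED         rpm on the suspect host names no owning package
#   MISMATCH <pkg>  an owner is named, but the clean host's list lacks the path
#   OK <pkg>        an owner is named and the clean host's list contains the path
verdict() {
    v_path=$(normalize_path "$1")
    v_qf=$2
    v_ref=$3
    case "$v_qf" in
        *"is not owned by any package"*) echo "UNOWNED"; return 0 ;;
    esac
    if grep -Fxq -- "$v_path" "$v_ref"; then
        echo "OK $(package_name "$v_qf")"
    else
        echo "MISMATCH $(package_name "$v_qf")"
    fi
}

# Demo with constructed inputs: the suspect host attributes libtsr.so to keyutils-libs.
demo_ref=$(mktemp)
write_reference_sample "$demo_ref"
verdict /lib64/libtsr.so "keyutils-libs-1.5.8-3.el7.x86_64" "$demo_ref"
verdict /lib64/libkeyutils.so.1 "keyutils-libs-1.5.8-3.el7.x86_64" "$demo_ref"
rm -f "$demo_ref"
```

A MISMATCH or UNOWNED verdict on a file under /usr/lib64 is the case worth escalating with the file attached; on the live host, `rpm -V <package>` additionally reports packaged files whose digest, size or mode has changed.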