lfd Suspicious File Alert after Acronis installation

rs200 (Active Member, Italy; cPanel Access Level: Root Administrator)
Hello,

I recently installed the Acronis agent on my VPS to back up the entire server.

Everything is OK, but after midnight lfd sent me many notifications like this one:

Code:
lfd on server.vpstest.it: Suspicious File Alert

Time:   Thu Nov 21 00:05:06 2019 +0100
File:   /tmp/dkms.9npzAf/dkms_main_tree/2.6.32-504.12.2.el6.i686/i686/module/snumbd26.ko
Reason: Linux Binary
Owner:  : (197619:197121)
Action: No action taken

Time:   Thu Nov 21 00:05:06 2019 +0100
File:   /tmp/dkms.9npzAf/dkms_main_tree/2.6.32-504.12.2.el6.i686/i686/module/snapapi26.ko
Reason: Linux Binary
Owner:  : (197619:197121)
Action: No action taken

Time:   Thu Nov 21 00:05:07 2019 +0100
File:  
Reason:
Owner:
Action: Too many hits for LF_DIRWATCH - Directory Watching disabled

(continuing with other alerts)
I am sure these are related to the Acronis agent.

How can I disable alerts about the Acronis agent in the csf.pignore file?

The process related to the agent is this:

Code:
/usr/lib/Acronis/BackupAndRecovery/mms

Thanks

cPanelLauren (Forums Analyst II, Staff member, Houston; cPanel Access Level: DataCenter Provider)
@quietFinn is correct: you wouldn't use csf.pignore, you would use csf.fignore.

DIRWATCH automatically (without any configuration) adds /tmp as a directory to watch. The following helps explain its use as well:

Code:
Directory Watching
#####################

Directory Watching enables lfd to check /tmp and /dev/shm and other pertinent
directories for suspicious files, i.e. script exploits.

If a suspicious file is found an email alert is sent using the template
filealert.txt.

NOTE: Only one alert per file is sent until lfd is restarted, so if you remove
a suspicious file, remember to restart lfd

To remove any suspicious files found during directory watching, enable the
corresponding setting; the suspicious files will then be appended to a tarball in
/var/lib/csf/suspicious.tar and deleted from their original location. Symlinks
are simply removed.

If you want to extract the tarball to your current location, use:

tar -xpf /var/lib/csf/suspicious.tar

This will preserve the path and permissions of the original file.

Any false-positives can be added to /etc/csf/csf.fignore and lfd will then
ignore those listed files and directories.

Within csf.fignore is a list of files that lfd directory watching will ignore.
You must specify the full path to the file.

You can also use perl regular expression pattern matching, for example:
/tmp/clamav.*
/tmp/.*\.wrk

Remember that you will need to escape special characters (precede them with a
backslash) such as \. \?

Pattern matching will only occur with strings containing an asterisk (*);
otherwise full file path matching will be applied.

You can also add entries to ignore files owned by a particular user by
preceding it with user:, for example:
user:bob

Note: files owned by root are ignored

For information on perl regular expressions:
http://www.perl.com/doc/manual/html/pod/perlre.html
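As an added illustration (not code from the thread or from csf itself), the following Python model applies the csf.fignore rules quoted above (full-path entries, perl-style patterns for entries containing an asterisk, user: entries, root-owned files ignored) to constructed alert records modelled on the ones in the first post, so an entry can be checked before lfd is restarted. It assumes pattern entries are matched against the whole path; csf's own matching code may differ in detail.

```python
import re

# Constructed csf.fignore contents: the entry suggested in this thread plus
# the documented example formats.
FIGNORE = """\
# Acronis dkms build directory (note: unescaped '.' matches any character,
# which is harmless here but is why the docs say to escape it)
/tmp/dkms.9npzAf/.*
/tmp/.*\\.wrk
/tmp/exact_file.sh
user:bob
"""

# Constructed (path, owner) records shaped like the alerts in the first post.
# uid 197619 from the real alert has no passwd entry, so it stays numeric.
ALERTS = [
    ("/tmp/dkms.9npzAf/dkms_main_tree/2.6.32-504.12.2.el6.i686/i686/module/snumbd26.ko", "197619"),
    ("/tmp/dkms.9npzAf/dkms_main_tree/2.6.32-504.12.2.el6.i686/i686/module/snapapi26.ko", "197619"),
    ("/tmp/job1.wrk", "nobody"),
    ("/tmp/exact_file.sh", "nobody"),
    ("/tmp/exact_file.sh.bak", "nobody"),   # full-path entry must not match this
    ("/tmp/anything", "bob"),
    ("/tmp/rootfile", "root"),
    ("/tmp/payload.pl", "nobody"),          # nothing ignores this one
]

def parse_fignore(text):
    """Return (exact_paths, compiled_patterns, ignored_users); skips comments."""
    exact, patterns, users = set(), [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("user:"):
            users.add(line[5:].strip())
        elif "*" in line:
            # Assumption: pattern entries are anchored against the full path.
            patterns.append(re.compile(line))
        else:
            exact.add(line)
    return exact, patterns, users

def is_ignored(path, owner, rules):
    """True when lfd would not alert on this file under the modelled rules."""
    exact, patterns, users = rules
    if owner == "root" or owner in users or path in exact:
        return True
    return any(p.fullmatch(path) for p in patterns)

def check_alerts(fignore_text, alerts):
    """Paths that would still raise a Suspicious File Alert."""
    rules = parse_fignore(fignore_text)
    return [path for path, owner in alerts if not is_ignored(path, owner, rules)]
```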

rs200 (Active Member, Italy; cPanel Access Level: Root Administrator)
quietFinn said:
I believe you could just delete that directory /tmp/dkms.9npzAf/
but if you think it might cause problems you can stop the alerts by adding this line to /etc/csf/csf.fignore (csf.fignore, not csf.pignore)
/tmp/dkms.9npzAf/.*
and then restart lfd.

Thanks, that solved the issue :)