Prevent scanning of Kali Docker container

I have both excluded /var/lib/docker and disabled LiveProtection (not its normal state), but when installing/running tools in a Kali container, SAV keeps detecting and preventing tools from running (e.g. Metasploit). I have restarted the SAV service and rebooted after the config changes.

$ sudo /opt/sophos-av/bin/savconfig query
ExcludeFilePaths: /var/lib/docker/
...
LiveProtection: disabled

When I start the container and do something like "apt install metasploit", I get the alerts below (only a couple pasted; there are dozens). I can see it is detecting inside the container because of "(container hostname=1bfaca073770)". So what am I doing wrong? I'd like SAV not to interfere with the Kali container in any way. Thank you.

********************** Sophos Anti-Virus Alert ***********************
Threat "Troj/ExpSWF-B" detected in file
"/usr/share/metasploit-framework/data/exploits/CVE-2008-5499.swf.dpkg-new (container hostname=1bfaca073770)".

The file is still infected

**********************************************************************

********************** Sophos Anti-Virus Alert ***********************
Multiple threats detected in file
"/usr/share/metasploit-framework/data/exploits/CVE-2010-0232/kitrap0d.x86.dll.dpkg-new (container hostname=1bfaca073770)".

The file is still infected

**********************************************************************

  • Hi

    Exclusion paths for any software can only be suggested by that application's vendor; in your case, that is Docker. Docker has said that excluding /var/lib/docker/ can reduce the detections. They haven't said that it will stop them completely.

    Even if you still want to be more precise, I'd request that you contact Docker support for the exact paths to put in the exclusions.

    Note: We never recommend putting in exclusions, because it reduces the functionality of the AV and it may fail to detect many virus files.

  • In reply to Jasmin:

    Got it. While Sophos recognizes that the detection happened in a container, it doesn't seem to distinguish between a host OS path and a Docker container path (for exclusions), i.e., I had to set an exclusion in the host OS Sophos for /usr/share/metasploit-framework/ even though Metasploit is not installed on the host OS, only in the Docker container. In my case it was easy enough to work around, but I could see this being potentially problematic for folks who have a host OS path and a container path that are the same (highly likely on a *nix-based host OS).

    Thanks for the help.
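A small triage helper, added here as an example and not part of the thread or of Sophos's own tooling: it parses alert text in the format quoted above and checks each reported path against a list of ExcludeFilePaths entries, using the simple prefix-match model the thread's outcome implies (an assumption, not documented SAV behaviour). Running it shows why the host-side /var/lib/docker/ exclusion leaves the container detections uncovered while the container-internal path, added as a host exclusion, does cover them.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Quoted file line of a SAV alert, with the optional container suffix seen in the thread.
ALERT_PATH_RE = re.compile(
    r'^"(?P<path>[^"]+?)(?: \(container hostname=(?P<container>[^)]+)\))?"\.$', re.MULTILINE)

@dataclass(frozen=True)
class Detection:
    path: str                 # path exactly as SAV reports it (container-internal for containers)
    container: Optional[str]  # container hostname, or None for a host-side detection

def parse_alerts(alert_text: str) -> list[Detection]:
    """Extract the reported path and container (if any) from each alert."""
    return [Detection(m["path"], m["container"]) for m in ALERT_PATH_RE.finditer(alert_text)]

def is_excluded(path: str, exclusions: list[str]) -> bool:
    """Assumed matching model: a trailing '/' excludes a directory tree, else exact file match."""
    return any(path.startswith(e) if e.endswith("/") else path == e for e in exclusions)

def uncovered(alert_text: str, exclusions: list[str]) -> list[Detection]:
    """Detections the configured ExcludeFilePaths would not suppress."""
    return [d for d in parse_alerts(alert_text) if not is_excluded(d.path, exclusions)]

# Constructed sample: the two container alerts quoted in the thread plus one host-side alert.
SAMPLE_ALERTS = '''\
********************** Sophos Anti-Virus Alert ***********************
Threat "Troj/ExpSWF-B" detected in file
"/usr/share/metasploit-framework/data/exploits/CVE-2008-5499.swf.dpkg-new (container hostname=1bfaca073770)".
********************** Sophos Anti-Virus Alert ***********************
Multiple threats detected in file
"/usr/share/metasploit-framework/data/exploits/CVE-2010-0232/kitrap0d.x86.dll.dpkg-new (container hostname=1bfaca073770)".
********************** Sophos Anti-Virus Alert ***********************
Threat "Test/Constructed" detected in file
"/home/analyst/samples/test.bin".
'''

if __name__ == "__main__":
    # The host-side Docker exclusion alone leaves every container detection uncovered ...
    for d in uncovered(SAMPLE_ALERTS, ["/var/lib/docker/"]):
        print("not covered:", d.path, "container:", d.container)
    # ... while the container-internal path added as a host exclusion covers them, as the thread found.
    for d in uncovered(SAMPLE_ALERTS, ["/var/lib/docker/", "/usr/share/metasploit-framework/"]):
        print("still not covered:", d.path, "container:", d.container)
```

Feed it the real alert text (e.g. from the SAV notification log) and the output of savconfig query to see which detections your current exclusions would actually suppress before adding broader ones.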