Is it possible to use neuvector to scan the memory ...
# neuvector-security
m
Is it possible to use neuvector to scan the memory or write-layer of a running pod which might contain malicious S/MIME attachments because it is processing certain messages downloaded from an e-health connector service?
q
I think perhaps a way to tackle this particular issue would be to use a WAF or DLP rule to inspect the payload in the network traffic.
m
The payload will be downloaded through a WireGuard VPN tunnel that is running as a sidecar container, so it will only touch the pod's TCP/IP stack and will not run through an ingress. Is that a problem?
q
Shouldn't be; NV can see traffic at the Linux bridge, and it'd be offloaded to the main container by then.
The challenge might be in knowing what you’re looking for. What makes something “malicious” 🤔
m
Well, the question was posed by our old-school admin department, which thinks in terms of endpoint protection and attachment scanners running in their Exchange servers etc. They heard the words "S/MIME type message like an email" and "attachment" and are now asking me to install McAfee inside my container, and I am looking for a sane way to make sure that no "malicious" attachments (according to some up-to-date lists of CVEs or virus signatures) will be distributed to other clients from this API that downloads the "emails" from the connector, and I am looking around for solutions. One solution mentioned by them was CrowdStrike, but looking at their docs reminded me that because of our large footprint with RancherLabs technology (Rancher, RKE2 guest cluster, Harvester etc.) maybe NeuVector is a similar solution, and that's why I am asking these funny questions here xD
q
My condolences. 😄
What are the odds of you succeeding in telling them that neither a single approach nor a single solution is going to be what comes of this?
m
I just need enough snake oil or handwaving to get them to back off... or maybe just copy that mcafee.exe into my pod and say "I installed it" xD
q
I’d still say use neuvector for all the zero-trust and other goodness you know you need. And, yeah, appease their threat-based dreams from 1997 to the extent it doesn’t break things. (that’s just me 😉 )
m
That's the plan anyway, but I thought I might as well ask if this thing that I haven't looked into thoroughly yet will also get this stupid request off my back... xD I just found that their endpoint protection solution has a file checker API. I will just tell the developer that he might as well check every body against that thing and be done with it.
Although I can already hear the complaints in my head: "Why is it so slow for messages to be received by our clients?" ¯\_(ツ)_/¯
q
Just blame DNS 🤣
i
@miniature-lock-53926 I think the correct implementation by your developer will include feedback to the end user, with a spinning ball saying "Checking for virus... please wait". Then a pause of 10 seconds, then a message saying "Check completed. Processing your message now", then after a nanosecond, another message saying "Processing completed in 0 seconds". So the users know what to complain about 🙈