McAfee and the module cache on WSL: rename <tmp> <trg>: permission denied

[Chris Burkert]

Dear all,

besides other environments I have a company laptop running Windows 10 Enterprise with WSL and Ubuntu. In Ubuntu I installed Go 1.14 and wanted to play around with Gio for fun. However it seems that McAfee doesn't want me to.

In short this is what I do and (mostly) get:

$ cd ~

$ mkdir test

$ cd test

$ go mod init test;

$ wget https://git.sr.ht/~eliasnaur/gio/blob/master/example/kitchen/kitchen.go

$ go run kitchen.go

go: finding module for package gioui.org/unit
go: finding module for package gioui.org/layout
go: finding module for package gioui.org/app/headless
go: finding module for package gioui.org/font/gofont
go: finding module for package golang.org/x/exp/shiny/materialdesign/icons
go: finding module for package gioui.org/app
go: finding module for package gioui.org/io/system
go: finding module for package gioui.org/text
go: finding module for package gioui.org/widget
go: finding module for package gioui.org/widget/material
go: downloading gioui.org v0.0.0-20200312174220-af68e17dd324
go: downloading golang.org/x/exp v0.0.0-20200228211341-fcea875c7e85
kitchen.go:20:2: rename /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324.tmp-663496537 /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324: permission denied
kitchen.go:21:2: rename /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324.tmp-663496537 /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324: permission denied
kitchen.go:31:2: rename /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324.tmp-663496537 /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324: permission denied
kitchen.go:22:2: rename /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324.tmp-663496537 /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324: permission denied
kitchen.go:23:2: rename /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324.tmp-663496537 /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324: permission denied
kitchen.go:24:2: rename /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324.tmp-663496537 /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324: permission denied
kitchen.go:25:2: rename /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324.tmp-663496537 /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324: permission denied
kitchen.go:26:2: rename /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324.tmp-663496537 /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324: permission denied
kitchen.go:27:2: rename /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324.tmp-663496537 /home/d055539/go/pkg/mod/giou...@v0.0.0-20200312174220-af68e17dd324: permission denied
kitchen.go:29:2: rename /home/d055539/go/pkg/mod/golang.org/x/e...@v0.0.0-20200228211341-fcea875c7e85.tmp-991628004 /home/d055539/go/pkg/mod/golang.org/x/e...@v0.0.0-20200228211341-fcea875c7e85: permission denied

I wrote that this is the output I mostly get because in some cases I get a slightly different error. For example after repeating the go run often enough the golang.org/x/exp was cached fine.

I was not able to reproduce this on any of the other environments (various pure Linux VMs).

During the go run McAfee is busy and I assume it causes the errors. Unfortunately I cannot switch off McAfee to prove that.

Do you see similar issues with this combination of WSL and the McAfee scanner? Or am I doing something stupid here and just don't see my fault?

thanks - Chris

[Jonathan Reiter]

I don't think McAfee ENS officially supports WSL. At least that was the case in 2018 when I last tried.

This would probably be evident in its labelling WSL /tmp writes as the beginnings of an attack - you could always check your scan logs (at %ProgramData%\McAfee\Endpoint Security\Logs) to see what is actually happening - if this is a blacklisted directory, a rule firing, or if EDR is picking up the sketchy behavior.

Feel free to raise a ticket to support on this topic - there's probably an active community internal to McAfee who would love to get more momentum for WSL support.

Some potentially dated sources on this topic:
1. ENS log manifest

2. ENS lack of support for WSL

3. A rather interesting article which spells out why WSL might not be well supported, i.e. it has the tendency to be used for fileless attack behaviors.

Hope this helps!

[brainman]

On Friday, 13 March 2020 08:58:24 UTC+11, Chris Burkert wrote:

Dear all,

besides other environments I have a company laptop running Windows 10 Enterprise with WSL and Ubuntu. In Ubuntu I installed Go 1.14 and wanted to play around with Gio for fun. However it seems that McAfee doesn't want me to.

https://github.com/golang/go/issues/36568

Alex 

[Chris Burkert]

Hello Alex,

this describes exactly my issue. I am going to test if the workarounds in tip solve my case and also ask my companies IT department to exclude %LOCALAPPDATA%\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc from the scanning.

Hello Jonathan,

thanks for the links. I learned something new.

many thanks to both of you

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/golang-nuts/c4b9fcfb-def6-491f-ac32-65eff12d172a%40googlegroups.com.