[REQUEST]: Add Linux Endpoint Malware Protection btrfs sub-volume documentation #913

Open
@nicholasberlin

Description

What: The underlying technology, fanotify, used by Elastic Endpoint (Defend) to provide Malware Protections is incapable of monitoring btrfs subvolumes. However, fanotify is capable of monitoring the root of the subvolumes. Some customer configurations only mount btrfs subvolumes, and we would like documentation instructing them to mount the root volume as well.

Here's an unrelated product, fatrace, experiencing the same issue and a discussion of what to do: martinpitt/fatrace#3 (comment).

Resources

Elastic Endpoint issue: https://github.com/elastic/endpoint-dev/issues/15949

Which documentation set does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

All Endpoint versions are affected by this.

What release is this request related to?

N/A

Collaboration model

Unknown

Point of contact

Main contact: @nicholasberlin

Stakeholders:
@nfritts
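A check an administrator could run to find btrfs filesystems that are mounted only through subvolumes, with no mount of the top-level volume (subvolid=5) alongside them. This is an added example, not part of the original issue or of Elastic's code; the mountinfo sample is constructed to mirror /proc/self/mountinfo.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mountinfo format (not captured from a real host).
# /dev/sda2: subvolumes mounted AND the top-level volume mounted at /mnt/btrfs-root.
# /dev/sdb1: only a subvolume mounted, no top-level mount.
SAMPLE_MOUNTINFO='24 1 0:22 /@ / rw,relatime shared:1 - btrfs /dev/sda2 rw,ssd,subvolid=256,subvol=/@
31 24 0:22 /@home /home rw,relatime shared:10 - btrfs /dev/sda2 rw,ssd,subvolid=257,subvol=/@home
40 24 0:22 / /mnt/btrfs-root rw,relatime shared:20 - btrfs /dev/sda2 rw,ssd,subvolid=5,subvol=/
45 24 0:30 /data /srv/data rw,relatime shared:30 - btrfs /dev/sdb1 rw,subvolid=258,subvol=/data
50 24 8:1 / /boot rw,relatime shared:40 - ext4 /dev/sda1 rw'

# Read mountinfo text on stdin and print every btrfs source device that has
# at least one mount but no mount whose super options carry subvolid=5.
btrfs_without_root_mount() {
    awk '
        {
            # Fields after the " - " separator are: fstype, source, super options.
            sep = index($0, " - ")
            if (sep == 0) next
            split(substr($0, sep + 3), post, " ")
            if (post[1] != "btrfs") next
            dev = post[2]
            seen[dev] = 1
            # Wrap in commas so subvolid=5 does not match subvolid=50, etc.
            if (("," post[3] ",") ~ /,subvolid=5,/) has_root[dev] = 1
        }
        END {
            for (d in seen) if (!(d in has_root)) print d
        }
    ' | sort
}

# Runs the check against the constructed sample; on a live host use:
#   btrfs_without_root_mount < /proc/self/mountinfo
check_sample() {
    printf '%s\n' "$SAMPLE_MOUNTINFO" | btrfs_without_root_mount
}

check_sample
```

Any device printed is one where fanotify mount marks on the subvolume mounts alone would not see the whole filesystem; mounting the top-level volume for that device (for example with the subvolid=5 mount option) addresses the gap the issue describes.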

Metadata

Labels

Team:Security (issues owned by the Security Docs Team)
