Symptoms
A non-installed ELF-binary cannot be executed and security warnings are caused, You may see similar entries on the ESXi host:
Scenario 1
/var/log/vmkernel.logWARNING: UserCartel: InitExecInfo:2870: Execution of non-installed file prevented: <nonInstalledBinary>UserCartel: InitExecInfo:2875: sh: exec denied: file <nonInstalledBinary> not installedWARNING: UserCartel: InitExecInfo:2881: Execution of non-installed file: <nonInstalledBinary>WARNING: User: ExecInstalledOnlyCallback:6942: ExecInstalledOnly has been disabled. This allows the execution of non-installed binaries on the host. Unknown content can cause malware attacks similar to Ra$
vSphere - Host Events
Execution of unknown (non VIB installed) binary <nonInstalledBinary> prevented. Unknown content can cause malware attacks similar to Ransomware.
Execution of unknown (non VIB installed) binary <nonInstalledBinary>. Unknown content can cause malware attacks similar to Ransomware.
Scenario 2
/var/log/vobd.log[vob.uw.exec.installonly.violation] Execution of non-installed file prevented: <nonInstalledBinary>[vob.uw.exec.installonly.warning] Execution of non-installed file: <nonInstalledBinary>[esx.audit.uw.security.User.ExecInstalledOnly.disabled] ExecInstalledOnly has been disabled. This allows the execution of non-installed binaries on the host. Unknown content can cause malware attacks similar to Ransomware
vSphere - Issues and Alerts
ExecInstalledOnly has been disabled. This allows the execution of non-installed binaries on the host. Unknown content can cause malware attacks similar to Ransomware.
Cause
Scenario 1
Files cannot be executed -> execInstalledOnly protection is enabled.
Scenario 2
Security warning about executed files and/or unsecure host configuration -> execInstalledOnly protection is disabled.
Resolution
Make sure execInstalledOnly is enabled and only executes binaries, which are installed on the host (VIB). Work with any 3rd party vendor to get tools installed as VIB packages, rather than zip files.
Workaround
As an intermediate fix, you can disable the protection.
Note: Please contact VMware support. This solution is not recommended and impacts the security of your system.
