Sophos Anti-virus for Linux: Start and stop commands

This article describes the commands to start and stop the Sophos Anti-Virus processes on Linux and UNIX installations. A running Sophos Anti-Virus installation has two key parts: savd, which drives all scanning, and sophosmgmtd, which handles messaging and management communication. The procedure for starting and stopping them depends on the type of server and is described below.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux 10

Sophos Anti-Virus for Linux 9

Most modern Linux platforms use systemd, which among other things starts, stops and supervises system services and applications after boot.

The key command is systemctl and it can be used in the following ways:

# systemctl start [name.service]

# systemctl stop [name.service]

# systemctl restart [name.service]

# systemctl status [name.service]

To check what Sophos anti-virus services are running, use the command:

# systemctl list-units | grep sav

sav-protect.service loaded active running "Sophos Anti-Virus daemon"

sav-rms.service loaded active running "Sophos Management Agent"

To start and stop the services, use the following commands:

# systemctl start sav-protect.service

# systemctl start sav-rms.service

# systemctl stop sav-protect.service

# systemctl stop sav-rms.service
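As an added example (not part of the Sophos article), the following POSIX shell script checks that both units the article names, sav-protect.service and sav-rms.service, are loaded, active and running, so that a monitoring job can alert when on-access scanning or the management agent has silently stopped. The unit names come from the article; the sample systemctl output embedded in the script is constructed for illustration.

```shell
#!/bin/sh
# Added example, not Sophos code: verify both Sophos Anti-Virus units are running.
# Unit names are from the article; SAMPLE_* output below is constructed.

SAV_UNITS="sav-protect.service sav-rms.service"

# sav_units_missing STATUS_TEXT
# STATUS_TEXT is the output of "systemctl list-units" (one unit per line:
# UNIT LOAD ACTIVE SUB DESCRIPTION). Prints every expected unit that is not
# "loaded active running"; returns 0 only when none is missing.
sav_units_missing() {
    _status=$1
    _rc=0
    for _unit in $SAV_UNITS; do
        if ! printf '%s\n' "$_status" | awk -v u="$_unit" '
                $1 == u && $2 == "loaded" && $3 == "active" && $4 == "running" { ok = 1 }
                END { exit ok ? 0 : 1 }'; then
            printf '%s\n' "$_unit"
            _rc=1
        fi
    done
    return $_rc
}

# check_sav_live: run the check against the live system. --all includes
# inactive units so a stopped unit is reported as missing rather than absent.
check_sav_live() {
    sav_units_missing "$(systemctl list-units --all --no-legend --plain 2>/dev/null)"
}

# Constructed sample output, in the layout the article shows.
SAMPLE_OK='sav-protect.service loaded active running Sophos Anti-Virus daemon
sav-rms.service loaded active running Sophos Management Agent'

SAMPLE_DEGRADED='sav-protect.service loaded active running Sophos Anti-Virus daemon
sav-rms.service loaded inactive dead Sophos Management Agent'

# Run as a script with --live: exit non-zero and name the missing units when
# the host is not fully protected.
if [ "${1:-}" = "--live" ]; then
    if missing=$(check_sav_live); then
        echo "sav: all units running"
    else
        echo "sav: NOT running: $missing" >&2
        exit 1
    fi
fi
```

Run it from cron or a monitoring agent with `--live`; a non-zero exit means at least one of the two daemons is not active, which is worth an alert because a stopped sav-protect leaves the host without on-access scanning while the management side may still look healthy.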

Older Linux platforms use the init structure for managing the start-up and stopping of system services and applications.

This normally takes the form of a single directory, /etc/init.d, containing the start-up and shutdown scripts for every service and application that must be initialised at boot. The scripts in this directory are called via symbolic links in the run-level directories, which determine which services are started for a given run level.

To start and stop the services, use the following commands:

# /etc/init.d/sav-protect start

# /etc/init.d/sav-rms start

# /etc/init.d/sav-protect stop

# /etc/init.d/sav-rms stop

To identify the current status of the running service, use the following commands:

# /etc/init.d/sav-protect status

# /etc/init.d/sav-rms status

AIX uses a variation of the init process.

To start and stop the services, use the following commands:

# /etc/rc.d/rc2.d/Ssav-protect start

# /etc/rc.d/rc2.d/Ssav-rms start

# /etc/rc.d/rc2.d/Ssav-protect stop

# /etc/rc.d/rc2.d/Ssav-rms stop

AIX is the only platform that also supports stopping and starting the services with savdctl:

# /opt/sophos-av/bin/savdctl start sav-rms

# /opt/sophos-av/bin/savdctl stop sav-rms

Solaris systems use the Service Management Facility (SMF), which splits Sophos Anti-Virus into three services: sav-protect, sav-rms and sav-update.

To check and list the running services, use the following commands:

# svcs | grep sav

online Nov_21 svc:/com/sophos/sav/sav-rms:default

online Nov_21 svc:/com/sophos/sav/sav-protect:default

online 15:18:50 svc:/com/sophos/sav/sav-update:default

To start and stop the Sophos anti-virus services, use the following commands:

# svcadm enable sav-protect

# svcadm enable sav-update

# svcadm enable sav-rms

# svcadm disable sav-protect

# svcadm disable sav-update

# svcadm disable sav-rms

If you’ve spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article.

This is invaluable for us to ensure that we continually strive to give our customers the best information possible.


Sophos Anti-Virus for Linux /UNIX: Running and Configuring on-demand scans

Overview

This article describes the steps to configure on-demand scans on Sophos anti-virus for UNIX. An on-demand scan is a scan that you initiate. You can scan anything from a single file to everything on your computer that you have permission to read. You can either manually run an on-demand scan or schedule it to run unattended.

The command that you type to run an on-demand scan is savscan.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Unix

Run an on-demand scan of the computer

  • To run an on-demand scan of the computer, type:

savscan /

Scan a particular directory or file

  • To scan a particular directory or file, specify the path of the item. For example, type:

savscan /usr/mydirectory/myfile

You can type more than one directory or file in the same command.

Scan a filesystem

  • To scan a filesystem, specify its name. For example, type:

savscan /home

You can type more than one filesystem in the same command.

In this section, where path appears in a command, it refers to the path to be scanned.

  • To see a full list of the options that you can use with an on-demand scan, type:

man savscan

Scan all file types

By default, Sophos Anti-Virus scans only the file types on its built-in list (mainly executables). To see the full list of file types that Sophos Anti-Virus scans by default, type savscan -vv.

  • To scan all file types, not just those that are scanned by default, use the option -all. Type:

savscan path -all

Note: This makes scanning take longer, can compromise performance on servers, and can cause false virus reports.


Scan inside all archive types

You can configure Sophos Anti-Virus to scan inside all archive types.

  • To see a list of these archive types, type:

savscan -vv

Note: The threat detection engine only scans archived files that are up to 8 GB (when decompressed). This is because it supports the POSIX ustar archive format, which does not accommodate larger files.

  • To scan inside all archive types, use the option -archive. Type:

savscan path -archive

Archives that are “nested” within other archives (for example, a TAR archive within a ZIP archive) are scanned recursively. If you have numerous complex archives, the scan may take longer to run. Bear this in mind when scheduling unattended scans.

Scan inside a particular archive type

  • To scan inside a particular archive type, use the option that is shown in the list. For example, to scan inside TAR and ZIP archives, type:

savscan path -tar -zip

Archives that are “nested” within other archives (for example, a TAR archive within a ZIP archive) are scanned recursively. If you have numerous complex archives, the scan may take longer to run. Bear this in mind when scheduling unattended scans.

Scan remote computers

By default, Sophos Anti-Virus does not scan items on remote computers (that is, does not traverse remote mount points).

  • To scan remote computers, use the option --no-stay-on-machine. Type:

savscan path --no-stay-on-machine

Turn off scanning of symbolically linked items

By default, Sophos Anti-Virus scans symbolically linked items.

  • To turn off scanning of symbolically linked items, use the option --no-follow-symlinks. Type:

savscan path --no-follow-symlinks

To avoid scanning items more than once, use the option --backtrack-protection.

Scan the starting filesystem only

Sophos Anti-Virus can be configured not to scan items that are beyond the starting filesystem (that is, not to traverse mount points).

  • To scan the starting filesystem only, use the option --stay-on-filesystem. Type:

savscan path --stay-on-filesystem

Excluding items from scanning

  • You can configure Sophos Anti-Virus to exclude particular items (files, directories, or filesystems) from scanning by using the option -exclude. Sophos Anti-Virus excludes any items that follow the option in the command string. For example, to scan items fred and harry, but not tom or peter, type:

savscan fred harry -exclude tom peter

  • You can exclude directories or files that are under a particular directory. For example, to scan all of Fred’s home directory, but exclude the directory games (and all directories and files under it), type:

savscan /home/fred -exclude /home/fred/games

  • You can also configure Sophos Anti-Virus to include particular items that follow the option -include. For example, to scan items fred, harry, and bill, but not tom or peter, type:

savscan fred harry -exclude tom peter -include bill

Scan file types that UNIX defines as executables

By default, Sophos Anti-Virus does not scan files simply because UNIX defines them as executable (that is, because the execute bit is set); it selects files by filename extension.

  • To scan file types that UNIX defines as executables, use the option --examine-x-bit. Type:

savscan path --examine-x-bit

Sophos Anti-Virus still scans files that have filename extensions that are in its own list as well. To see a list of these filename extensions, type savscan -vv.
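As an added example (not from the Sophos article), the shell functions below assemble a savscan command line for an unattended scan and run it with logging. They encode the ordering rule the article describes: scan paths come first, -exclude then applies to every item after it, and -include turns scanning back on for the items that follow. The option names are the ones listed in the article; the log path and the paths used in the sample invocation are assumptions.

```shell
#!/bin/sh
# Added example, not Sophos code: build and run an unattended savscan.
# Option names are from the article; SCAN_LOG and the sample paths are assumptions.

SCAN_LOG=${SCAN_LOG:-/var/log/savscan-nightly.log}

# build_savscan_args PATHS EXCLUDES INCLUDES
# Each parameter is a space-separated list (paths without embedded spaces).
# Output order matters to savscan: paths, then options, then "-exclude <list>",
# then "-include <list>", because -exclude applies to everything that follows
# it until an -include is seen.
build_savscan_args() {
    _paths=$1
    _excludes=$2
    _includes=$3
    # Stay on the starting filesystem, do not follow symlinks, never scan an item
    # twice, and look inside archives (slower, but acceptable for an unattended run).
    _args="$_paths --stay-on-filesystem --no-follow-symlinks --backtrack-protection -archive"
    if [ -n "$_excludes" ]; then
        _args="$_args -exclude $_excludes"
    fi
    if [ -n "$_includes" ]; then
        _args="$_args -include $_includes"
    fi
    printf '%s\n' "$_args"
}

# run_savscan PATHS EXCLUDES INCLUDES
# Runs savscan with the built arguments, appends its output and exit status to
# SCAN_LOG, and returns savscan's exit status so a scheduler can alert on it.
run_savscan() {
    _argline=$(build_savscan_args "$1" "$2" "$3")
    {
        echo "== $(date -u +%Y-%m-%dT%H:%M:%SZ) savscan $_argline"
        # Word-splitting of $_argline is intended: it is a list of arguments.
        # shellcheck disable=SC2086
        savscan $_argline
        _rc=$?
        echo "== exit status $_rc"
    } >>"$SCAN_LOG" 2>&1
    return $_rc
}

# Sample invocation for a nightly cron job (paths are illustrative): scan home
# directories and web content, but skip a games directory and a cache directory.
if [ "${1:-}" = "--run" ]; then
    run_savscan "/home /srv/www" "/home/fred/games /srv/www/cache" ""
fi
```

Because the exit status of savscan is passed through, a cron wrapper can alert on a non-zero result instead of relying on someone reading the log; keep the exclusion list short and specific, since every directory excluded here is a blind spot for the scheduled scan.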



Advisory – Sophos Web Appliance may hang during upgrade to v4.3.7

Some customers are reporting their Sophos Web Appliance hanging when upgrading to v4.3.7.

The last step of the upgrade performs a data update. In some cases this data update does not finish, and the upgrade stays paused until the unit is restarted.

Applies to the following Sophos product(s) and version(s)

Sophos Web Appliance

The Sophos Web Appliance will not pass traffic and will be in a hung state.

Development is planning to resolve this issue in future releases.

Restarting the Sophos Web Appliance and performing the upgrade again should return the device to normal operation.

This article will be updated when more information becomes available.


Phish Threat V2: Campaign domains were not resolvable

Users clicking on campaign links were presented with an unresolvable domain page. Campaigns are still being tracked if the link is clicked on by a user. This issue was resolved on January 16, 2019 at 16:00 UTC

Applies to the following Sophos product(s) and version(s)

Phish Threat V2

The “unresolved” Phish Threat domain pages were caused by the hosting provider automatically identifying the campaign domains as phishing and taking them offline. These have now been unblocked, and we are in discussions with the hosting provider to prevent this from happening again.

In many cases normal operation has now resumed. Please be aware that complete DNS propagation may take up to 48 hours.


Advisory – Phish Threat V2: Campaign domains are not resolvable

Users clicking on campaign links will be presented with an unresolvable domain page.

Applies to the following Sophos product(s) and version(s)

Phish Threat V2


Please note that campaigns are still being tracked if the link is clicked on by a user.

Our team is actively investigating.

Please contact Sophos Technical Support and mention this KBA.

This article will be updated when information becomes available.


Sophos XG Firewall: How to set the MSS value for remote network(s)

You have an IPsec site-to-site tunnel established and see periodic traffic drops, even though the tunnel stays up and ping and other small-packet services work normally.

This problem is caused by the remote network being unable to support a large MSS value.


Applies to the following Sophos products and versions

Sophos Firewall XG Software

The workaround, to be used until the problem on the remote side is addressed, can only be applied by Sophos Support. Support will first confirm that you have the problem described in this article and review the IPsec configuration.

Please log a support case and reference this article.


Sophos XG Firewall: Security Heartbeat registration problems

When registering for Security Heartbeat on the XG to Sophos Central, you may find that it does not appear to get configured and the page shows as it was before trying to register.

This is due to a timeout received when registering, either due to internet issues or high load on the XG at the time.

This article describes the steps to resolve the issue.


Applies to the following Sophos products and versions

Sophos Firewall XG Software

Check the status of the half-configured Security Heartbeat on the XG by running the following command from the Advanced Shell:

central-register --status

You should receive an output similar to below with a few extra lines but the top line is the important one we are after:

This SFOS instance is currently registered with Sophos Central

If you receive the above status message and the web UI does not show the firewall as registered, the Security Heartbeat module is half registered. To fix this, run the command below:

central-register --unregister

This will remove the registration in the configuration database of the XG.

You can now register Security Heartbeat again and it should be successful.


How to investigate C2/Generic-C Detection

This article describes the steps to quickly identify the source of a C2/Generic-C alert on an Endpoint by investigating on the Sophos XG Firewall.


Applies to the following Sophos products and versions

Central Mac Endpoint

Central Windows Endpoint

Sophos Central Managed Server 1.5.6

Sophos XG Firewall

The C2/Generic Detection Explained article explains the types of C2/Generic-* detection that Sophos products can generate.

If a machine goes into a Bad Health state on the Central Dashboard because of a C2/Generic-C detection, it shows up under Events:

Note that it was the XG Firewall, not the Sophos Endpoint agent on the machine, that detected a communication attempt from the endpoint towards a known malicious website. As soon as it detected this communication, the XG blocked the connection, flagged a C2/Generic-A on the firewall and passed this information to the endpoint via Security Heartbeat. The C2/Generic-C on the endpoint is the end result of this process.

The Events on the Central Dashboard or Sophos logs on the endpoint may not help you to find out what triggered this detection.

The clue lies on the XG Firewall. Open your XG Dashboard and navigate to Monitor and Analyze > Reports > Networks and Threats.

Filter by Advanced Threat Protection and the date of the detection events:

This area helps us understand more about the detection.

IP of the Machine which caused the detection: ***.***.12.134

DNS server configured on the machine: ***.***.11.10

If you look closely at the Event Last Seen column, the time difference between the alerts is minimal. This shows that the endpoint requested a DNS resolution of the malicious URL from its DNS server; the XG Firewall intercepted and blocked that resolution request, and its IPS module also intercepted a malicious connection attempt from the machine.
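To make the timing argument above mechanical, here is an added example (not part of the Sophos article) that pairs a DNS request with an IPS block from the same source IP when the two fall within a short window. The event lines are constructed for illustration in a simplified TIME SRC_IP EVENT TARGET layout; a real XG report export would need its own field mapping, and the script assumes all events fall on the same day.

```shell
#!/bin/sh
# Added example, not Sophos code: pair a DNS request with an IPS block from the
# same source IP within a few seconds, the pattern described in the article.
# ATP_SAMPLE is constructed; the field layout (TIME SRC_IP EVENT TARGET) is an
# assumption, and all times are assumed to fall on the same day.

ATP_SAMPLE='10:02:11 10.0.12.134 dns-request c2-domain.invalid
10:02:12 10.0.12.134 ips-block 198.51.100.23
10:40:00 10.0.12.77 dns-request cdn.example.net
11:15:30 10.0.12.77 ips-block 203.0.113.9'

# correlate_atp_events EVENTS WINDOW_SECONDS
# For every ips-block event, prints "SRC_IP QUERIED_NAME BLOCKED_TARGET SECONDS"
# when the same source made a DNS request at most WINDOW_SECONDS earlier.
# Hosts whose DNS and IPS events are far apart produce no line.
correlate_atp_events() {
    printf '%s\n' "$1" | awk -v win="$2" '
        function secs(t,  a) { split(t, a, ":"); return a[1] * 3600 + a[2] * 60 + a[3] }
        $3 == "dns-request" { dns_t[$2] = secs($1); dns_q[$2] = $4; next }
        $3 == "ips-block" && ($2 in dns_t) && secs($1) - dns_t[$2] <= win {
            printf "%s %s %s %d\n", $2, dns_q[$2], $4, secs($1) - dns_t[$2]
        }'
}

# Run as a script with --demo: show which hosts resolved a name and were then
# blocked within 5 seconds.
if [ "${1:-}" = "--demo" ]; then
    correlate_atp_events "$ATP_SAMPLE" 5
fi
```

With a 5-second window only the first host is reported, with the name it resolved and the address the IPS blocked one second later; the second host, whose events are over half an hour apart, is not. Tightening or widening the window is the knob that separates "this lookup led to that connection" from coincidence.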

On the Central Dashboard, if we check the Events for the machine further, we can see several URLs that the user bypassed:

Although the redacted URL above is not the same one we categorised as a malicious website, it shares the top-level domain in question, .cz.

So it is reasonable to assume that a user unknowingly landed on a web page that resulted in the DNS resolution of a known malicious website.

  • Sophos advises having a good web filtering solution in place at the perimeter, because Endpoint Web Control provides only basic protection, most of it based on categorisation. If you are actively using Endpoint Web Control, we advise changing its configuration to allow only productivity-related categories.
  • Run a full system scan on the endpoint to ensure that no malware remnants remain, followed by a reboot.
  • Go to Central Dashboard > Machine > Status, where the alert can be marked as resolved.

Note: This was a demonstration of quite a simple scenario. There could be potentially advanced attacks which the XG may be mitigating but this article serves as a base-line for IT administrators to kick-off their investigation. If the alerts persist on the XG or the Central Dashboard, please contact Sophos Support.


Sophos Anti-Virus for Linux: System requirements

This article lists the system requirements of the Sophos Anti-Virus for Linux for Sophos Central, Sophos Enterprise Console and the standalone versions.


Applies to the following Sophos products and versions

Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux 10

Sophos Anti-Virus for Linux 10 offers additional capabilities which include Malicious Traffic Detection and Sophos Security Heartbeat™ (applies to Central Server Protection Advanced licenses only).

Here is the list of its minimum system requirements:

Sophos Anti-Virus for Linux 9

Sophos Anti-Virus for Linux 9 is the only version available for the standalone and Enterprise Console-managed versions.

Here is the list of its minimum system requirements:

  • Supported Distributions (latest minor point or LTS version):
    • Amazon Linux, Amazon Linux 2
    • CentOS 6/7
    • Debian 8/9
    • Novell Open Enterprise Server 2015 SP1
    • Oracle Linux 6/7
    • Red Hat Enterprise Linux 6/7
      • Red Hat Enterprise Linux 6 32-bit version supported until Nov 30th 2020
    • SUSE 11/12/15
    • Ubuntu 14.04/16.04/18.04
  • System type: x86_64
  • Free disk space: 1 GB
  • Free Memory: 1 GB
  • Stack sizes: Non-default stack sizes are not supported.
  • Language version: English and Japanese (EUC and UTF-8). Shift JIS and JIS are not supported.
