As containers are becoming more widely deployed on Linux Servers, the need for security is paramount to ensure any running containers have not been injected with malware.
Sophos Anti-Virus for Linux has been enhanced to improve detection of malware in Docker containers using on-access scanning and to improve the way in which detections in Docker containers are presented within the Sophos management consoles. Now, when a threat is identified within a Docker container, the threat report will state the path and hostname of the container. This will be displayed as container hostname=<hostname>.
This article details the addition of support for Docker containers within Sophos Anti-Virus for Linux.
Applies to the following Sophos products and versions
Sophos Anti-Virus for Linux 10
Sophos Anti-Virus for Linux 9
Threat detection within Docker containers has been available since the following versions of Sophos Anti-Virus for Linux:
- Sophos Anti-Virus for Linux version 9.13.0 and later
- Central-managed Sophos Anti-Virus for Linux version 10.1.1 and later
For Sophos Anti-Virus for Linux to detect threats in Docker containers, the Talpa on-access driver must be used. The Fanotify kernel interface does not support scanning inside containers.
A recent, supported version of Docker will need to be installed and configured, preferably from the operating system vendor’s package repositories.
The Sophos Anti-Virus for Linux Docker scanning functionality is available on supported releases of the following platforms:
- Red Hat Enterprise Linux 7 – Server
- CentOS 7
- Oracle Linux 7
- Ubuntu 16.04 and 18.04
- SUSE Linux Enterprise Server 12 and 15
For more information on the platforms Sophos Anti-Virus for Linux supports, take a look at the knowledge base article Endpoint Security and Control: Retirement calendar for supported platforms and operating systems.
From the Docker website:
When antivirus software scans files used by Docker, these files may be locked in a way that causes Docker commands to hang. One way to reduce these problems is to add the Docker data directory (/var/lib/docker on Linux, %ProgramData%\docker on Windows Server, or $HOME/Library/Containers/com.docker.docker/ on Mac) to the antivirus’s exclusion list. However, this comes with the trade-off that viruses or malware in Docker images, writable layers of containers, or volumes are not detected. If you do choose to exclude Docker’s data directory from background virus scanning, you may want to schedule a recurring task that stops Docker, scans the data directory, and restarts Docker.
For more information on which operating systems Docker supports, take a look at its Compatibility Matrix.
Note: In Sophos Anti-Virus for Linux exclusions, a directory is identified by a trailing “/”, so in the above example the exclusion would be “/var/lib/docker/” (without the trailing slash the entry is not treated as a directory).
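The recurring task that the quoted Docker guidance suggests (stop Docker, scan the data directory, restart Docker) can be put in a small maintenance script. The script below is an added example, not code from the Sophos article or from Docker; it assumes Docker runs as the systemd unit "docker", that the Docker data directory is either given in DOCKER_DATA_DIR or reported by "docker info", and that the on-demand scanner is invoked as SCANNER_CMD (the default path is an assumption to adjust for your install). It also applies the trailing-slash convention from the note above when it builds the directory path.

```shell
#!/bin/sh
# Added example (not from the Sophos article or the Docker docs).
# Maintenance task: stop Docker, scan its data directory on demand, restart Docker.
# Intended to be run from cron or a systemd timer as: sh scan-docker-data.sh --run

# Assumption: path of the on-demand scanner binary; override via the environment.
SCANNER_CMD="${SCANNER_CMD:-/opt/sophos-av/bin/savscan}"

# Sophos exclusions identify a directory by a trailing "/"; normalise a path to that form.
as_dir_exclusion() {
    case "$1" in
        */) printf '%s\n' "$1" ;;
        *)  printf '%s/\n' "$1" ;;
    esac
}

# Docker data root: honour DOCKER_DATA_DIR, else ask the running daemon, else the default.
detect_docker_data_dir() {
    if [ -n "${DOCKER_DATA_DIR:-}" ]; then
        printf '%s\n' "$DOCKER_DATA_DIR"
    else
        docker info --format '{{.DockerRootDir}}' 2>/dev/null || echo /var/lib/docker
    fi
}

# Thin wrappers so the orchestration can be exercised without a real daemon or scanner.
stop_docker()  { systemctl stop docker; }
start_docker() { systemctl start docker; }
scan_dir()     { "$SCANNER_CMD" "$1"; }

# Runs the maintenance window. Docker is restarted whether or not the scan reports
# anything, and an EXIT trap restarts it if the script dies unexpectedly mid-scan.
# Returns the scanner's exit status (0 = nothing reported) so the scheduler can alert.
scan_docker_data_dir() {
    data_dir=$(as_dir_exclusion "$(detect_docker_data_dir)")   # must run before Docker stops
    stop_docker || { echo "scan-docker-data: could not stop docker" >&2; return 2; }
    trap start_docker EXIT
    if scan_dir "$data_dir"; then
        scan_rc=0
    else
        scan_rc=$?
    fi
    start_docker
    trap - EXIT
    echo "scan-docker-data: $(date '+%F %T') scanned $data_dir, scanner exit status $scan_rc" >&2
    return "$scan_rc"
}

if [ "${1:-}" = "--run" ]; then
    scan_docker_data_dir
    exit $?
fi
```

Keep the on-access exclusion and this task together in change control: the exclusion is what makes the scheduled scan necessary, and a non-zero exit status from the scan is the signal that something inside an image layer, writable layer or volume needs investigating.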