# Sophos Linux Anti-Virus Notes ## Introduction A variety of tools are available from Sophos, including [Linux AV](https://secure2.sophos.com/en-us/products/free-tools.aspx) Sophos Anti-Virus for Linux configuration guide with instructions: [Guide](https://docs.sophos.com/esg/SAV-Linux/help/en-us/PDF/sav_linux_cg.pdf) # Installation Prerequisites ``` yum install kernel-devel Wget file sav-linux-free-9.tgz Untar file tar -xvzf sav-linux-free-9.tgz #auto install no prompts target Sophos for updates. Installation takes quite a while. ./install.sh /opt/sophos-av --acceptlicence --autostart=False --enableOnBoot=False --automatic --update-source-type=s #Enable on-access scanning ./install.sh /opt/sophos-av --acceptlicence --autostart=True --enableOnBoot=True --automatic --update-type=s --enableOnAccess=True #enable auto updating with free version and with on-access scanning ./install.sh /opt/sophos-av --acceptlicense --autostart=True --enableOnBoot=True --sophos --automatic --update-type=s --update-free=True --enableOnAccess=True --live-protection=False #working free! ./install.sh /opt/sophos-av --acceptlicense --autostart=True --enableOnBoot=True --sophos --update-type=s --enableOnAccess=True --update-free=True #working, but can’t get automatic to work with free /root/sophos-av/install.sh /opt/sophos-av --acceptlicense --autostart=True --enableOnBoot=True --update-type=s --enableOnAccess=True --update-free=True --sophos #required post installation setup for updates /opt/sophos-av/bin/savsetup ``` Additional settings for [How to package with mkinstpkg under Linux](https://community.sophos.com/on-premise-endpoint/f/sophos-endpoint-software/73918/how-to-package-with-mkinstpkg-under-linux-because-i-find-hard) # Build Binary (deb/rpm) ``` yum install rpm-build rpm /opt/sophos-av/update/ ./mkinstpkg -r --sophos --rpm-version=0.1 --rpm-release=0.1 --update-type=s ``` Commandline: --enableSavProtectOnBoot=True --update-free=True --update-source-username=FAVLvRQL133F0 --update-source-password=k5va9rpkv5i --instdir=/opt/sophos-av --update-cache-path=/opt/sophos-av/update/cache/Primary --update-type=s --update-source-path=sophos: --acceptlicence=True --enableRMS=false --automatic=True --enableOnAccess=true --update-period-minutes=60 RPM package is `/opt/sophos-av/update/savinstpkg-0.1-0.1.x86_64.rpm` If you get this error: ``` ./install.sh: line 34: /tmp/sophos_distribution_N53lTic/exectest: Permission denied Cannot execute files within /tmp directory. ``` Please see [KBA 131783](https://support.sophos.com/support/s/article/KB-000037998?language=en_US) Option 1 Then run this command to temporarily adjust the `/tmp noexec` ``` mount -o remount,exec /tmp ``` Then run the above `install.sh` command again. Once finished, run this command to turn it back on. ``` mount -o remount,noexec /tmp ``` Option 2 ``` export TMPDIR=/var/tmp ``` Option 3 ``` mkdir /root/tmp export TMPDIR=/root/tmp #Uninstall /opt/sophos-av/uninstall.sh #Configuration #Edit or query configurations /opt/sophos-av/bin/savconfig /opt/sophos-av/bin/savconfig --all ``` View Update source information: `/opt/sophos-av/bin/savsetup` As for pulling updates, normally standalone machines will update directly from Sophos through an internet line, but they can be configured to pull updates from other locations such as an Update Manager if you were to have a SEC deployment. If you are looking to limit internet bandwidth or restrict internet access, a workaround that may work is to have one Linux and one UNIX machine with Sophos installed that can reach out to the internet to pull updates. Set up an SMB share for `/opt/sophos-av/update/cache/Primary/` and configure the other Linux/UNIX machines update from this SMB share. Logs are located at `/opt/sophos-av/log` # Manually Update This will update signatures and engine `/opt/sophos-av/bin/savupdate` # Scheduled Scan See the example at `/opt/sophos-av/doc/namedscan.example.en` See PDF for additional instructions: `/opt/sophos-av/bin/savconfig add NamedScans Daily /home/fred/DailyScan` ``` Exclude dirs ExcludePath ^/proc/ ExcludePath ^/sys/ ExcludePath ^/dev/ ExcludePath ^/etc/gshadow- ExcludePath ^/etc/shadow- ExcludePath ^/etc/shadow ExcludePath ^/etc/gshadow ExcludePath ^/etc/selinux/* ExcludePath ^/etc/audit/* ExcludePath ^/etc/security/* ExcludePath ^/var/log/audit/* ExcludePath ^/etc/krb5.keytab ``` User `clamscan` # Usage ``` #View logs /opt/sophos-av/bin/savlog /opt/sophos-av/bin/savlog --systemLog #Log file for Splunk cat /opt/sophos-av/log/savd.log #Logs are also pushed to internal syslog and `/opt/sophos-av/log/savd.log` tail -200 /var/log/messages | grep savd #View status /opt/sophos-av/bin/savdstatus #Manage the service /opt/sophos-av/bin/savdctl #Start on demand scan savscan /. savscan /home/brad ``` EICAR test file .com file can be used for on-access scan testing. And eicar.txt can be used for on-demand scan testing. eicar.com/eicar.txt X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* http://www.eicar.org/download/eicar.com