Sophos Anti-Virus for linux v6 User Manual [nl]

Sophos Anti-Virus for Linux, version 6
user manual
Document date: August 2008
User manual
About this manual
This manual covers:
- virus/spyware scanning
- virus/spyware alerts
- cleanup
- logging
- updating.
The manual also provides help in resolving common problems.
If you want to install, upgrade, or uninstall Sophos Anti-Virus on networked and single Linux computers, refer to the Sophos Anti-Virus for Linux, version 6 startup guide.
If you want to install Sophos Anti-Virus on a mixed Linux and Windows network, or you want to centrally manage Sophos Anti-Virus using Sophos Enterprise Console, refer to the Sophos Endpoint Security and Control network startup guide.
If you want to upgrade Sophos Anti-Virus version 5 and you are using EM Library, refer to the Sophos Endpoint Security and Control network upgrade guide.
Sophos documentation is published at www.sophos.com/support/docs/ and on the Sophos CDs.

Contents

Conventions used in this manual
Using Sophos Anti-Virus
1 About Sophos Anti-Virus for Linux
2 Running on-access scanning
3 Running on-demand scans
4 What happens if viruses/spyware are found?
5 Cleaning up viruses/spyware
6 Viewing the logs
Configuring Sophos Anti-Virus
7 Overview of configuration
8 Configuring on-access scanning
9 Configuring on-demand scanning
10 Configuring alerts
11 Configuring the Sophos Anti-Virus log
12 Configuring the Sophos Anti-Virus GUI
Updating Sophos Anti-Virus
13 Updating Sophos Anti-Virus immediately
14 Kernel support
15 Configuring updating
Troubleshooting
16 Troubleshooting
Glossary and index
Glossary
Index
Technical support
Copyright

Conventions used in this manual

Where command-line input continues over more than one line, subsequent lines are shown indented, for example
/opt/sophos-av/bin/savconfig remove ExcludeFilesLike
    /home/fred/Report.txt
You should type what is printed without inserting a line break.

Using Sophos Anti-Virus

About Sophos Anti-Virus for Linux
Running on-access scanning
Running on-demand scans
What happens if viruses/spyware are found?
Cleaning up viruses/spyware
Viewing the logs

1 About Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux enables you to protect your network from viruses/spyware.
1.1 User interfaces
Sophos Anti-Virus has
- a command line user interface
- a graphical user interface (GUI).
The command line enables you to access all the Sophos Anti-Virus functionality and to perform all configuration. The command line is the only way to use and configure on-demand scanning and updating.
You must have root privileges to use all Sophos Anti-Virus commands except savscan, which is used for on-demand scanning.
This manual assumes that you have installed Sophos Anti-Virus in the default location. Therefore, the paths of the commands described are based on this location.
The Sophos Anti-Virus GUI enables you to
- check the status of on-access scanning
- start and stop on-access scanning
- configure archive scanning
- configure what is excluded from scanning
- configure alerts
- view the Sophos Anti-Virus log
- configure cleanup.
Although the GUI can be run by the root user (as well as other users), it doesn’t run with root privileges. Therefore, it can’t access all files on the computer.
To use the GUI, open a browser. In the address text box, type
http://localhost:8081
If you want to use a different http port in the address, configure the GUI as explained in section 12.
The browser displays the home page of the GUI.
When you browse to another page, the browser asks you for credentials so that you can use the GUI to configure Sophos Anti-Virus.
To find out your username, either ask your system administrator or, at the command line, type
/opt/sophos-av/bin/savconfig query HttpUsername
To find out your password, ask your system administrator.
To change your credentials, refer to section 12.
1.2 Scanning modes
Sophos Anti-Virus has two modes of scanning:
- on-access
- on-demand.
On-access scanning intercepts files as they are accessed, and grants access to only those that do not pose a threat to your network.
An on-demand scan is a virus/spyware scan of the computer, or parts of the computer, that you can run immediately or schedule to run at another time.
1.3 Integration with management console
Sophos Anti-Virus is integrated with Sophos Enterprise Console, which runs on Windows and enables network administrators to centrally manage Sophos Anti-Virus on endpoints.

2 Running on-access scanning

On-access scanning intercepts files as they are accessed, and grants access to only those that do not pose a threat to your network.
This section tells you how to use on-access scanning. To configure it, refer to section 8.
2.1 Checking on-access scanning is active
Command line
Type
/opt/sophos-av/bin/savdstatus
Sophos Anti-Virus displays the status of on-access scanning.
GUI
On each page, in the Status panel, the status of on-access scanning is displayed.
2.2 Checking on-access scanning will be started automatically on system boot
Command line
Assuming that you have root privileges, type
chkconfig --list
This command might not work on TurboLinux.
If the list contains an entry for sav-protect with 2:on, 3:on, 4:on and 5:on, on-access scanning will be started automatically on system boot.
Otherwise, to start on-access scanning automatically on system boot, type
/opt/sophos-av/bin/savdctl enableOnBoot savd
GUI
On the Control page, in the Startup panel, see if the check box labeled Start on-access scanning on system boot is selected. If it is not, select it to start on-access scanning automatically on system boot. Click Set to apply the change.
2.3 Starting on-access scanning
Command line
Type
/opt/sophos-av/bin/savdctl enable
GUI
On the Control page, in the Control panel, click Enable On-access Scanning.
2.4 Stopping on-access scanning
Command line
Type
/opt/sophos-av/bin/savdctl disable
GUI
On the Control page, in the Control panel, click Disable On-access Scanning.

3 Running on-demand scans

An on-demand scan is a virus/spyware scan of the computer, or parts of the computer, that you can run immediately or schedule to run at another time.
By default, Sophos Anti-Virus scans
- Windows/DOS executables
- .sh and .pl files
- files of a type that can be infected by macro viruses
- HTML files
- files compressed with PKLite, LZEXE and Diet
- directories below the one specified
- items pointed to by symbolic links.
For a full list of the file types scanned, type
savscan -vv
For information on changing these settings, see section 9.
3.1 Scanning the computer
To scan the computer, type
savscan /
3.2 Scanning a particular directory or file
To scan a particular directory or file, use the path of the item to be scanned, for example
savscan /usr/mydirectory/myfile
3.3 Scanning a filesystem
To scan a filesystem, use the name of the filesystem, for example
savscan /home
More than one filesystem can be entered at the command line.
3.4 Scanning a boot sector
You can scan boot sectors of logical and physical drives.
To scan boot sectors, log in as superuser (to get sufficient permission to access the disk devices) and then use one of the commands shown below.
To scan the boot sectors of specified logical drives, type
savscan -bs=XXX, XXX, ...
where XXX is the name of a drive (for example /dev/fd0 or /dev/hda1).
To scan boot sectors for all logical drives that Sophos Anti-Virus recognises, type
savscan -bs
To scan the master boot records for all the fixed physical drives on the computer, type
savscan -mbr
3.5 Scheduling a scan
To scan the computer at set times automatically, use the crontab facility. For more information, refer to Sophos support knowledgebase article 12176 (www.sophos.com/support/knowledgebase/article/12176.html).
3.6 Error codes
savscan returns error codes if there is an error or if viruses or spyware are found.
0 If no errors are encountered and no viruses/spyware are found.
1 If the user interrupts the execution by pressing ‘Ctrl’+‘c’.
2 If some error preventing further execution of a scan is discovered.
3 If viruses/spyware or virus fragments are discovered.
3.6.1 Extended error codes
A different set of error codes are returned if the savscan command is run with the -eec option.
0 If no errors are encountered and no viruses/spyware are found.
8 If survivable errors have occurred.
16 If password-protected files have been found. (They are not scanned.)
20 If viruses/spyware have been found and disinfected.
24 If viruses/spyware have been found and not disinfected.
28 If viruses/spyware have been found in memory.
32 If there has been an integrity check failure.
36 If unsurvivable errors have occurred.
40 If execution has been interrupted.
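Sections 3.5 and 3.6 together describe a scheduled scan whose outcome is only visible through the exit code. The following wrapper is an added example, not part of the Sophos manual: it runs savscan with -eec from cron and turns the extended exit codes above into a one-line verdict. It assumes the default install path /opt/sophos-av/bin/savscan and takes the path to scan as its first argument (default /).

```shell
#!/bin/sh
# Added example, not part of the Sophos manual: a wrapper around savscan meant
# to be run from crontab (section 3.5). It runs savscan with -eec and turns the
# extended exit codes of section 3.6.1 into a one-line verdict that ends up in
# the cron mail, so a nightly scan that finds something is not silently lost.
# Assumptions: savscan is installed in the default location /opt/sophos-av/bin;
# the path to scan is given as the first argument and defaults to /.

SAVSCAN=${SAVSCAN:-/opt/sophos-av/bin/savscan}
SCAN_PATH=${1:-/}

# Map an ordinary savscan exit code (no -eec, section 3.6) to a verdict word.
savscan_verdict() {
    case $1 in
        0) echo clean ;;
        1) echo interrupted ;;
        2) echo error ;;
        3) echo infected ;;
        *) echo unknown ;;
    esac
}

# Map an extended exit code (savscan -eec, section 3.6.1) to a verdict word.
# Every code other than 0 deserves a look, but they are not equally urgent.
savscan_eec_verdict() {
    case $1 in
        0)  echo clean ;;
        8)  echo warning ;;              # survivable errors occurred
        16) echo skipped ;;              # password-protected files not scanned
        20) echo disinfected ;;          # viruses/spyware found and disinfected
        24) echo infected ;;             # viruses/spyware found, not disinfected
        28) echo infected-in-memory ;;   # viruses/spyware found in memory
        32) echo integrity-failure ;;    # integrity check failure
        36) echo error ;;                # unsurvivable errors
        40) echo interrupted ;;
        *)  echo unknown ;;
    esac
}

# Verdicts that mean something was actually found on the system.
is_detection() {
    case $1 in
        infected|infected-in-memory|disinfected) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the scan and report. The exit status of this function is the verdict
# class (0 clean, 1 detection, 2 anything else), so a cron job can chain on it.
run_scheduled_scan() {
    # Capture the exit code without tripping "set -e" in callers.
    if "$SAVSCAN" -eec "$SCAN_PATH"; then code=0; else code=$?; fi
    verdict=$(savscan_eec_verdict "$code")
    echo "savscan of $SCAN_PATH finished: $verdict (exit code $code)"
    if [ "$verdict" = clean ]; then
        return 0
    elif is_detection "$verdict"; then
        return 1
    else
        return 2
    fi
}

# Only run when the Sophos scanner is actually installed on this machine.
if [ -x "$SAVSCAN" ]; then
    run_scheduled_scan
fi
```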

4 What happens if viruses/spyware are found?

4.1 If viruses/spyware are found during on-access scanning
If Sophos Anti-Virus finds a virus or item of spyware during an on-access scan, it denies access to the file and displays a message box like the one shown below.
If the message box cannot be displayed, the alert is shown at the command line.
Sophos Anti-Virus also logs the event in the Sophos Anti-Virus log, and sends an alert to Enterprise Console if this is managing the computer.
Refer to section 5 for information on cleaning up viruses/spyware.
4.2 If viruses/spyware are found when you run an on-demand scan
If Sophos Anti-Virus finds a virus or item of spyware, it reports it on the line which starts with >>> followed by either “Virus” or “Virus Fragment”:
SAVScan virus detection utility
Version X.XX.XX [Linux/Intel]
Virus data version X.XX, February 2007
Includes detection for 201433 viruses, trojans and worms
Copyright (c) 1989-2007 Sophos Plc, www.sophos.com

System time 10:23:49, System date 11 February 2007

Quick Scanning

>>> Virus 'EICAR-AV-Test' found in file /usr/mydirectory/eicar.src

33 files scanned in 2 seconds.
1 virus was discovered.
1 file out of 33 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com or telephone +44 1235 559933
End of Scan.
Sophos Anti-Virus also logs the event in the Sophos Anti-Virus log.
Refer to section 5 for information on cleaning up viruses/spyware.

5 Cleaning up viruses/spyware

5.1 Getting cleanup information
If viruses/spyware are reported, you can get information and cleanup advice from the Sophos website. Go to the threat analyses page (www.sophos.com/security/analyses). Search for the analysis of the virus or item of spyware, by using the name that was reported by Sophos Anti-Virus.
5.2 Quarantining infected files
You can configure Sophos Anti-Virus to put infected files into quarantine (i.e. to prevent them from being accessed). It does this by changing the ownership and permissions for the file.
To specify quarantining, type
savscan PATH --quarantine
where PATH is the path to be scanned.
By default, Sophos Anti-Virus changes
- the user ownership of an infected file to the user running Sophos Anti-Virus
- the group ownership of the file to the group to which that user belongs
- the file permissions to -r-------- (0400).
If you prefer, you can change the user or group ownership and file permissions that Sophos Anti-Virus applies to infected files. You do so by using these parameters:
- uid=NNN
- user=USERNAME
- gid=NNN
- group=GROUP-NAME
- mode=PPP
You cannot specify more than one parameter of each type, e.g. you cannot enter the same username twice, or enter a uid and a username.
For each parameter you do not specify, the default setting (as given above) is used.
For example:
savscan fred --quarantine:user=virus,group=virus,mode=0400
will change an infected file’s user ownership to virus, the group ownership to virus, and the file permissions to -r--------. This means the file is owned by the user virus and group virus, but only the user virus can access the file (and only for reading). No one else can do anything to the file (apart from root).
If you specify disinfection (refer to section 5.3) as well as quarantining, Sophos Anti-Virus attempts to disinfect infected items and quarantines them only if disinfection fails.
5.3 Setting up automatic cleanup for on-demand scanning
Sophos Anti-Virus can disinfect or delete infected items automatically, when you run an on-demand scan. Any actions that Sophos Anti-Virus takes against infected items are listed in the scan summary and logged in the Sophos Anti-Virus log. By default, automatic cleanup is disabled.
The method you use depends on whether you want to clean up a file or a boot sector.
5.3.1 Cleaning up files
To disinfect a specific file, type
savscan FILE-PATH -di
Alternatively, to disinfect all files on the computer, type
savscan / -di
In either case, Sophos Anti-Virus asks for confirmation before it disinfects.
Disinfection of documents does not repair any changes the virus has made in the document. (Refer to section 5.1 to find out how to view details on the Sophos website of the virus’s side-effects.)
To delete a specific infected file, type
savscan FILE-PATH -remove
Alternatively, to delete all infected files on the computer, type
savscan / -remove
In either case, Sophos Anti-Virus asks for confirmation before it deletes.
5.3.2 Disinfecting a boot sector
To disinfect a boot sector, type
savscan -bs=XXX -di
where XXX is the name of a drive.
For example, to eliminate a virus in the floppy drive, type
savscan -bs=/dev/fd0 -di
5.4 Recovering from virus side-effects
Recovery from virus infection depends on how the virus infected the computer. Some viruses leave you with no side-effects to deal with, others may have such extreme side-effects that you have to restore a hard disk in order to recover.
Some viruses gradually make minor changes to data. This type of corruption can be hard to detect. It is therefore very important that you read the virus analysis on the Sophos website, and check documents carefully after disinfection.
Sound backups are crucial. If you did not have them before you were infected, start keeping them in case of future infections.
Sometimes you can recover data from disks damaged by a virus. Sophos can supply utilities for repairing the damage caused by some viruses. Contact Sophos technical support for advice.

6 Viewing the logs

Sophos Anti-Virus logs details of scanning activity in the Sophos Anti-Virus log and syslog. In addition, virus/spyware and error events are logged in the Sophos Anti-Virus log. Messages in the Sophos Anti-Virus log are translated into the languages that the product supports.
Command line
Use the command savlog. This can be used with various command-line options to restrict the output to certain messages and control the display. For example, to display all messages logged to the Sophos Anti-Virus log in the last 24 hours, and to display the date and time in UTC/ISO 8601 format, type
/opt/sophos-av/bin/savlog --today --utc
To see a complete list of the options that can be used with savlog, type
man savlog
GUI
Go to the Log Viewer page.
Using the text boxes and radio buttons in the Log Selection panel, specify the messages that you want to display. Then click View Log to display the messages in the Log Contents panel.

Configuring Sophos Anti-Virus

Overview of configuration
Configuring on-access scanning
Configuring on-demand scanning
Configuring alerts
Configuring the Sophos Anti-Virus log
Configuring the Sophos Anti-Virus GUI

7 Overview of configuration

This section applies to all configuration except that for on-demand scanning, which is explained in section 9. Use of Sophos Enterprise Console or the commands savconfig or savsetup has no effect on on-demand scanning.
7.1 Console-based configuration of Sophos Anti-Virus across a network
You can manage version 6 of Sophos Anti-Virus on endpoints using Enterprise Console, which runs on Windows. It enables you to perform most configuration using a user-friendly GUI. Installation of the console is described in the Sophos Endpoint Security and Control network startup guide, published at www.sophos.com/support/docs/ and on the Sophos CDs.
For more information on using the console to configure Sophos Anti-Virus, refer to the console help. Also, if you use the console, the following apply concerning configuration:
- Parameters that cannot be set using the console can be set on each endpoint locally, using savconfig (section 7.4). These parameters are ignored by the console.
- Auto-updating is configured using only the console: it can’t be configured on the endpoint.
Sophos does not support the use of console-based and CID-based configuration, formerly known as corporate configuration, together. If you used CID-based configuration with version 5 of Sophos Anti-Virus, you must choose whether to continue using this or to start using Enterprise Console instead. If you choose to start using Enterprise Console, refer to Sophos support knowledgebase article 22297 (www.sophos.com/support/knowledgebase/article/22297.html).
7.2 CID-based configuration of Sophos Anti-Virus across a network
Central installation directory (CID)-based configuration, formerly known as corporate configuration, doesn’t require a Windows computer. It involves making changes to a configuration file that is stored in the CID, by setting the values of parameters using the command savconfig (section 7.4). Then, when endpoints update from the CID, they use this configuration. You can also lock any parameters so that they can’t be modified on endpoints. In this way, you can determine the configuration of Sophos Anti-Virus on each endpoint, without fear that the settings will be changed by an endpoint user.
There are two configuration files: the live configuration file in the CID and the offline configuration file stored elsewhere. When you want to change the live file, you change the offline file, and use a program to replace the live file with the offline file.
7.2.1 Creating the live configuration file in the CID
1. Create the offline configuration file in a directory of your choice other than the CID. You must use the command savconfig, and specify
   - the name of the offline file, including the filename extension cfg
   - that you are accessing the Corporate layer of the file (for more information on layers, refer to section 7.2.3)
   - the setting of a parameter.
   Use the following syntax:
   /opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set PARAMETER VALUE
   where CONFIG-FILE is the path of the offline file, -c indicates that you want to access the Corporate layer, “set” indicates that you want to set the value of a parameter, PARAMETER is the parameter that you want to set and VALUE is the value to which you want to set the parameter. For example, to create a file called CIDconfig.cfg and to start on-access scanning when the Sophos Anti-Virus daemon is started, type
   /opt/sophos-av/bin/savconfig -f CIDconfig.cfg -c set EnableOnStart
       Enabled
   For information on using savconfig, refer to section 7.4.
2. Set other parameters, as necessary, using the command savconfig. You must specify the name of the offline file and that you are accessing the Corporate layer, as above.
3. To view the settings of parameters, use the query operation. You can view the setting of an individual parameter or all parameters. For example, to view the settings of all the parameters that you have set, type
   /opt/sophos-av/bin/savconfig -f CIDconfig.cfg -c query
4. When you have finished setting parameters, run the addcfg utility to copy the configuration to the CID, ready for endpoints to download when they next update. The utility is in the CID. Depending on where the CID is, type
   /opt/sophos-av/update/cache/Primary/addcfg.sh -f CONFIG-FILE
   where CONFIG-FILE is the path of the offline file.
7.2.2 Updating the live configuration file in the CID
1. Update the offline configuration file. You must use the command savconfig, and specify
   - the name of the offline file
   - that you are accessing the Corporate layer of the file (for more information on layers, refer to section 7.2.3)
   - the setting of a parameter.
   Use the following syntax:
   /opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set PARAMETER VALUE
   where CONFIG-FILE is the path of the offline file, -c indicates that you want to access the Corporate layer, “set” indicates that you want to set the value of a parameter, PARAMETER is the parameter that you want to set and VALUE is the value to which you want to set the parameter. For example, to update a file called CIDconfig.cfg and to start on-access scanning when the Sophos Anti-Virus daemon is started, type
   /opt/sophos-av/bin/savconfig -f CIDconfig.cfg -c set EnableOnStart
       Enabled
   For information on using savconfig, refer to section 7.4.
2. Set other parameters, as necessary, using the command savconfig. You must specify the name of the offline file and that you are accessing the Corporate layer, as above.
3. To view the settings of parameters, use the query operation. You can view the setting of an individual parameter or all parameters. For example, to view the settings of all the parameters that you have set, type
   /opt/sophos-av/bin/savconfig -f CIDconfig.cfg -c query
4. When you have finished setting parameters, run the addcfg utility to copy the configuration to the CID, ready for endpoints to download when they next update. The utility is in the CID. Depending on where the CID is, type
   /opt/sophos-av/update/cache/Primary/addcfg.sh -f CONFIG-FILE
   where CONFIG-FILE is the path of the offline file.
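The four steps of sections 7.2.1 and 7.2.2 are the same every time the live file is changed, so they are worth scripting. The script below is an added example, not part of the Sophos manual: it builds the Corporate layer of the offline file from a reviewable policy list, marks selected parameters with --nolock (section 7.4.1) so endpoint users may override them, and publishes the result with addcfg.sh. It assumes the default paths given on this page; the policy list is constructed and uses only parameters the manual mentions.

```shell
#!/bin/sh
# Added example, not part of the Sophos manual: scripts the CID procedure of
# sections 7.2.1/7.2.2 so the Corporate layer is built from a reviewable policy
# list instead of being typed one savconfig call at a time, then published to
# the CID with addcfg.sh. Lines prefixed "unlocked" are set with --nolock
# (section 7.4.1) so that endpoint users may override them.
# Assumptions: the default paths from the manual (/opt/sophos-av/bin/savconfig
# and the Primary CID under /opt/sophos-av/update/cache/Primary); SAMPLE_POLICY
# is a constructed list using only parameters the manual itself mentions.

SAVCONFIG=${SAVCONFIG:-/opt/sophos-av/bin/savconfig}
ADDCFG=${ADDCFG:-/opt/sophos-av/update/cache/Primary/addcfg.sh}
OFFLINE_CFG=${OFFLINE_CFG:-$HOME/cid-offline/CIDconfig.cfg}

# Constructed sample policy: "PARAMETER VALUE" or "unlocked PARAMETER VALUE".
SAMPLE_POLICY='
EnableOnStart Enabled
unlocked LogMaxSizeMB 50
'

# Set one parameter in the Corporate layer (-c) of the offline file FILE.
# Usage: cid_set FILE PARAMETER VALUE [locked|unlocked]
cid_set() {
    file=$1; param=$2; value=$3; lock=${4:-locked}
    if [ "$lock" = unlocked ]; then
        "$SAVCONFIG" --nolock -f "$file" -c set "$param" "$value"
    else
        "$SAVCONFIG" -f "$file" -c set "$param" "$value"
    fi
}

# Apply every non-empty line of POLICY to FILE (steps 1 and 2). Values may
# contain spaces: everything after the parameter name is passed to savconfig
# as one argument. Prints the number of parameters set; savconfig's own
# output, if any, is sent to stderr so the count stays clean.
apply_policy() {
    file=$1; policy=$2; n=0
    while read -r first rest; do
        if [ -n "$first" ]; then
            if [ "$first" = unlocked ]; then
                cid_set "$file" "${rest%% *}" "${rest#* }" unlocked >&2
            else
                cid_set "$file" "$first" "$rest" locked >&2
            fi
            n=$((n + 1))
        fi
    done <<EOF
$policy
EOF
    echo "$n"
}

# Step 3: show the Corporate layer for review; step 4: copy it into the CID.
publish_to_cid() {
    "$SAVCONFIG" -f "$1" -c query
    "$ADDCFG" -f "$1"
}

main() {
    mkdir -p "$(dirname "$OFFLINE_CFG")"
    count=$(apply_policy "$OFFLINE_CFG" "$SAMPLE_POLICY")
    echo "set $count parameter(s) in $OFFLINE_CFG"
    publish_to_cid "$OFFLINE_CFG"
}

# Only run when the Sophos tools are installed; otherwise the functions above
# can still be sourced and reused from another script.
if [ -x "$SAVCONFIG" ] && [ -x "$ADDCFG" ]; then
    main
fi
```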
7.2.3 Configuration layers
Each installation of Sophos Anti-Virus includes a local configuration file, which includes settings for all parts of Sophos Anti-Virus.
Each local configuration file contains a number of layers:
- Sophos: This is always present in the file. It includes the factory settings, which are changed only by Sophos.
- Corporate: This is present if the installation is configured from the central installation directory (CID), as described in sections 7.2.1 and 7.2.2.
- User: This is present if any local configuration is performed. It includes settings that apply only to the installation on this computer.
Each layer uses the same parameters, so that the same parameter can be set in more than one layer. However, when Sophos Anti-Virus checks the value of a parameter, it does so according to the layer hierarchy:
- By default, the Corporate layer overrides the User layer.
- The Corporate and User layers override the Sophos layer.
For example, if a parameter is set in the User layer and the Corporate layer, the value in the Corporate layer is used. Nevertheless, you can unlock the values of individual parameters in the Corporate layer, so that they can be overridden.
When the local configuration file is updated from the configuration file in the CID, the Corporate layer in the local file is replaced by that of the file in the CID.
7.3 Configuration of Sophos Anti-Virus on a single computer
Use the command savconfig to perform configuration on a single computer. For information on using savconfig, refer to section 7.4. By default, savconfig applies configuration to the User layer of the local configuration file.
7.4 savconfig configuration command
savconfig is the command that you use to set or query configuration of Sophos Anti-Virus. The path of the command is /opt/sophos-av/bin. Using the command to configure specific functions of Sophos Anti-Virus is explained in the remainder of this manual. The rest of this subsection explains the syntax.
The syntax of savconfig is
savconfig [OPTION] ... [OPERATION] [PARAMETER] [VALUE] ...
7.4.1 OPTION
To view a complete list of the options, operations and parameters, type
man savconfig
However, the following is an overview.
You can specify one or more options. The options are mainly associated with the layers in the local configuration files in each installation. For information on layers, refer to section 7.2.3. By default, the command accesses the User layer. Therefore, if you want to access the Corporate layer for example, use the option -c or --corporate.
By default, the values of parameters in the Corporate layer are locked, so that they override values in the User layer. However, if you want to allow a corporate setting to be overridden by users, use the option --nolock. For example, to set the value of LogMaxSizeMB and allow it to be overridden, type
/opt/sophos-av/bin/savconfig --nolock -f corpconfig.cfg -c set
    LogMaxSizeMB 50
If you are using Enterprise Console, you can display just the values of the anti-virus policy parameters, by using the option --consoleav. For example, type
/opt/sophos-av/bin/savconfig --consoleav query
Also, you can display just the values of the console update policy, by using the option --consoleupdate. For example, type
/opt/sophos-av/bin/savconfig --consoleupdate query
7.4.2 OPERATION
You can specify one operation. The operations are mainly associated with how you want to access a parameter. Some parameters can have only one value but others can have a list of values. Therefore, the operations enable you to add values to a list or remove values from a list. For example, the CacheFilesystems parameter is a list of filesystem types.
To display the values of parameters, use the operation query. For example, to display the value of the ExcludeFileOnGlob parameter, type
/opt/sophos-av/bin/savconfig query ExcludeFileOnGlob
If you are using Enterprise Console, when savconfig returns values of parameters, those that conflict with the relevant console policy are clearly marked with the word “Conflict”.
7.4.3 PARAMETER
You can specify one parameter. To list all the basic parameters that can be set, type
/opt/sophos-av/bin/savconfig -v
Some parameters require secondary parameters to be specified as well.
7.4.4 VALUE
You can specify one or more values that will be assigned to a parameter. If a value contains spaces, you must enclose it in single quotes.
7.5 savsetup configuration command
savsetup is the utility that you use to set or query configuration of updating and the Sophos Anti-Virus GUI. Although it enables you to access only some of the parameters that you can access with savconfig, it is easier to use. It prompts you for values of parameters, and you simply respond by selecting or typing the values. To run savsetup, type
/opt/sophos-av/bin/savsetup
When you run savsetup, it gives you a choice of configuration: updating or the Sophos Anti-Virus GUI. Enter the appropriate number to make your choice. Continue by responding to the questions that are displayed.

8 Configuring on-access scanning

If you are configuring a single computer that is on a network, such configuration might be discarded if the computer downloads a new console-based or CID-based configuration.
8.1 Excluding files and directories from scanning
You can exclude files and directories from scanning in several ways:
- using file or directory name (section 8.1.1)
- using file type (section 8.1.2)
- using wildcards (section 8.1.3).
If you want to exclude files and directories whose names are encoded using non-UTF-8, refer to section 8.1.4.
8.1.1 Using file or directory name
If you are using Enterprise Console, and you have an anti-virus policy that specifies exclusions using file or directory name, any such exclusions that you set on an endpoint locally cause the console to show the endpoint as not complying with policy. The console user can then force the endpoint to comply with policy, thus discarding the locally set exclusion.
Command line
To exclude a particular file or directory, use the ExcludeFilePaths parameter. For example, to add the file /tmp/report to the list of files and directories to exclude, type
/opt/sophos-av/bin/savconfig add ExcludeFilePaths /tmp/report
To remove an exclusion from the list, use the remove operation. For example, type
/opt/sophos-av/bin/savconfig remove ExcludeFilePaths /tmp/report
GUI
To exclude a particular file or directory, on the Exclusion Configuration page, in the File Scanning Exclusions panel, type the path in the text box labeled Files or directories (with or without wildcards). Click Add New Entry to add the path to the list.
To remove an exclusion from the list, select the exclusion and click Remove Selected Entry.
8.1.2 Using file type
Specifying exclusions in this way means that scanning is less efficient than if you specify exclusions using file or directory name, wildcards or regular expressions.
Command line
To exclude files that are the same type as a specific file, use the ExcludeFilesLike parameter. For example, to add the type of the file Report.txt to the list of file types to exclude, type
/opt/sophos-av/bin/savconfig add ExcludeFilesLike
    /home/fred/Report.txt
To remove an exclusion from the list, use the remove operation. For example, type
/opt/sophos-av/bin/savconfig remove ExcludeFilesLike
    /home/fred/Report.txt
To exclude files that are of a specific type, use the ExcludeFileOnType parameter. The file type must be a value that is returned by the file command. (For more information on the file command, type man file.) For example, to add files of type ASCII text to the list of file types to exclude, type
/opt/sophos-av/bin/savconfig add ExcludeFileOnType 'ASCII text'
To remove an exclusion from the list, use the remove operation. For example, type
/opt/sophos-av/bin/savconfig remove ExcludeFileOnType 'ASCII text'
Sophos Anti-Virus performs partial matching of file types. Thus, it excludes all file types that match the specified file type up to the number of characters in the specified file type, starting from the left. For example, 'TIFF' excludes all types of TIFF file, but 'TIFF image data, little-endian' excludes only certain types of TIFF file.
GUI
To exclude files that are the same type as a specific file, on the Exclusion Configuration page, in the File Scanning Exclusions panel, type the path of the file in the text box labeled File type of this file. Click Add New Entry to add the file type to the list of file types to exclude.
To exclude files that are of a specific type, on the Exclusion Configuration page, in the File Scanning Exclusions panel, type the file type in the text box labeled File type as returned by the ‘file’ command. (For more information on the file command, type man file.) Click Add New Entry to add the file type to the list.
To remove an exclusion from the list, select the exclusion and click Remove Selected Entry.
Sophos Anti-Virus performs partial matching of file types. Thus, it excludes all file types that match the specified file type up to the number of characters in the specified file type, starting from the left. For example, 'TIFF' excludes all types of TIFF file, but 'TIFF image data, little-endian' excludes only certain types of TIFF file.
8.1.3 Using wildcards
If you are using Enterprise Console, and you have an anti-virus policy that specifies exclusions using wildcards, any such exclusions that you set on an endpoint locally cause the console to show the endpoint as not complying with policy. The console user can then force the endpoint to comply with policy, thus discarding the locally set exclusion.
Command line
To exclude files and directories by using wildcards, use the ExcludeFileOnGlob parameter. Valid wildcards are * which matches any number of any characters, and ? which matches any one character. For example, to add all text files in the /tmp directory to the list of files and directories to exclude, type
/opt/sophos-av/bin/savconfig add ExcludeFileOnGlob '/tmp/*.txt'
If you don’t enclose the expression in quotes, the shell expands the wildcard before savconfig runs, and Sophos Anti-Virus receives the list of files that exist at that moment rather than the pattern itself. This is useful for excluding only files that already exist while leaving files created later to be scanned. Conversely, a quoted pattern is stored verbatim and also excludes any matching file created in the future, so keep quoted wildcard exclusions as narrow as possible. For example, to add just the text files that already exist in the /tmp directory to the list, type
/opt/sophos-av/bin/savconfig add ExcludeFileOnGlob /tmp/*.txt
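The following shell script is an added example and is not part of the Sophos product or of this manual. It simulates the two matching rules described above (left-anchored partial matching on the output of the file command, and * / ? wildcard matching on paths) so that the effect of quoting a wildcard can be seen without a Sophos installation. The function names and the list files are hypothetical stand-ins for the product’s own exclusion store.

```shell
#!/bin/sh
# Added example (not Sophos code): a small simulation of the exclusion
# matching rules the manual describes, so the effect of shell quoting on
# ExcludeFileOnGlob can be observed without savconfig. The list files and
# function names are hypothetical stand-ins for the product's exclusion store.

# glob_excluded PATTERN PATH
# Succeeds if PATH matches PATTERN, where * matches any run of characters
# and ? matches exactly one character (the wildcards the manual documents).
glob_excluded() {
    case "$2" in
        $1) return 0 ;;
    esac
    return 1
}

# path_excluded LISTFILE PATH
# Succeeds if any non-empty line of LISTFILE (one pattern per line) matches PATH.
path_excluded() {
    while IFS= read -r _pat || [ -n "$_pat" ]; do
        [ -n "$_pat" ] && glob_excluded "$_pat" "$2" && return 0
    done < "$1"
    return 1
}

# type_excluded PREFIX TYPE
# Left-anchored partial match on a 'file' output string, as described for
# file-type exclusions: 'TIFF' covers every type string starting with 'TIFF'.
type_excluded() {
    case "$2" in
        "$1"*) return 0 ;;
    esac
    return 1
}

# add_exclusion LISTFILE ENTRY...
# Stores each argument exactly as the shell delivered it: a quoted glob
# arrives as one pattern, an unquoted glob as the files that existed when
# the command was typed.
add_exclusion() {
    _f="$1"; shift
    for _e in "$@"; do
        printf '%s\n' "$_e" >> "$_f"
    done
}

# demo_setup
# Builds two exclusion lists from the same '*.txt' glob, once quoted and
# once unquoted, then creates a file afterwards. Sets QUOTED_LIST,
# UNQUOTED_LIST and LATER_FILE for inspection.
demo_setup() {
    _d=$(mktemp -d)
    : > "$_d/a.txt"
    : > "$_d/b.txt"
    QUOTED_LIST="$_d/quoted.list"
    UNQUOTED_LIST="$_d/unquoted.list"
    add_exclusion "$QUOTED_LIST" "$_d/*.txt"    # one entry: the pattern itself
    add_exclusion "$UNQUOTED_LIST" "$_d"/*.txt  # two entries: a.txt and b.txt
    LATER_FILE="$_d/later.txt"                  # created after the lists were built
    : > "$LATER_FILE"
}

demo_setup
path_excluded "$QUOTED_LIST" "$LATER_FILE" && echo "quoted glob: later.txt is excluded and never scanned"
path_excluded "$UNQUOTED_LIST" "$LATER_FILE" || echo "unquoted glob: later.txt is still scanned"
type_excluded 'TIFF' 'TIFF image data, little-endian' && echo "'TIFF' covers little-endian TIFF"
```

The security point is the last file: with the quoted pattern, anything an attacker later drops into /tmp with a .txt name is never scanned, whereas the expanded list only covers the two files that existed when the exclusion was set.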
To remove an exclusion from the list, use the remove operation. For example, type
/opt/sophos-av/bin/savconfig remove ExcludeFileOnGlob '/tmp/notes.txt'
GUI
To exclude files and directories by using wildcards, on the Exclusion Configuration page, in the File Scanning Exclusions panel, type the path in the text box labeled Files or directories (with or without wildcards). Valid wildcards are * which matches any number of any characters, and ? which matches any one character. Click Add New Entry to add the path to the list.
To remove an exclusion from the list, select the exclusion and click Remove Selected Entry.
8.1.4 Specifying character encoding of directory names and filenames
Linux enables you to name directories and files using any character encoding that you choose (e.g. UTF-8, EUC_jp). However, Sophos Anti-Virus stores exclusions only in UTF-8. Therefore, if you want to exclude directories and files from scanning whose names are encoded using non-UTF-8, you specify the exclusions in UTF-8, and specify the encodings using the ExclusionEncodings parameter. Then, the names of any directories or files that you exclude are evaluated in each of the encodings that you specified, and all matching directories and files are excluded. This applies to exclusions that have been specified using the ExcludeFilePaths and ExcludeFileOnGlob parameters. By default, UTF-8, EUC_jp, and ISO-8859-1 (Latin-1) are specified.
For example, if you want to exclude directories and files whose names are encoded in EUC_cn, you specify the names of the directories and files using the ExcludeFilePaths and/or the ExcludeFileOnGlob parameter. Then, you add EUC_cn to the list of encodings:
/opt/sophos-av/bin/savconfig add ExclusionEncodings EUC_cn
Sophos Anti-Virus then evaluates every directory name and filename that you specified in UTF-8, EUC_jp, ISO-8859-1 (Latin-1) and EUC_cn, and excludes all directories and files whose names match in any of those encodings.
8.2 Excluding filesystems from file scanning
Command line
To exclude filesystems from file scanning by using filesystem type, use the ExcludeFilesystems parameter. By default, no filesystem types are excluded. Valid filesystem types are listed in the file /proc/filesystems. For example, to add nfs to the list of filesystem types to exclude, type
/opt/sophos-av/bin/savconfig add ExcludeFilesystems nfs
To remove an exclusion from the list, use the remove operation. For example, type
/opt/sophos-av/bin/savconfig remove ExcludeFilesystems nfs
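The following shell script is an added example, not part of the Sophos product or of this manual. It checks a filesystem type against the kernel’s own list in /proc/filesystems before adding the exclusion, and reports which current mounts the exclusion would leave unscanned. The file arguments default to /proc/filesystems and /proc/mounts and can be pointed at sample files; SAVCONFIG is an assumed override variable for dry runs.

```shell
#!/bin/sh
# Added example (not Sophos code): validate a filesystem type against the
# kernel's list before adding an ExcludeFilesystems entry, and show which
# current mounts the exclusion would leave unscanned. File arguments default
# to /proc/filesystems and /proc/mounts; SAVCONFIG may be overridden.

SAVCONFIG="${SAVCONFIG:-/opt/sophos-av/bin/savconfig}"

# fstype_known TYPE [FSLIST]
# Succeeds if TYPE is listed in /proc/filesystems. Each line there is an
# optional 'nodev' tag, a tab, then the type name, so only the last field
# is compared.
fstype_known() {
    awk -v t="$1" '$NF == t { found = 1 } END { exit found ? 0 : 1 }' \
        "${2:-/proc/filesystems}" 2>/dev/null
}

# mounts_of_type TYPE [MOUNTS]
# Prints the mount points currently mounted with TYPE (fields of
# /proc/mounts: device, mount point, type, options, ...). Everything under
# these paths stops being scanned once TYPE is excluded.
mounts_of_type() {
    awk -v t="$1" '$3 == t { print $2 }' "${2:-/proc/mounts}" 2>/dev/null
}

# exclude_fstype TYPE [FSLIST] [MOUNTS]
# Adds the exclusion only for a type the kernel knows; returns 2 with a
# diagnostic otherwise, so a typo such as 'nsf' cannot silently produce a
# no-op entry that looks like a real exclusion.
exclude_fstype() {
    if ! fstype_known "$1" "$2"; then
        echo "unknown filesystem type '$1' (not in ${2:-/proc/filesystems})" >&2
        return 2
    fi
    for _m in $(mounts_of_type "$1" "$3"); do
        echo "note: $_m will no longer be scanned" >&2
    done
    "$SAVCONFIG" add ExcludeFilesystems "$1"
}

# Typical use:
#   exclude_fstype nfs
```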
GUI
To exclude filesystems from file scanning by using filesystem type, on the Exclusion Configuration page, in the File Scanning Exclusions panel, click the drop-down arrow on the box labeled Filesystem types. Select one of the filesystem types in the list. Click Add New Entry to add the filesystem type to the list.
To remove an exclusion from the list, select the exclusion and click Remove Selected Entry.
8.3 Scanning within archives
Scanning within archive files makes scanning significantly slower and is rarely required. Even if you don’t enable the option, when you attempt to access a file extracted from an archive file, the extracted file is scanned.
Command line
To enable scanning within archives, type
/opt/sophos-av/bin/savconfig set ScanArchives enabled
To disable scanning within archives, type
/opt/sophos-av/bin/savconfig set ScanArchives disabled
GUI
To configure scanning within archives, go to the Scanning Configuration page, Archive Scanning panel.
Configure scanning within archives as described below. When you have done this, click Set to apply the changes. To undo any changes that you have made since you last clicked Set, click Cancel.
To enable scanning within archives, select the Scan inside archives check box.
To disable scanning within archives, clear the Scan inside archives check box.
8.4 Setting up automatic cleanup
Sophos Anti-Virus can disinfect or delete infected items automatically, when on-access scanning is running. Any actions that Sophos Anti-Virus takes against infected items are logged in the Sophos Anti-Virus log. By default, automatic cleanup is disabled.
Command line
To enable automatic disinfection of infected files and boot sectors, type
/opt/sophos-av/bin/savconfig add AutomaticAction disinfect
Disinfection of documents does not repair any changes the virus has made in the document. (Refer to section 5.1 to find out how to view details on the Sophos website of the virus’s side-effects.)
To disable automatic disinfection, type
/opt/sophos-av/bin/savconfig remove AutomaticAction disinfect
To enable automatic deletion of infected files, type
/opt/sophos-av/bin/savconfig add AutomaticAction delete
You should use this option only if advised to by Sophos technical support. If the infected file is a mailbox, Sophos Anti-Virus might delete the whole mailbox.
To disable automatic deletion, type
/opt/sophos-av/bin/savconfig remove AutomaticAction delete
You can enable both automatic deletion and disinfection, but Sophos doesn’t recommend it. If you do this, Sophos Anti-Virus first tries to disinfect the item. If disinfection fails, it deletes it.
GUI
To set up automatic cleanup, go to the Scanning page, Cleanup panel.
Configure cleanup as described below. When you have done this, click Set to apply the changes. To undo any changes that you have made since you last clicked Set, click Cancel.
To enable automatic disinfection of infected files and boot sectors, select the Automatically disinfect infected items check box. Disinfection of documents does not repair any changes the virus has made in the document. (Refer to section 5.1 to find out how to view details on the Sophos website of the virus’s side-effects.)
To enable automatic deletion of infected files, select the Automatically delete infected items check box.
You should use this option only if advised to by Sophos technical support. If the infected file is a mailbox, Sophos Anti-Virus might delete the whole mailbox.
You can enable both automatic deletion and disinfection, but Sophos doesn’t recommend it. If you do this, Sophos Anti-Virus first tries to disinfect the item. If disinfection fails, it deletes it.

9 Configuring on-demand scanning

In this section, where PATH appears in a command, it refers to the path to be scanned.
9.1 Scanning all file types
By default, Sophos Anti-Virus scans executable files only. To scan all files, irrespective of their type, type
savscan PATH -all
This takes longer than scanning only executables, and can compromise performance on servers. It can also cause false virus/spyware reports.
9.2 Scanning inside archives
Sophos Anti-Virus can scan inside archives if it is run with the -archive option.
savscan PATH -archive
Archive types that can be scanned include: ARJ, bzip2, CMZ, GZip, RAR, RPM, TAR, Zip (the same list as given for the -archive option in section 9.6.1).
Archives ‘nested’ within other archives (e.g. a TAR archive within a Zip archive) are scanned recursively.
Alternatively, you can specify scanning of particular types of archive. For example, to scan inside TAR archives, type
savscan PATH -tar
or to scan inside TAR and Zip archives, type
savscan PATH -tar -zip
If you have numerous complex archives, the scan may take longer to run. Bear this in mind when scheduling unattended scans.
For a full list of the archive types scanned, use the -vv option.
9.3 Scanning remote computers
By default, Sophos Anti-Virus does not scan items on remote computers (i.e. does not traverse remote mount points). To enable scanning of remote computers, type
savscan PATH --no-stay-on-machine
9.4 Disabling scanning of symbolically linked items
By default, Sophos Anti-Virus scans symbolically linked items. To disable this type of scanning, type
savscan PATH --no-follow-symlinks
To avoid scanning items more than once, use the --backtrack-protection option.
9.5 Scanning the starting filesystem only
Sophos Anti-Virus can be configured not to scan items that are beyond the starting filesystem (i.e. not to traverse mount points). Type
savscan PATH --stay-on-filesystem
9.6 Command-line options
The command-line options listed in this section enable you to configure scanning and disinfection. There are
options that Sophos Anti-Virus for Linux has in common with Sophos Anti-Virus for UNIX and other platforms (section 9.6.1)
options that Sophos Anti-Virus for Linux has in common with just Sophos Anti-Virus for UNIX (section 9.6.2)
options specific to Sophos Anti-Virus for Linux (section 9.6.3).
9.6.1 Sophos Anti-Virus command-line options
To invert the meaning of a command-line option, prefix it with ‘n’. For example, -nsc is the inverse of -sc.
For a listing of these options on screen, type
savscan -h
-all Scan all files
If this option is used, Sophos Anti-Virus will scan all files in a filesystem, rather than just the executable files.
This takes longer than scanning only executables, and can compromise performance on servers. It can also cause false virus/spyware reports.
-archive Scan inside archives
If this option is used, Sophos Anti-Virus scans inside archives. The archive types scanned include ARJ, bzip2, CMZ, GZip, RAR, RPM, TAR, Zip.
Archives ‘nested’ within other archives (e.g. a TAR archive within a Zip archive) are scanned recursively.
Alternatively, you can specify scanning of particular types of archive. For example, to scan inside TAR archives, type
savscan PATH -tar
or to scan inside TAR and Zip archives, type
savscan PATH -tar -zip
If you have numerous complex archives, the scan may take longer to run. Bear this in mind when scheduling unattended scans.
For a full list of the archive types scanned, use the -vv option.
-b Sound bell on virus/spyware detection
This option directs Sophos Anti-Virus to sound a bell when viruses/spyware or fragments of viruses/spyware are discovered. It is enabled by default.
-c Ask for confirmation before disinfection or deletion
This option directs Sophos Anti-Virus to ask for confirmation before disinfecting or deleting files. It is enabled by default.
-di Disinfect
This option enables Sophos Anti-Virus to perform automatic disinfection of data files, programs and boot sectors. Refer to section 5.2.
-dn Display names of files as they are scanned
This option displays files being scanned. The display consists of the time followed by the item being checked.
-eec Use extended set of error codes
This option directs Sophos Anti-Virus to use an extended set of error codes. For details, refer to section 3.6.1.
-exclude Exclude items from scanning
This option enables you to specify that any items (files, directories or filesystems) that follow the option on the command line must be excluded from scanning.
After using the option -exclude, you can use the option -include to specify that items that follow this option on the command line must be scanned.
For example
savscan fred harry -exclude tom peter -include bill
scans items fred, harry and bill, but not tom or peter.
The option -exclude can be used for files or directories under another directory. For example
savscan /home/fred -exclude /home/fred/games
scans all of Fred's home directory, but excludes the directory games (and all directories and files under it).
-ext= File types defined as executables
By default, Sophos Anti-Virus scans DOS and Windows executable files with certain file extensions (run savscan with the -vv option to see a list of the file extensions used).
To specify additional file extensions that Sophos Anti-Virus will scan, use the -ext= option with a comma-separated list of extensions.
To exempt file extensions from scanning, use -next.
If you want to scan files that UNIX defines as executables, refer to the --examine-x-bit option in section 9.6.2.
-f Full scan
By default, Sophos Anti-Virus checks only those parts of each file that are likely to contain viruses/spyware. A ‘full’ scan examines the complete contents of each file and can be specified using this option.
Full scanning is slower than default scanning.
-h Help
This option lists all the command-line options, including Linux-specific options.
-idedir= Use alternative directory for virus/spyware identity files (IDEs)
This option enables you to specify an alternative directory for IDEs. For example
savscan PATH -idedir=/ide
directs Sophos Anti-Virus to read IDEs from the /ide directory instead of the default directory (normally /opt/sophos-av/lib/sav).
-mime Scan MIME files
This option enables Sophos Anti-Virus to scan MIME files when it does a scan. By default, it is not enabled to scan MIME files.
-oe Scan Outlook Express mailboxes
This option directs Sophos Anti-Virus to scan Outlook Express mailboxes when it does a scan. By default, it is not enabled to scan Outlook Express mailboxes. You must also use the -mime option with this option.
-p=<file|device> Copy screen output to file or device
This option directs Sophos Anti-Virus to send whatever it sends to the screen to a particular file or device as well. For example
savscan PATH -p=log.txt
directs Sophos Anti-Virus to send screen output to the file log.txt.
-rec Do recursive scan
This option directs Sophos Anti-Virus to scan directories below the ones specified in the command line. It is enabled by default.
-remove Remove infected objects
This option directs Sophos Anti-Virus to remove infected items.
-s Silent running without displaying checked areas
If this option is used, Sophos Anti-Virus does not display on the screen the files it is scanning. It is enabled by default.
-sc Scan inside compressed files
If this option is used, Sophos Anti-Virus looks for viruses/spyware inside files compressed with PKLite, LZEXE and Diet. It is enabled by default.
--stop-scan Stop scanning “zip bombs”
If this option is used, Sophos Anti-Virus stops scanning “zip bombs” when they are detected.
“Zip bombs” are malicious files that are designed to disrupt the action of anti-virus scanners. These files usually take the form of innocent looking archive files that, when unpacked in order to be scanned, require enormous amounts of time, disk space, or memory.
For example
savscan -all /home/fred/misc --stop-scan
directs Sophos Anti-Virus to scan all objects (files and directories) under /home/fred/misc, and to stop scanning any “zip bombs” that are detected. When a “zip bomb” is detected, a message such as
Aborted checking /home/fred/misc/b.zip - appears to be a 'zip bomb'
is displayed.
-v Version number
If this option is used, Sophos Anti-Virus displays the version number and a list of the virus/spyware identities (IDEs) currently in use.
-vv Full version information
If this option is used, Sophos Anti-Virus displays the version number and lists of the virus/spyware identities (IDEs) currently in use, the file extensions that are scanned, and the archive types scanned.
9.6.2 UNIX-specific command-line options
The following options are UNIX-specific, and may be prefixed with ‘no-’ to invert their meaning.
For example, ‘--no-follow-symlinks’ is the inverse of ‘--follow-symlinks’.
--args-file=[filename] Read command-line arguments from file
Sophos Anti-Virus reads command-line arguments from a file. The arguments may include (lists of) directory names, filenames and options. For example
savscan --args-file=scanlist
directs Sophos Anti-Virus to read command-line arguments from the scanlist file. When Sophos Anti-Virus reaches the end of the file, it continues reading arguments from the command line.
If [filename] is ‘-’, Sophos Anti-Virus reads arguments from stdin. Some command-line options may not be used in the file: -eec, -neec, -p=, -s, -ns, -dn and -ndn.
--backtrack-protection Prevent backtracking
Sophos Anti-Virus avoids scanning the same files more than once (‘backtracking’), a problem that can arise due to symbolic links. This option is enabled by default.
--examine-x-bit Scan all items that UNIX defines as executables
If this option is used, Sophos Anti-Virus scans all items that UNIX defines as executables, as well as items with the file extensions in Sophos Anti-Virus’s own executables list (for details of the file extensions listed, run savscan with the -vv option). This option is disabled by default.
--follow-symlinks Scan the object pointed to by symbolic links
Sophos Anti-Virus scans objects pointed to by symbolic links. This option is enabled by default.
--preserve-backtrack Preserve backtracking information
Sophos Anti-Virus preserves the backtracking information for the duration of the run. This option is enabled by default.
--quarantine Quarantine infected files
If this option is used, Sophos Anti-Virus puts infected files into quarantine. Sophos Anti-Virus does this by changing the ownership and permissions for the file.
If you have specified disinfection, Sophos Anti-Virus attempts to disinfect the file and quarantines the file only if disinfection fails.
By default, Sophos Anti-Virus changes
the user ownership of an infected file to the user running Sophos Anti-Virus
the group ownership of the file to the group to which that user belongs
the file permissions to -r-------- (0400).
If you prefer, you can change the user or group ownership and file permissions that Sophos Anti-Virus applies to infected files. You do so by using these parameters:
uid=NNN user=USERNAME gid=NNN group=GROUP-NAME mode=PPP
You cannot specify more than one parameter of each type (e.g. you cannot enter username twice, or enter a uid and a username).
For each parameter you do not specify, the default setting (as given above) is used.
For example:
savscan fred --quarantine:user=virus,group=virus,mode=0400
will change an infected file’s user ownership to virus, the group ownership to virus, and the file permissions to -r--------. This means the file is owned by the user virus and group virus, but only the user virus can access the file (and only for reading). No one else can do anything to the file (apart from root).
You may need to be running as a special user or as superuser to set the ownership and permissions.
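The following shell script is an added example and is not part of the Sophos product or of this manual. It audits a directory tree for files left in the state that --quarantine produces (a regular file with mode exactly 0400 owned by the quarantine account) and checks that the account cannot log in. The account name virus follows the manual’s example; the optional passwd-file argument is an assumption added only so the check can be exercised on a sample file.

```shell
#!/bin/sh
# Added example (not Sophos code): audit a tree for files in the state
# --quarantine leaves them in (regular file, mode exactly 0400, owned by the
# quarantine account) and check that the account has a non-login shell.
# The passwd file argument exists only so the check can run on a sample.

# quarantined_files DIR [USER]
# Lists files under DIR with mode 0400 owned by USER. With no USER the
# invoking user is assumed, which is what --quarantine uses when no user=
# parameter is given.
quarantined_files() {
    find "$1" -type f -perm 0400 -user "${2:-$(id -un)}" 2>/dev/null
}

# quarantined_count DIR [USER]
# Number of such files, for a quick inventory after an on-demand scan.
quarantined_count() {
    quarantined_files "$1" "$2" | wc -l | tr -d ' '
}

# quarantine_account_ok USER [PASSWD]
# Succeeds if USER exists and has a non-login shell. Quarantine relies on
# ownership and mode only: the file stays where it was, so the account that
# owns it should be one nobody can log in as. Root, and any backup job
# running as root, can still read the file.
quarantine_account_ok() {
    _shell=$(awk -F: -v u="$1" '$1 == u { print $7 }' "${2:-/etc/passwd}")
    case "$_shell" in
        */nologin|*/false) return 0 ;;
    esac
    return 1
}

# Typical use after 'savscan /home --quarantine:user=virus,group=virus,mode=0400':
#   quarantine_account_ok virus && quarantined_files /home virus
```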
--reset-atime Reset the access time on files
After Sophos Anti-Virus scans a file, it resets the access time (the atime) to the time shown before scanning. However, if a file is disinfected, the access and modification times are updated. This option is enabled by default.
You may find that your archiver always backs up all the files that have been scanned. This could happen because resetting the atime has the effect of changing the inode status-changed time (ctime). In this case, run savscan with the --no-reset-atime option.
--show-file-details Show details of file ownership
If this option is used, Sophos Anti-Virus shows details of the file ownership and permissions when filenames are displayed or written to a log.
--skip-special Do not scan ‘special’ objects
Sophos Anti-Virus does not scan special objects, such as /dev, /proc, /devices etc. This option is enabled by default.
--stay-on-filesystem Do not leave the starting filesystem
If this option is used, Sophos Anti-Virus scans only the starting filesystem, i.e. it does not traverse mount points.
--stay-on-machine Do not leave the starting computer
Sophos Anti-Virus scans only the starting computer, i.e. it does not traverse remote mount points. This option is enabled by default.
9.6.3 Linux-specific command-line options
The following boot sector scanning options are only available with Sophos Anti-Virus for Linux.
-bs=xxx, xxx,... Scan boot sector of specific logical drive
Sophos Anti-Virus scans the boot sectors of specified logical drives, where xxx is the name of the drive (for example /dev/fd0 or /dev/hda1). The floppy drive is considered a logical device for the purposes of this option.
You can use this option to scan the boot sectors of floppy disks that were created for other operating systems (e.g. Windows and DOS).
-bs Scan all known boot sectors
Sophos Anti-Virus extracts partition table information from all the physical drives it knows about, then scans all logical drive boot sectors. This includes boot sectors that are not Linux (e.g. Windows and DOS).
-cdr= Scan CD boot image
To scan the boot image of a bootable CD, use the -cdr option. For example
savscan -cdr=/dev/cdrom
scans the boot image (if any) of the CD on device /dev/cdrom. If Sophos Anti-Virus finds a boot image, it scans the boot sector of that image for boot sector viruses.
To scan for program viruses all files in the boot image whose file type is in Sophos Anti-Virus’s own executables list, use the -loopback option. For example
savscan -cdr=/dev/cdrom -loopback
scans the boot image (if any) of the CD on device /dev/cdrom. If Sophos Anti-Virus finds a boot image, it scans the boot sector of that image for boot sector viruses and scans for program viruses all files in that image whose file type is in the executables list.
-mbr Scan master boot records
Sophos Anti-Virus attempts to scan the master boot records for all the physical drives on the system.

10 Configuring alerts

If you are configuring a single computer that is on a network, such configuration might be discarded if the computer downloads a new console-based or CID-based configuration.
You can configure Sophos Anti-Virus to send an alert when it finds viruses/spyware, there is a scanning error or some other type of error. Alerts can be sent in different languages, and via the following methods:
Desktop pop-ups (on-access scanning only)
Command-line (on-access scanning only)
Email (on-access and on-demand scanning)
10.1 Configuring desktop pop-up alerts
By default, desktop pop-up alerts are enabled. They are sent in the language of the computer that raises the alert.
The additional messages that are described below are not translated.
Command line
To enable desktop pop-up alerts, set the parameters UINotifier and UIpopupNotification to “enabled”. UINotifier provides overall control of desktop pop-up and command-line alerts; UIpopupNotification controls just desktop pop-up alerts. For example, type
/opt/sophos-av/bin/savconfig set UINotifier enabled
/opt/sophos-av/bin/savconfig set UIpopupNotification enabled
You can specify what message is sent in addition to the alert itself. A default message is supplied in English. To change this, use the parameter UIContactMessage. For example, type
/opt/sophos-av/bin/savconfig set UIContactMessage 'Contact IT'
The same messages are used for desktop pop-up and command-line alerts.
To disable desktop pop-up alerts, type
/opt/sophos-av/bin/savconfig set UIpopupNotification disabled
To disable both desktop pop-up and command-line alerts, type
/opt/sophos-av/bin/savconfig set UINotifier disabled
GUI
To configure desktop pop-up alerts, go to the Alerts Configuration page, Desktop Pop-up and Command-line panel.
Configure desktop pop-up alerts as described below. When you have done this, click Set to apply the changes. To undo any changes that you have made since you last clicked Set, click Cancel.
To enable desktop pop-up alerts, select the Enable desktop pop-up alerts check box.
You can specify what message is sent in addition to the alert itself. A default message is supplied in English. To change this, type in the text box.
The same messages are used for desktop pop-up and command-line alerts.
To disable desktop pop-up alerts, clear the Enable desktop pop-up alerts check box.
10.2 Configuring command-line alerts
By default, command-line alerts are enabled. They are sent in the language of the computer that raises the alert.
The additional messages that are described below are not translated.
Command line
To enable command-line alerts, set the parameters UINotifier and UIttyNotification to “enabled”. UINotifier provides overall control of desktop pop-up and command-line alerts; UIttyNotification controls just command-line alerts. For example, type
/opt/sophos-av/bin/savconfig set UINotifier enabled
/opt/sophos-av/bin/savconfig set UIttyNotification enabled
You can specify what message is sent in addition to the alert itself. A default message is supplied in English. To change this, use the parameter UIContactMessage. For example, type
/opt/sophos-av/bin/savconfig set UIContactMessage 'Contact IT'
The same messages are used for desktop pop-up and command-line alerts.
To disable command-line alerts, type
/opt/sophos-av/bin/savconfig set UIttyNotification disabled
To disable both desktop pop-up and command-line alerts, type
/opt/sophos-av/bin/savconfig set UINotifier disabled
GUI
To configure command-line alerts, go to the Alerts Configuration page, Desktop Pop-up and Command-line panel.
Configure command-line alerts as described below. When you have done this, click Set to apply the changes. To undo any changes that you have made since you last clicked Set, click Cancel.
To enable command-line alerts, select the Enable command-line alerts check box.
You can specify what message is sent in addition to the alert itself. A default message is supplied in English. To change this, type in the text box.
The same messages are used for desktop pop-up and command-line alerts.
To disable command-line alerts, clear the Enable command-line alerts check box.
10.3 Configuring email alerts
By default, email alerts are
enabled
sent when viruses/spyware are detected, there is a scanning error, or an event is logged in the Sophos Anti-Virus log
sent only when there is a fatal event
sent to root@localhost
and the hostname and port of the SMTP server are localhost:25.
10.3.1 General settings
Command line
To enable email alerts, set the parameter EmailNotifier to “enabled”:
/opt/sophos-av/bin/savconfig set EmailNotifier enabled
To set the hostname or IP address of the SMTP server, use the parameter EmailServer. For example, type
/opt/sophos-av/bin/savconfig set EmailServer 171.17.31.184
To specify the language that is used for the email alerts, use the parameter EmailLanguage. Currently, valid values are just “en”, “English”, or “Japanese”. For example, type
/opt/sophos-av/bin/savconfig set EmailLanguage Japanese
This language selection applies only to the alert itself, not the additional messages that are described below.
To disable email alerts, type
/opt/sophos-av/bin/savconfig set EmailNotifier disabled
GUI
To configure email alerts via the GUI, go to the Alerts Configuration page, Email panel.
To enable email alerts, select the Enable email alerts check box.
To set the hostname or IP address of the SMTP server, type the address in the text box labeled Hostname or IP address of the SMTP server.
To specify the language that is used for the email alerts, select the language in the drop-down list box labeled Language to use in notification emails.
This language selection applies only to the alert itself, not the additional messages that are described below.
To disable email alerts, clear the Enable email alerts check box.
When you have finished configuring email alerts, click Set to apply the changes. To undo any changes that you have made since you last clicked Set, click Cancel.
10.3.2 Email recipients
Command line
To specify who receives email alerts, use the parameter Email. You can specify more than one recipient. For example, type
/opt/sophos-av/bin/savconfig add Email admin@localhost
GUI
To specify who receives email alerts, add or delete recipients from the list of Email recipients.
To add a new email recipient to the list, type the text in the address box and click Add New Entry.
To delete an email recipient from the list, select it and click Remove Selected Entry.
10.3.3 What happens when viruses/spyware are detected
Command line
To enable email alerts to be sent when viruses/spyware are detected, set the parameter SendThreatEmail to “enabled”:
/opt/sophos-av/bin/savconfig set SendThreatEmail enabled
You can specify what message is sent in addition to the alert itself when viruses/spyware are detected. A default message is supplied in English. To change this, use the parameter ThreatMessage. For example, type
/opt/sophos-av/bin/savconfig set ThreatMessage 'Contact IT'
GUI
To enable email alerts to be sent when viruses/spyware are detected, select the check box labeled Send email when virus detected.
You can specify what message is sent in addition to the alert itself when viruses/spyware are detected. A default message is supplied in English. To change this, type in the text box.
When you have finished configuring email alerts, click Set to apply the changes. To undo any changes that you have made since you last clicked Set, click Cancel.
10.3.4 What happens when there is a scanning error
Command line
To enable email alerts to be sent when there is a scanning error, set the parameter SendErrorEmail to “enabled”:
/opt/sophos-av/bin/savconfig set SendErrorEmail enabled
You can specify what message is sent in addition to the alert itself when there is a scanning error. A default message is supplied in English. To change this, use the parameter ScanErrorMessage. For example, type
/opt/sophos-av/bin/savconfig set ScanErrorMessage 'Contact IT'
GUI
To enable email alerts to be sent when there is a scanning error, select the check box labeled Send email when there is a scan error.
You can specify what message is sent in addition to the alert itself when there is a scanning error. A default message is supplied in English. To change this, type in the text box.
When you have finished configuring email alerts, click Set to apply the changes. To undo any changes that you have made since you last clicked Set, click Cancel.
10.3.5 What happens when an event is logged
Command line
You can specify what message is sent in addition to the alert itself when an event is logged in the Sophos Anti-Virus log. A default message is supplied in English. To change this, use the parameter LogMessage. For example, type
/opt/sophos-av/bin/savconfig set LogMessage 'Contact IT'
GUI
You can specify what message is emailed when an event is logged in the Sophos Anti-Virus log. A default message is supplied in English. To change this, type in the text box.
When you have finished configuring email alerts, click Set to apply the changes. To undo any changes that you have made since you last clicked Set, click Cancel.
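The following shell script is an added example and is not part of the Sophos product or of this manual. It applies the command-line steps of sections 10.3.1 to 10.3.5 in one reviewed run, validating the recipient addresses first and echoing each savconfig call so the change is auditable. The SMTP host, recipients and message texts are placeholders; SAVCONFIG is an assumed override variable that lets the script be dry-run against a function that only prints its arguments.

```shell
#!/bin/sh
# Added example (not Sophos code): apply the email-alert settings from
# sections 10.3.1 to 10.3.5 in one step, echoing each savconfig call so
# the change is auditable. SMTP host, recipients and messages are
# placeholders; SAVCONFIG may be overridden for a dry run.

SAVCONFIG="${SAVCONFIG:-/opt/sophos-av/bin/savconfig}"

# savcfg ARGS...
# Runs savconfig with ARGS, printing the invocation first.
savcfg() {
    echo "+ savconfig $*"
    "$SAVCONFIG" "$@"
}

# valid_recipient ADDR
# Minimal sanity check: exactly one '@', no whitespace, not empty.
# Rejecting bad input here avoids storing a recipient that never receives
# anything, which would silently disable alerting for that address.
valid_recipient() {
    case "$1" in
        ''|*[[:space:]]*|*@*@*) return 1 ;;
        *@*) return 0 ;;
    esac
    return 1
}

# configure_email_alerts SMTP_HOST RECIPIENT...
# Enables email alerts, points them at SMTP_HOST, adds each recipient and
# turns on threat and scan-error mails with short contact messages.
# Returns 2 without touching the configuration if any argument is bad.
configure_email_alerts() {
    _smtp="$1"; shift
    [ -n "$_smtp" ] || { echo "SMTP host required" >&2; return 2; }
    [ $# -gt 0 ] || { echo "at least one recipient required" >&2; return 2; }
    for _r in "$@"; do
        valid_recipient "$_r" || { echo "bad recipient: $_r" >&2; return 2; }
    done
    savcfg set EmailNotifier enabled
    savcfg set EmailServer "$_smtp"
    savcfg set EmailLanguage English
    for _r in "$@"; do
        savcfg add Email "$_r"
    done
    savcfg set SendThreatEmail enabled
    savcfg set SendErrorEmail enabled
    savcfg set ThreatMessage 'Malware detected: leave the file alone and contact IT'
    savcfg set ScanErrorMessage 'Scan error: contact IT'
}

# Typical use:
#   configure_email_alerts smtp.example.org soc@example.org oncall@example.org
```

Because add Email appends to the recipient list, running the script twice stores each recipient twice, and the default root@localhost recipient stays in place; removing it with a remove Email operation is an assumption drawn from the add/remove pattern the manual uses for its other list parameters, not something this page documents.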

11 Configuring the Sophos Anti-Virus log

If you are configuring a single computer that is on a network, such configuration might be discarded if the computer downloads a new console-based or CID-based configuration.
By default, scanning activity is logged in the Sophos Anti-Virus log. When it reaches 1 MB in size, it is backed up automatically and a new log is started. To see the default number of logs that are kept, type
/opt/sophos-av/bin/savconfig -s query LogMaxSizeMB
To specify the maximum number of logs that are kept, use the parameter LogMaxSizeMB. For example, type
/opt/sophos-av/bin/savconfig set LogMaxSizeMB 50
The path of the log is /opt/sophos-av/log/savd.log.

12 Configuring the Sophos Anti-Virus GUI

If you are configuring a single computer that is on a network, such configuration might be discarded if the computer downloads a new console-based or CID-based configuration.
You can configure the Sophos Anti-Virus GUI using either
the utility savsetup, or
the command savconfig.
savsetup
1. At the computer, run the utility savsetup, which is in the bin subdirectory of the installation:
/opt/sophos-av/bin/savsetup
2. The utility asks you to select what you want to do. Select Sophos Anti-Virus GUI configuration.
3. The utility asks you a series of questions about the GUI. Type your responses to configure the GUI.
savconfig
To set the http port on which the GUI runs, use the parameter HttpPort. (The GUI is not accessible via an external port.) To see the default port, type
/opt/sophos-av/bin/savconfig -s query HttpPort
To change the port, type for example
/opt/sophos-av/bin/savconfig set HttpPort 1880
To set the username for using the GUI, use the parameter HttpUsername. For example, type
/opt/sophos-av/bin/savconfig set HttpUsername sysadmin
To set the password for using the GUI, use the parameter HttpPassword. For example, type
/opt/sophos-av/bin/savconfig set HttpPassword 0jf09jf
These settings don’t take effect until the GUI daemon is restarted. To do this manually, close the GUI and, at the command line, type
/etc/init.d/sav-web restart
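The following script is an added example and is not part of the Sophos manual or the product. It applies the three GUI settings from this section and restarts the GUI daemon in one step, using only the paths shown above. The SAVCONFIG and SAVWEB_INIT variables, the two validation functions and the choice to read the password from standard input are this example's own assumptions. Reading the password rather than passing it as an argument keeps it out of process listings and shell history, which a savconfig set HttpPassword command typed at the prompt does not.

```shell
#!/bin/sh
# Added example: apply the GUI settings from section 12 with validation.
# Assumptions (not from the manual): SAVCONFIG and SAVWEB_INIT may be
# overridden so the script can be dry-run; the password is read from
# standard input instead of being passed as an argument, so it does not
# appear in process listings or in shell history.
SAVCONFIG="${SAVCONFIG:-/opt/sophos-av/bin/savconfig}"
SAVWEB_INIT="${SAVWEB_INIT:-/etc/init.d/sav-web}"

# valid_port PORT: returns 0 if PORT is an integer in 1..65535, 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_username NAME: letters, digits, '.', '_' and '-' only, so the value
# cannot be mistaken for a savconfig option and is safe to pass on.
valid_username() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# configure_gui PORT USERNAME   (password is read from standard input)
# Sets HttpPort, HttpUsername and HttpPassword, then restarts the GUI
# daemon, because the settings only take effect after a restart.
configure_gui() {
    port="$1"; user="$2"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
    valid_username "$user" || { echo "invalid username: $user" >&2; return 2; }
    IFS= read -r password
    [ -n "$password" ] || { echo "empty password refused" >&2; return 2; }
    "$SAVCONFIG" set HttpPort "$port" || return 1
    "$SAVCONFIG" set HttpUsername "$user" || return 1
    "$SAVCONFIG" set HttpPassword "$password" || return 1
    "$SAVWEB_INIT" restart
}

# Usage (interactive): printf 'password: '; configure_gui 1880 sysadmin
```

Run it as root, since savconfig and the init script require root privileges (see section 16.1).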

Updating Sophos Anti-Virus

Updating Sophos Anti-Virus immediately
Kernel support
Configuring updating

13 Updating Sophos Anti-Virus immediately

Provided that you have enabled auto-updating, Sophos Anti-Virus is kept updated automatically.
To update a computer between regular updates, run the update script:
/opt/sophos-av/bin/savupdate

14 Kernel support

14.1 Support for new kernel releases
When one of the Linux vendors supported by Sophos Anti-Virus releases an update to its Linux kernel, Sophos releases an update to the Sophos kernel interface module to support this. If you apply a Linux kernel update before you apply the matching Sophos kernel interface module update, on-access scanning is disabled and an error is reported.
To avoid this problem, you must confirm that the matching Sophos kernel interface module update has been released before applying the Linux kernel update. A list of supported Linux distributions and updates is available in Sophos support knowledgebase article 14377 (www.sophos.com/support/knowledgebase/article/14377.html). When the required Sophos kernel interface module update is listed, it is available for download. Provided that you have enabled auto-updating, Sophos Anti-Virus downloads the update automatically. Alternatively, to update a computer between regular updates, run the update script:
/opt/sophos-av/bin/savupdate
You can then apply the Linux kernel update.
14.2 Support for customized kernels
If you customize your Linux kernels, this manual doesn’t explain how to configure updating to support this. Refer to Sophos support knowledgebase article 13503 (www.sophos.com/support/knowledgebase/article/13503.html).

15 Configuring updating

If you manage Sophos Anti-Virus for Linux using Enterprise Console, you must configure updating using the console. For information on how to do this, refer to the console help instead of this section.
15.1 Basic concepts
Update server
An update server is a computer on which you have installed Sophos Anti-Virus for Linux and which also acts as an update source for other computers. These other computers are either update servers or update endpoints, depending on how you deploy Sophos Anti-Virus across the network.
Update endpoint
An update endpoint is a computer on which you have installed Sophos Anti-Virus for Linux and which doesn’t need to act as an update source for other computers.
Primary update source
The primary update source is the location of the updates that a computer usually accesses. It might need access credentials.
Secondary update source
The secondary update source is the location of the updates that a computer accesses when the primary update source is unavailable. It might need access credentials.
15.2 Checking the auto-updating configuration for a computer
1. At the computer that you want to check, run the utility savsetup:
/opt/sophos-av/bin/savsetup
2. The utility asks you to select what you want to do. Select Auto-updating configuration.
3. The utility asks you to select what you want to do. Select Display update configuration to see the current configuration.
15.3 Configuring the update server to update from Sophos directly
1. At the update server, run the utility savsetup:
/opt/sophos-av/bin/savsetup
2. The utility asks you to select what you want to do. Select Auto-updating configuration.
3. The utility asks you to select what you want to do. Select the option to configure the primary update source to be Sophos. When prompted, enter the username and password that are included with your licence.
4. The utility asks you if you need a proxy to access Sophos. If you do, type “Y” and then type the proxy details.
15.4 Configuring multiple update endpoints to update from the update server
If you want to change the configuration for a single update endpoint, refer to section 15.6 instead.
At the update server, you update the offline configuration file in the CID, and then apply the changes to the live configuration file, ready for the update endpoints to download the next time that they update. In the procedure below, CONFIG-FILE represents the path of the offline configuration file.
1. Set the primary update source address to the location of the CID, using the parameter PrimaryUpdateSourcePath. You can specify either an HTTP address or a UNC path, depending on how you have set up the update server. For example, type
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  PrimaryUpdateSourcePath 'http://www.mywebcid.com/cid'
2. If the primary update source requires authentication, set the username and password using the parameters PrimaryUpdateUsername and PrimaryUpdatePassword, respectively. For example, type
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  PrimaryUpdateUsername 'fred'
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  PrimaryUpdatePassword 'j23rjjfwj'
3. If you access the primary update source via a proxy, set the address, username, and password of the proxy server, using the parameters PrimaryUpdateProxyAddress, PrimaryUpdateProxyUsername, and PrimaryUpdateProxyPassword, respectively. For example, type
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  PrimaryUpdateProxyAddress 'http://www-cache.xyz.com:8080'
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  PrimaryUpdateProxyUsername 'penelope'
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  PrimaryUpdateProxyPassword 'fj202jrjf'
4. Use the utility addcfg to apply the changes to the live configuration file, ready for the update endpoints to download the next time that they update.
/opt/sophos-av/update/cache/Primary/addcfg.sh -f CONFIG-FILE
15.5 Configuring multiple update endpoints to update from Sophos directly when the update server is unavailable
If you want to change the configuration for a single update endpoint, refer to section 15.7 instead.
At the update server, you update the offline configuration file in the CID, and then apply the changes to the live configuration file, ready for the update endpoints to download the next time that they update. In the procedure below, CONFIG-FILE represents the path of the offline configuration file.
1. Set the secondary update source address to “sophos:”, using the parameter SecondaryUpdateSourcePath. For example, type
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  SecondaryUpdateSourcePath 'sophos:'
2. Set the secondary update source username to the username that is included with your licence, using the parameter SecondaryUpdateUsername. For example, type
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  SecondaryUpdateUsername 'cust123'
3. Set the secondary update source password to the password that is included with your licence, using the parameter SecondaryUpdatePassword. For example, type
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  SecondaryUpdatePassword 'j23rjjfwj'
4. If you access the internet via a proxy, set the address, username, and password of the proxy server, using the parameters SecondaryUpdateProxyAddress, SecondaryUpdateProxyUsername, and SecondaryUpdateProxyPassword, respectively. For example, type
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  SecondaryUpdateProxyAddress 'http://www-cache.xyz.com:8080'
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  SecondaryUpdateProxyUsername 'fred'
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set
  SecondaryUpdateProxyPassword 'fj202jrjf'
5. Use the utility addcfg to apply the changes to the live configuration file, ready for the update endpoints to download the next time that they update.
/opt/sophos-av/update/cache/Primary/addcfg.sh -f CONFIG-FILE
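The following script is an added example that is not part of the Sophos manual or product. It carries out the procedures of sections 15.4 and 15.5 in one pass: the update server's CID becomes the primary source, Sophos becomes the secondary source, and the offline file is then applied with addcfg.sh. The savconfig and addcfg.sh paths are those shown in this section; the SAVCONFIG and ADDCFG overrides, the environment variable names SOPHOS_USER, SOPHOS_PASS, PROXY_ADDR, PROXY_USER and PROXY_PASS, the address check, and the chmod on the offline file are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Sophos' own tooling): build the offline CID
# configuration from sections 15.4 and 15.5, then apply it with addcfg.sh.
# SAVCONFIG and ADDCFG can be overridden for a dry run (assumption).
SAVCONFIG="${SAVCONFIG:-/opt/sophos-av/bin/savconfig}"
ADDCFG="${ADDCFG:-/opt/sophos-av/update/cache/Primary/addcfg.sh}"

# cid_set CONFIG-FILE PARAM VALUE: one write to the offline file, exactly
# the command form the manual shows.
cid_set() {
    "$SAVCONFIG" -f "$1" -c set "$2" "$3"
}

# valid_source ADDR: accept only the forms the manual describes for an
# update source: an HTTP address, a UNC path (\\server\share) or 'sophos:'.
valid_source() {
    case "$1" in
        'sophos:') return 0 ;;
        http://*)  return 0 ;;
        '\\'*)     return 0 ;;
    esac
    return 1
}

# build_cid_update_config CONFIG-FILE PRIMARY-ADDR [PRIMARY-USER PRIMARY-PASS]
# Licence credentials for the secondary (Sophos) source come from
# SOPHOS_USER / SOPHOS_PASS, and an optional internet proxy from
# PROXY_ADDR / PROXY_USER / PROXY_PASS (assumed names), so that none of
# them are typed on the command line.
build_cid_update_config() {
    cfg="$1"; primary="$2"; puser="$3"; ppass="$4"
    valid_source "$primary" || { echo "unsupported primary source: $primary" >&2; return 2; }
    [ -n "$SOPHOS_USER" ] && [ -n "$SOPHOS_PASS" ] || { echo "SOPHOS_USER/SOPHOS_PASS not set" >&2; return 2; }
    # Section 15.4: primary source is the CID on the update server.
    cid_set "$cfg" PrimaryUpdateSourcePath "$primary" || return 1
    if [ -n "$puser" ]; then
        cid_set "$cfg" PrimaryUpdateUsername "$puser" || return 1
        cid_set "$cfg" PrimaryUpdatePassword "$ppass" || return 1
    fi
    # Section 15.5: secondary source is Sophos, used when the server is down.
    cid_set "$cfg" SecondaryUpdateSourcePath 'sophos:' || return 1
    cid_set "$cfg" SecondaryUpdateUsername "$SOPHOS_USER" || return 1
    cid_set "$cfg" SecondaryUpdatePassword "$SOPHOS_PASS" || return 1
    if [ -n "$PROXY_ADDR" ]; then
        cid_set "$cfg" SecondaryUpdateProxyAddress "$PROXY_ADDR" || return 1
        [ -z "$PROXY_USER" ] || cid_set "$cfg" SecondaryUpdateProxyUsername "$PROXY_USER" || return 1
        [ -z "$PROXY_PASS" ] || cid_set "$cfg" SecondaryUpdateProxyPassword "$PROXY_PASS" || return 1
    fi
    # The offline file now holds credentials; keep it unreadable to other
    # users (a general precaution, not a step from the manual).
    [ -f "$cfg" ] && chmod 600 "$cfg"
    # Apply to the live file in the CID for endpoints to pick up on update.
    "$ADDCFG" -f "$cfg"
}
```

Run it on the update server as root, for example SOPHOS_USER=cust123 SOPHOS_PASS=... build_cid_update_config /root/offline.cfg 'http://www.mywebcid.com/cid' fred j23rjjfwj, with the credentials exported from a file readable only by root rather than typed at the prompt.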
15.6 Configuring a single update endpoint to update from the update server
If you want to change the configuration for multiple update endpoints, refer to section 15.4 instead.
This section assumes that the update server will be the primary update source for this computer. However, if it will be the secondary update source, use the secondary options or parameters where indicated below.
1. At the computer that you want to configure, run the utility savsetup:
/opt/sophos-av/bin/savsetup
2. The utility asks you to select what you want to do. Select Auto-updating configuration.
3. The utility asks you to select what you want to do. Select the option to configure the primary (or secondary) update source to be your own server. When prompted, enter the address of the source, and the username and password if required. You can specify either an HTTP address or a UNC path, depending on how you have set up the update server.
4. The utility asks you if you need a proxy to access the update server. If you do, type “Y” and then type the proxy details.
15.7 Configuring a single update endpoint to update from Sophos directly
If you want to change the configuration for multiple update endpoints, refer to section 15.5 instead.
This section assumes that Sophos will be the primary update source for this computer. However, if it will be the secondary update source, use the secondary options or parameters where indicated below.
1. At the computer that you want to configure, run the utility savsetup:
/opt/sophos-av/bin/savsetup
2. The utility asks you to select what you want to do. Select Auto-updating configuration.
3. The utility asks you to select what you want to do. Select the option to configure the primary (or secondary) update source to be Sophos. When prompted, enter the username and password that are included with your licence.
4. The utility asks you if you need a proxy to access Sophos. If you do, type “Y” and then type the proxy details.

Troubleshooting


16 Troubleshooting

This section provides answers to some common problems that you may encounter when using Sophos Anti-Virus. (For more information about Sophos Anti-Virus error codes for on-demand scans, refer to section 3.6.)
16.1 Unable to run a command
If you are unable to run a command, it might be because you don’t have sufficient privileges. Try logging in with root privileges.
16.2 Exclusion configuration hasn’t been applied
Occasionally, when you configure Sophos Anti-Virus to include items for scanning that were previously excluded, the items remain excluded. Try flushing the cache of files that have previously been scanned:
echo 'disable' > /proc/sys/talpa/intercept-filters/Cache/status
echo 'enable' > /proc/sys/talpa/intercept-filters/Cache/status
16.3 man page not found
If the system returns this message when you try to view a Sophos Anti-Virus man page, you probably need to change your system settings. Ensure that the environment variable MANPATH in your login script or profile includes /usr/local/man. If it does not include this path, add it to the environment variable as shown in the examples below. Do not alter any of the existing settings.
If you are running the sh, ksh or bash shell, enter
MANPATH=$MANPATH:/usr/local/man
export MANPATH
If you are running the csh or tcsh shell, enter
setenv MANPATH [values]:/usr/local/man
where [values] are the existing settings.
You should make these variables system-wide. To do this, amend /etc/login or /etc/profile.
If you do not have a login script, you will need to reset these values every time you restart the computer.
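The following function is an added example, not text from the manual, that does the sh/ksh/bash form of the change above in a way that can be placed in /etc/profile safely: it appends /usr/local/man only if that entry is not already present, and it does not leave a leading colon when MANPATH was unset (an empty element is treated specially by some man implementations). The function name and the csh/tcsh case being left out are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the manual): add /usr/local/man to MANPATH
# without duplicating it or disturbing existing entries, for sh/ksh/bash.
# Sourcing this from /etc/profile gives the system-wide effect that
# section 16.3 recommends.

# manpath_with DIR CURRENT: print CURRENT with DIR appended, unless
# CURRENT already contains DIR as a complete colon-separated entry.
manpath_with() {
    dir="$1"; current="$2"
    case ":$current:" in
        *":$dir:"*) printf '%s\n' "$current" ;;      # already present
        '::')       printf '%s\n' "$dir" ;;          # MANPATH was empty
        *)          printf '%s\n' "$current:$dir" ;;
    esac
}

MANPATH=$(manpath_with /usr/local/man "${MANPATH:-}")
export MANPATH
```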
16.4 Sophos Anti-Virus runs out of disk space
This problem may arise when scanning complex archive files.
When it unpacks archive files, Sophos Anti-Virus uses the /tmp directory to store its working results. If this directory is not very large, Sophos Anti-Virus may run out of disk space. Specific users may encounter the same problem if Sophos Anti-Virus exceeds their quota.
The solution is to enlarge /tmp or increase the users’ quota. Alternatively, change the directory Sophos Anti-Virus uses for working results. You can do this by setting the environment variable SAV_TMP.
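The following script is an added example and not part of the manual. It shows the SAV_TMP approach with a check in front of it: before a scan, pick the first candidate directory that is writable and has enough free space for archive unpacking, and export it as SAV_TMP. The function names, the 2048 MB threshold and the /var/scratch candidate are this example's own assumptions; the free-space figure comes from POSIX df -P in 1024-byte blocks.

```shell
#!/bin/sh
# Added example (not from the manual): choose a working directory for
# archive unpacking with enough free space, then export SAV_TMP so that
# Sophos Anti-Virus uses it instead of /tmp.

# free_mb DIR: free space on DIR's filesystem, in whole megabytes,
# taken from the POSIX 'df -P -k' output (column 4 = available 1K blocks).
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# pick_scan_tmp MIN_MB DIR...: print the first existing, writable DIR with
# at least MIN_MB free; return 1 if none qualifies.
pick_scan_tmp() {
    need="$1"; shift
    for d in "$@"; do
        [ -d "$d" ] && [ -w "$d" ] || continue
        [ "$(free_mb "$d")" -ge "$need" ] || continue
        printf '%s\n' "$d"
        return 0
    done
    return 1
}

# Usage: prefer a dedicated scratch volume (assumed path), fall back to /tmp,
# and leave SAV_TMP unset if neither has 2 GB free so the scan is not
# silently pointed at a full disk.
if dir=$(pick_scan_tmp 2048 /var/scratch /tmp); then
    SAV_TMP="$dir"
    export SAV_TMP
fi
```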
16.5 On-demand scanning runs slowly
Full scan
By default, Sophos Anti-Virus performs a quick scan, which scans only the parts of files likely to contain viruses. However, if scanning is set to full, it scans everything, and takes significantly longer to carry out a scan.
See the -f option in section 9.6.1.
Full scanning is needed in order to detect some viruses, but should only be enabled on a case-by-case basis (e.g. on advice from Sophos technical support).
Scanning all files
By default, Sophos Anti-Virus checks only files defined as executables. If it is configured to check all files the process takes longer. If you would like to scan other specific extensions, as well as executable files, add those extensions to the list of extensions Sophos Anti-Virus defines as executables.
See the -all and -ext= options in section 9.6.1.
16.6 Archiver backs up all files that have been scanned on demand
Your archiver may always back up all the files that Sophos Anti-Virus has scanned on demand. This can happen due to changes that Sophos Anti-Virus makes in the ‘status-changed’ time of files.
By default, Sophos Anti-Virus attempts to reset the access time (atime) of files to the time shown before scanning. However, this has the effect of changing the inode status-changed time (ctime). If your archiver uses the ctime to decide whether a file has changed, it backs up all files scanned by Sophos Anti-Virus.
To prevent such backups, run the savscan command with the --no-reset-atime option.
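The following script is an added illustration of the mechanism described above, not code from the manual. Putting a file's access time back is itself a metadata write: the kernel records the call as a status change and stamps a new ctime, even though the content and the restored atime are unchanged. The script assumes a Linux system with a stat that accepts -c (GNU coreutils or BusyBox); the function name and the constructed sample file are this example's own.

```shell
#!/bin/sh
# Added example (not from the manual): show why resetting atime after a
# scan changes ctime. 'touch -a -r FILE FILE' sets FILE's atime to its own
# current value, which is a no-op for atime but is still a timestamp
# update, so the kernel moves ctime to "now". Assumes 'stat -c' (Linux).

# reset_atime_changes_ctime FILE: restore FILE's atime after a one-second
# pause and report whether ctime moved. Prints "ctime-changed" or
# "ctime-unchanged"; returns 1 if the atime itself was not preserved.
reset_atime_changes_ctime() {
    f="$1"
    atime_before=$(stat -c %X "$f")    # last access, seconds since epoch
    ctime_before=$(stat -c %Z "$f")    # last status change
    sleep 1                            # make a one-second difference visible
    touch -a -r "$f" "$f"              # put the access time back where it was
    atime_after=$(stat -c %X "$f")
    ctime_after=$(stat -c %Z "$f")
    [ "$atime_after" -eq "$atime_before" ] || return 1
    if [ "$ctime_after" -ne "$ctime_before" ]; then
        echo ctime-changed
    else
        echo ctime-unchanged
    fi
}

# Demonstration on a constructed sample file.
demo_file=$(mktemp)
printf 'constructed sample\n' > "$demo_file"
reset_atime_changes_ctime "$demo_file"    # prints ctime-changed
rm -f "$demo_file"
```

This is exactly the case a ctime-based backup tool reacts to; --no-reset-atime trades an updated atime for a stable ctime.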
16.7 Virus/spyware not cleaned up
If Sophos Anti-Virus has not attempted to clean up a virus or item of spyware, check that automatic cleanup has been enabled.
If Sophos Anti-Virus could not disinfect the virus (‘Disinfection failed’), it may be that it cannot disinfect that type of virus.
You should also check the following:
If dealing with a removable medium (e.g. floppy disk, CD), make sure that it is not write-protected.
If the files are on an NTFS filesystem, deal with them on the local computer instead.
Sophos Anti-Virus does not clean up a virus/spyware fragment because it has not found an exact virus/spyware match. Refer to section 16.8.
16.8 Virus/spyware fragment reported
If a virus/spyware fragment is reported, update Sophos Anti-Virus on the affected computer, so that it has the latest virus identity files. Then run a scan of the computer. If virus/spyware fragments are still reported, contact Sophos technical support for advice.
The report of a virus/spyware fragment indicates that part of a file matches part of a virus or item of spyware. There are three possible causes:
Variant of a known virus or item of spyware
Many new viruses or items of spyware are based on existing ones, so that code fragments typical of a known virus or item of spyware may appear as part of a new one. If a virus/spyware fragment is reported, it is possible that Sophos Anti-Virus has detected a new virus or item of spyware, which could become active.
Corrupted virus
Many viruses contain bugs in their replication routines that cause them to infect target files incorrectly. An inactive portion of the virus (possibly a substantial part) may appear within the host file, and this is detected by Sophos Anti-Virus. A corrupted virus cannot spread.
Database containing a virus or item of spyware
When running a full scan, Sophos Anti-Virus may report that there is a virus/spyware fragment in a database file.
16.9 “Connection refused” error when accessing the GUI
When you try to access the Sophos Anti-Virus GUI, if an error message is displayed that tells you that the connection was refused, it might be because the Sophos Anti-Virus GUI daemon is not running. To start it, type
/etc/init.d/sav-web start
16.10 Unable to access disk with infected boot sector
By default, Sophos Anti-Virus prevents access to removable disks whose boot sectors are infected. To allow access (e.g. to copy files from a floppy disk infected with a boot sector virus), type
/opt/sophos-av/bin/savconfig set AllowIfBootSectorThreat enabled
When you have finished accessing the disk, disable the parameter. Remove the disk from the computer so that it can’t try to re-infect the computer on restart.

Glossary and index


Glossary

Boot sector: The first part of the operating system to be read into memory when a computer is switched on (booted). The program stored in the boot sector is then executed, which loads the rest of the operating system from the system files on disk.
Boot sector virus: A type of virus that subverts the initial stages of the booting process. A boot sector virus attacks either the master boot sector or the DOS boot sector.
Central installation directory: Refer to CID.
CID-based configuration file: Located in the CID. Stores Sophos Anti-Virus configuration that is to be applied across a network. Usually, changes are made to an offline file that is located elsewhere, and then these changes are applied to the live file in the CID using a utility.
CID: Central installation directory; a central location on a network from which Sophos Anti-Virus is installed and updated. You must install a different CID for each platform, and make sure every CID is kept up to date.
CID-based configuration: Central installation directory (CID)-based configuration, formerly known as corporate configuration, involves making changes to a configuration file that is stored in the CID, by setting the values of parameters using the command savconfig. Then, when endpoints update from the CID, they use this configuration.
Cleanup: Cleanup is a general term that includes disinfection and deletion.
Console-based configuration: You can manage version 6 of Sophos Anti-Virus on endpoints using Sophos Enterprise Console. This runs only on Windows. It enables you to perform most configuration using a user-friendly GUI.
Daemon: A process that runs in the background (i.e. independently of any user) with no input from or output to a terminal.
Disinfection: Disinfection removes a virus from a file or boot sector. However, it doesn’t undo any actions the virus has already taken.
Executables: By default, when Sophos Anti-Virus performs an on-demand scan, it scans only files it defines as executables (even when full scanning is enabled). It is possible to: configure Sophos Anti-Virus to scan all files that Linux defines as executables; configure Sophos Anti-Virus to scan all files; and to change the list of files defined as executables. Refer to sections 9.6.1 and 9.6.2.
Full scan: If configured to perform full on-demand scanning, Sophos Anti-Virus scans all files and all parts of files in the area it has been configured to scan. A full scan takes significantly longer than a quick scan. It is occasionally necessary in order to locate certain viruses. Refer to section 9.6.1.
Local configuration file: Located on an endpoint. Stores Sophos Anti-Virus configuration that applies to that endpoint.
Macro virus: A type of virus that uses macros in a Windows or Mac data file to become active in memory and attach itself to other data files. Unlike other types of virus, macro viruses can attain a degree of platform independence.
Master boot sector: The first physical sector on the hard disk (sector 1, head 0, track 0) which is loaded and executed when the computer is switched on (booted). It contains the partition table as well as the code to load and execute the boot sector of the ‘active’ partition.
Mount point: The point on a filesystem at which there is a transparent link to an item or items on another filesystem on the same computer. Refer also to Symbolic link.
On-access scanning: Intercepts files as they are accessed, and grants access to only those that do not pose a threat to your network.
On-demand scan: A virus/spyware scan of the computer, or parts of the computer, that you can run immediately or schedule to run at another time.
Quick scan: The default on-demand scan type. Sophos Anti-Virus scans only the parts of files that can potentially contain executable code.
Remote mount point: The point on a filesystem at which there is a transparent link to an item or items on another filesystem on a remote computer. Refer also to Symbolic link.
Sophos Anti-Virus daemon: Controls on-access scanning, and performs logging and alerting for on-access and on-demand scanning.
Spyware: A program that installs itself onto a user’s computer by stealth, subterfuge, or social engineering and sends information from that computer to a third party without the user’s permission or knowledge. Spyware includes key loggers, backdoor Trojans, password stealers, and botnet worms, which cause corporate data theft, financial loss and network damage.
Symbolic link: A link to a file or directory on another filesystem or another computer.
Syslog: A facility that logs system messages (e.g. messages from a daemon).
Trojan horse: A computer program which carries out hidden and harmful functions. Generally Trojan horses trick the user into running them by claiming to have legitimate functionality. Backdoor Trojans enable other users to take control of your computer over the internet.
Virus: A computer program that can spread across computers and networks by attaching itself to a program (such as a macro or boot sector) and making copies of itself.
Worm: A type of virus that doesn’t need a carrier program in order to replicate. Worms replicate themselves and then use communications between computers (e.g. email programs) to spread.

Index

A
accessing disks 73
alert
  command-line 18, 51
  desktop pop-up 17, 50
  email 53
archive
  on-access scanning 37
  on-demand scanning 40, 42
B
backtracking
  preserving information 46
  preventing 46
backups of scanned files 71
boot sector
  infected 73
  on-demand scanning 15
C
CD boot image 48
CID-based configuration 26
cleanup
  getting information 19
  on-access scanning 38
  on-demand scanning 20, 42, 44
command line
  overview 8
  reading arguments from file 46
compressed file 45
computer, scanning 14
configuring across a network 26
configuring on a single computer 29
console-based configuration 26
D
directory or file, scanning 14
disinfection. See cleanup
disk space insufficient 71
E
Enterprise Console 26
error codes 15, 43
excluding items, on-access scanning
  file or directory 32
  character encoding 36
  filesystem
    from file scanning 37
excluding items, on-demand scanning
  file, directory or filesystem 43
executables
  UNIX 46
  Windows/DOS 43
F
file types, all 40
filesystem, scanning 14
full scan 43
G
GUI
  configuring 59
  connection problem 73
  overview 8
I
infected boot sector 73
K
kernel
  customized 63
  new release 63
L
layer, in configuration 28
log, Sophos Anti-Virus
  configuring 58
  viewing 22
M
mailbox 44
man page not found 70
MIME file 44
Q
quarantine 19, 46
R
recursive scanning 44
remote computers, scanning 41
S
savconfig, overview 29
savsetup, overview 31
scheduling scanning 15
screen output, copy to file/device 44
slow on-demand scan 71
special objects 48
spyware
  analysis 19
  fragment reported 72
  not cleaned up 72
spyware data
  specifying location 44
spyware found
  on-access scanning 17
  on-demand scanning 18
starting filesystem only, scanning 41
starting on-access scanning 12
  automatically on system boot 11
status of on-access scanning 11
stopping on-access scanning 13
symbolically linked items 41, 46
U
updating
  configuring 64
  immediate 62
  kernel, customized 63
  kernel, new release 63
V
virus
  analysis 19
  fragment reported 72
  not cleaned up 72
  side-effects 21
virus data
  specifying location 44
virus found
  on-access scanning 17
  on-demand scanning 18
Z
zip bomb 45

Technical support

For technical support, visit www.sophos.com/support.
If you contact technical support, provide as much information as possible, including the following:
Sophos software version number(s)
Operating system(s) and patch level(s)
The exact text of any error messages

Copyright

Copyright 2005–2008 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Virus are registered trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.
Some software programs are licensed (or sublicensed) to the user under the GNU General Public License (GPL) or similar Free Software licenses which, among other rights, permit the user to copy, modify, and redistribute certain programs, or portions thereof, and have access to the source code. The GPL requires for any software licensed under the GPL, which is distributed to a user in an executable binary format, that the source code also be made available to those users. For any such software which is distributed along with this Sophos product, the source code is available via mail order by submitting a request to Sophos:
Email: savlinuxgpl@sophos.com
Mail: Sophos Plc, The Pentagon, Abingdon Science Park, Abingdon, OX14 3YP, United Kingdom.
A copy of the GPL terms can be found at www.gnu.org/copyleft/gpl.html
libmagic - file type detection
Copyright (c) Ian F. Darwin 1986, 1987, 1989, 1990, 1991, 1992, 1994, 1995.
Software written by Ian F. Darwin and others; maintained 1994-2004 Christos Zoulas.
This software is not subject to any export provision of the United States Department of Commerce, and may be exported to any country or planet.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice immediately at the beginning of the file, without modification, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Python
PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
1. This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation.
2. Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee.
3. In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python.
4. PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
5. PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
6. This License Agreement will automatically terminate upon a material breach of its terms and conditions.
7. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.
8. By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement.
Medusa web server
Medusa was once distributed under a 'free for non-commercial use' license, but in May of 2000 Sam Rushing changed the license to be identical to the standard Python license at the time. The standard Python license has always applied to the core components of Medusa, this change just frees up the rest of the system, including the http server, ftp server, utilities, etc. Medusa is therefore under the following license:
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Sam Rushing not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.
SAM RUSHING DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL SAM RUSHING BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Sam would like to take this opportunity to thank all of the folks who supported Medusa over the years by purchasing commercial licenses.
pycrypto
Distribute and use freely; there are no restrictions on further dissemination and usage except those imposed by the laws of your country of residence. This software is provided "as is" without warranty of fitness for use or suitability for any purpose, express or implied. Use at your own risk or not at all.
Incorporating the code into commercial products is permitted; you do not have to make source available or contribute your changes back (though that would be nice).
--amk (www.amk.ca)
OpenSSL cryptographic toolkit
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org.
OpenSSL LICENSE
Copyright (c) 1998–2005 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
ORIGINAL SSLeay LICENSE
Copyright (c) 1995–1998 Eric Young (eay@cryptsoft.com) All rights reserved.
This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA, lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson (tjh@cryptsoft.com).
Copyright remains Eric Young’s, and as such any Copyright notices in the code are not to be removed. If this package is used in a product, Eric Young should be given attribution as the author of the parts of the library used. This can be in the form of a textual message at program startup or in documentation (online or textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgement:
“This product includes cryptographic software written by Eric Young (eay@cryptsoft.com)”
The word “cryptographic” can be left out if the rouines from the library being used are not cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement:
“This product includes software written by Tim Hudson (tjh@cryptsoft.com)”
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence [including the GNU Public Licence.]
TinyXml Xml parser
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Zlib compression tools
(C) 1995-2002 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu
If you use the zlib library in a product, we would appreciate *not* receiving lengthy legal documents to sign. The sources are provided for free but without warranty of any kind. The library has been entirely written by Jean-loup Gailly and Mark Adler; it does not include third-party code.
If you redistribute modified sources, we would appreciate that you include in the file ChangeLog history information documenting your changes.
Copyright and licensing information for ACE™, TAO™, CIAO™, and CoSMIC™
ACE1, TAO2, CIAO3, and CoSMIC4 (henceforth referred to as “DOC software”) are copyrighted by Douglas C. Schmidt5 and his research group6 at Washington University7, University of California8, Irvine, and Vanderbilt University9, Copyright ©1993–2005, all rights reserved.
Since DOC software is open-source10, free software, you are free to use, modify, copy, and distribute–perpetually and irrevocably–the DOC software source code and object code produced from the source, as well as copy and distribute modified versions of this software. You must, however, include this copyright statement along with code built using DOC software.
You can use DOC software in commercial and/or binary software releases and are under no obligation to redistribute any of your source code that is built using DOC software. Note, however, that you may not do anything to the DOC software code, such as copyrighting it yourself or claiming authorship of the DOC software code, that will prevent DOC software from being distributed freely using an open-source development model. You needn’t inform anyone that you’re using DOC software in your software, though we encourage you to let us11 know so we can promote your project in the DOC software success stories12.
DOC software is provided as is with no warranties of any kind, including the warranties of design, merchantability, and fitness for a particular purpose, noninfringement, or arising from a course of dealing, usage or trade practice. Moreover, DOC software is provided with no support and without any obligation on the part of Washington University, UC Irvine, Vanderbilt University, their employees, or students to assist in its use, correction, modification, or enhancement. A number of companies13 around the world provide commercial support for DOC software, however. DOC software is Y2K-compliant, as long as the underlying OS platform is Y2K-compliant.
Washington University, UC Irvine, Vanderbilt University, their employees, and students shall have no liability with respect to the infringement of copyrights, trade secrets or any patents by DOC software or any part thereof. Moreover, in no event will Washington University, UC Irvine, or Vanderbilt University, their employees, or students be liable for any lost revenue or profits or other special, indirect and consequential damages.
The ACE14, TAO15, CIAO16, and CoSMIC17 web sites are maintained by the DOC Group18 at the Institute for Software Integrated Systems (ISIS)19 and the Center for Distributed Object Computing of Washington University, St. Louis20 for the development of open-source software as part of the open-source software community21. By submitting comments, suggestions, code, code snippets, techniques (including that of usage), and algorithms, submitters acknowledge that they have the right to do so, that any such submissions are given freely and unreservedly, and that they waive any claims to copyright or ownership. In addition, submitters acknowledge that any such submission might become part of the copyright maintained on the overall body of code, which comprises the DOC software. By making a submission, submitter agree to these terms. Furthermore, submitters acknowledge that the incorporation or modification of such submissions is entirely at the discretion of the moderators of the open-source DOC software projects or their designees.
The names ACE, TAO, CIAO, CoSMIC, Washington University, UC Irvine, and Vanderbilt University, may not be used to endorse or promote products or services derived from this source without express written permission from Washington University, UC Irvine, or Vanderbilt University. Further, products or services derived from this source may not be called ACE, TAO, CIAO, or CoSMIC nor may the name Washington University, UC Irvine, or Vanderbilt University appear in their names, without express written permission from Washington University, UC Irvine, and Vanderbilt University.
If you have any suggestions, additions, comments, or questions, please let me22 know.
Douglas C. Schmidt23
The ACE home page is http://www.cs.wustl.edu/ACE.html
References
1. http://www.cs.wustl.edu/~schmidt/ACE.html
2. http://www.cs.wustl.edu/~schmidt/TAO.html
3. http://www.dre.vanderbilt.edu/CIAO/
4. http://www.dre.vanderbilt.edu/cosmic/
5. http://www.dre.vanderbilt.edu/~schmidt/
6. http://www.cs.wustl.edu/~schmidt/ACE-members.html
7. http://www.wustl.edu/
8. http://www.uci.edu/
9. http://www.vanderbilt.edu/
10. http://www.the-it-resource.com/Open-Source/Licenses.html
11. mailto:doc_group@cs.wustl.edu
12. http://www.cs.wustl.edu/~schmidt/ACE-users.html
13. http://www.cs.wustl.edu/~schmidt/commercial-support.html
14. http://www.cs.wustl.edu/~schmidt/ACE.html
15. http://www.cs.wustl.edu/~schmidt/TAO.html
16. http://www.dre.vanderbilt.edu/CIAO/
17. http://www.dre.vanderbilt.edu/cosmic/
18. http://www.dre.vanderbilt.edu/
19. http://www.isis.vanderbilt.edu/
20. http://www.cs.wustl.edu/~schmidt/doc-center.html
21. http://www.opensource.org/
22. mailto:d.schmidt@vanderbilt.edu
23. http://www.dre.vanderbilt.edu/~schmidt/