Sophos Anti-Virus for Linux v6 User Manual

Sophos Anti-Virus for Linux, version 6
user manual
Document date: August 2008
User manual
About this manual
- virus/spyware scanning
- virus/spyware alerts
- cleanup
- logging
- updating.
The manual also provides help in resolving common problems.
If you want to install, upgrade, or uninstall Sophos Anti-Virus on networked and single Linux computers, refer to the Sophos Anti-Virus for Linux, version 6 startup guide.
If you want to install Sophos Anti-Virus on a mixed Linux and Windows network, or you want to centrally manage Sophos Anti-Virus using Sophos Enterprise Console, refer to the Sophos Endpoint Security and Control network startup guide.
If you want to upgrade Sophos Anti-Virus version 5 and you are using EM Library, refer to the Sophos Endpoint Security and Control network upgrade guide.
Sophos documentation is published at www.sophos.com/support/docs/ and on the Sophos CDs.

Contents

Conventions used in this manual 5
Using Sophos Anti-Virus
1 About Sophos Anti-Virus for Linux 8
2 Running on-access scanning 11
3 Running on-demand scans 14
4 What happens if viruses/spyware are found? 17
5 Cleaning up viruses/spyware 19
6 Viewing the logs 22
Configuring Sophos Anti-Virus
7 Overview of configuration 26
8 Configuring on-access scanning 32
9 Configuring on-demand scanning 40
10 Configuring alerts 50
11 Configuring the Sophos Anti-Virus log 58
12 Configuring the Sophos Anti-Virus GUI 59
Updating Sophos Anti-Virus
13 Updating Sophos Anti-Virus immediately 62
14 Kernel support 63
15 Configuring updating 64
Troubleshooting
16 Troubleshooting 70
Glossary and index
Glossary 76
Index 80
Technical support 82
Copyright 83

Conventions used in this manual

Where command-line input continues over more than one line, subsequent lines are shown indented, for example
/opt/sophos-av/bin/savconfig remove ExcludeFilesLike
    /home/fred/Report.txt
You should type what is printed without inserting a line break.

Using Sophos Anti-Virus

About Sophos Anti-Virus for Linux
Running on-access scanning
Running on-demand scans
What happens if viruses/spyware are found?
Cleaning up viruses/spyware
Viewing the logs

1 About Sophos Anti-Virus for Linux

Sophos Anti-Virus for Linux enables you to protect your network from viruses/spyware.
1.1 User interfaces
Sophos Anti-Virus has
- a command line user interface
- a graphical user interface (GUI).
The command line enables you to access all the Sophos Anti-Virus functionality and to perform all configuration. The command line is the only way to use and configure on-demand scanning and updating.
You must have root privileges to use all Sophos Anti-Virus commands except savscan, which is used for on-demand scanning.
This manual assumes that you have installed Sophos Anti-Virus in the default location. Therefore, the paths of the commands described are based on this location.
The Sophos Anti-Virus GUI enables you to
- check the status of on-access scanning
- start and stop on-access scanning
- configure archive scanning
- configure what is excluded from scanning
- configure alerts
- view the Sophos Anti-Virus log
- configure cleanup.
Although the GUI can be run by the root user (as well as other users), it doesn’t run with root privileges. Therefore, it can’t access all files on the computer.
To use the GUI, open a browser. In the address text box, type
http://localhost:8081
If you want to use a different http port in the address, configure the GUI as explained in section 12.
The browser displays the home page of the GUI.
When you browse to another page, the browser asks you for credentials so that you can use the GUI to configure Sophos Anti-Virus.
To find out your username, either ask your system administrator or, at the command line, type
/opt/sophos-av/bin/savconfig query HttpUsername
To find out your password, ask your system administrator.
To change your credentials, refer to section 12.
1.2 Scanning modes
Sophos Anti-Virus has two modes of scanning:
- on-access
- on-demand.
On-access scanning intercepts files as they are accessed, and grants access to only those that do not pose a threat to your network.
An on-demand scan is a virus/spyware scan of the computer, or parts of the computer, that you can run immediately or schedule to run at another time.
1.3 Integration with management console
Sophos Anti-Virus is integrated with Sophos Enterprise Console, which runs on Windows and enables network administrators to centrally manage Sophos Anti-Virus on endpoints.

2 Running on-access scanning

On-access scanning intercepts files as they are accessed, and grants access to only those that do not pose a threat to your network.
This section tells you how to use on-access scanning. To configure it, refer to section 8.
2.1 Checking on-access scanning is active
Command line
Type
/opt/sophos-av/bin/savdstatus
Sophos Anti-Virus displays the status of on-access scanning.
GUI
On each page, in the Status panel, the status of on-access scanning is displayed.
2.2 Checking on-access scanning will be started automatically on system boot
Command line
Assuming that you have root privileges, type
chkconfig --list
This command might not work on TurboLinux.
If the list contains an entry for sav-protect with 2:on, 3:on, 4:on and 5:on, on-access scanning will be started automatically on system boot.
Otherwise, to start on-access scanning automatically on system boot, type
/opt/sophos-av/bin/savdctl enableOnBoot savd
GUI
On the Control page, in the Startup panel, see if the check box labeled Start on-access scanning on system boot is selected. If it is not, select it to start on-access scanning automatically on system boot. Click Set to apply the change.
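An added check, not from the manual, that applies the rule above to a chkconfig --list line: sav-protect must show 2:on, 3:on, 4:on and 5:on. The sample lines are constructed for offline use, and check_this_host is a hypothetical wrapper around the real command.

```shell
#!/bin/sh
# Added example (not from the Sophos manual): decide from "chkconfig --list"
# output whether sav-protect is on in runlevels 2, 3, 4 and 5, which is the
# condition the manual gives for on-access scanning starting at system boot.

# Return 0 if the chkconfig line passed as $1 shows sav-protect on in every
# runlevel from 2 to 5, 1 otherwise. Tabs are folded to spaces first because
# chkconfig separates the runlevel columns with tabs.
sav_protect_on_boot() {
    line=$(printf '%s' "$1" | tr '\t' ' ')
    case $line in
        sav-protect\ *|sav-protect) ;;      # must be the sav-protect entry
        *) return 1 ;;
    esac
    for level in 2 3 4 5; do
        case " $line " in
            *" $level:on "*) ;;             # this runlevel is on; keep going
            *) return 1 ;;                  # missing or off: not started on boot
        esac
    done
    return 0
}

# Hypothetical helper that runs the real check on this host (needs root, and
# chkconfig may be unavailable on some distributions, as the manual notes).
check_this_host() {
    line=$(chkconfig --list sav-protect 2>/dev/null) || {
        echo "chkconfig --list failed; check the init scripts by hand"
        return 2
    }
    if sav_protect_on_boot "$line"; then
        echo "on-access scanning will start on system boot"
        return 0
    fi
    echo "not started on boot; run: /opt/sophos-av/bin/savdctl enableOnBoot savd"
    return 1
}

# Constructed sample lines in the chkconfig --list layout, for offline use.
SAMPLE_ON=$(printf 'sav-protect\t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off')
SAMPLE_OFF=$(printf 'sav-protect\t0:off\t1:off\t2:off\t3:on\t4:on\t5:on\t6:off')
SAMPLE_OTHER=$(printf 'sshd\t0:off\t1:off\t2:on\t3:on\t4:on\t5:on\t6:off')
```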
2.3 Starting on-access scanning
Command line
Type
/opt/sophos-av/bin/savdctl enable
GUI
On the Control page, in the Control panel, click Enable On-access Scanning.
2.4 Stopping on-access scanning
Command line
Type
/opt/sophos-av/bin/savdctl disable
GUI
On the Control page, in the Control panel, click Disable On-access Scanning.

3 Running on-demand scans

An on-demand scan is a virus/spyware scan of the computer, or parts of the computer, that you can run immediately or schedule to run at another time.
By default, Sophos Anti-Virus scans
- Windows/DOS executables
- .sh and .pl files
- files of a type that can be infected by macro viruses
- HTML files
- files compressed with PKLite, LZEXE and Diet
- directories below the one specified
- items pointed to by symbolic links.
For a full list of the file types scanned, type
savscan -vv
For information on changing these settings, see section 9.
3.1 Scanning the computer
To scan the computer, type
savscan /
3.2 Scanning a particular directory or file
To scan a particular directory or file, use the path of the item to be scanned, for example
savscan /usr/mydirectory/myfile
3.3 Scanning a filesystem
To scan a filesystem, use the name of the filesystem, for example
savscan /home
More than one filesystem can be entered at the command line.
3.4 Scanning a boot sector
You can scan boot sectors of logical and physical drives.
To scan boot sectors, log in as superuser (to get sufficient permission to access the disk devices) and then use one of the commands shown below.
To scan the boot sectors of specified logical drives, type
savscan -bs=XXX,XXX,...
where XXX is the name of a drive (for example /dev/fd0 or /dev/hda1).
To scan boot sectors for all logical drives that Sophos Anti-Virus recognises, type
savscan -bs
To scan the master boot records for all the fixed physical drives on the computer, type
savscan -mbr
3.5 Scheduling a scan
To scan the computer at set times automatically, use the crontab facility. For more information, refer to Sophos support knowledgebase article 12176 (www.sophos.com/support/knowledgebase/article/12176.html).
3.6 Error codes
savscan returns error codes if there is an error or if viruses or spyware are found.
0 If no errors are encountered and no viruses/spyware are found.
1 If the user interrupts the execution by pressing ‘Ctrl’+‘c’.
2 If some error preventing further execution of a scan is discovered.
3 If viruses/spyware or virus fragments are discovered.
3.6.1 Extended error codes
A different set of error codes is returned if the savscan command is run with the -eec option.
0 If no errors are encountered and no viruses/spyware are found.
8 If survivable errors have occurred.
16 If password-protected files have been found. (They are not scanned.)
20 If viruses/spyware have been found and disinfected.
24 If viruses/spyware have been found and not disinfected.
28 If viruses/spyware have been found in memory.
32 If there has been an integrity check failure.
36 If unsurvivable errors have occurred.
40 If execution has been interrupted.

4 What happens if viruses/spyware are found?

4.1 If viruses/spyware are found during on-access scanning
If Sophos Anti-Virus finds a virus or item of spyware during an on-access scan, it denies access to the file and displays a message box like the one shown below.
If the message box cannot be displayed, the alert is shown at the command line.
Sophos Anti-Virus also logs the event in the Sophos Anti-Virus log, and sends an alert to Enterprise Console if this is managing the computer.
Refer to section 5 for information on cleaning up viruses/spyware.
4.2 If viruses/spyware are found when you run an on-demand scan
If Sophos Anti-Virus finds a virus or item of spyware, it reports it on the line which starts with >>> followed by either “Virus” or “Virus Fragment”:
SAVScan virus detection utility
Version X.XX.XX [Linux/Intel]
Virus data version X.XX, February 2007
Includes detection for 201433 viruses, trojans and worms
Copyright (c) 1989-2007 Sophos Plc, www.sophos.com

System time 10:23:49, System date 11 February 2007

Quick Scanning

>>> Virus 'EICAR-AV-Test' found in file /usr/mydirectory/eicar.src

33 files scanned in 2 seconds.
1 virus was discovered.
1 file out of 33 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com or telephone +44 1235 559933
End of Scan.
Sophos Anti-Virus also logs the event in the Sophos Anti-Virus log.
Refer to section 5 for information on cleaning up viruses/spyware.
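An added example, not part of the manual: a wrapper for the cron-scheduled scan of section 3.5 that runs savscan with -eec, maps the extended exit codes of section 3.6.1, and picks the >>> detection lines out of the output layout shown above. The sample output is constructed, the Virus Fragment line is assumed to use the same layout as the Virus line, and logger(1) is used to reach syslog.

```shell
#!/bin/sh
# Added example, not part of the Sophos manual: wrapper for a scheduled (cron)
# on-demand scan. It runs savscan with -eec, reports each ">>> Virus ..." line
# using the output layout shown above, maps the extended exit code to the
# manual's table and returns a simple outcome for monitoring.

SAVSCAN=${SAVSCAN:-/opt/sophos-av/bin/savscan}   # default install path
TAB=$(printf '\t')

# Turn savscan detection lines into "NAME<TAB>PATH" records, one per line,
# reading the scan output on stdin. Other lines are dropped. The "Virus
# Fragment" form is assumed to use the same layout as the "Virus" line.
parse_detections() {
    sed -n "s/^>>> Virus \(Fragment \)\{0,1\}'\([^']*\)' found in file \(.*\)/\2${TAB}\3/p"
}

# Describe an extended (-eec) exit code and return an outcome:
# 0 clean, 1 threat found, 2 incomplete or failed scan, 3 unknown code.
describe_eec() {
    case $1 in
        0)  echo "no errors, no viruses/spyware found"; return 0 ;;
        8)  echo "survivable errors occurred"; return 2 ;;
        16) echo "password-protected files found (not scanned)"; return 2 ;;
        20) echo "viruses/spyware found and disinfected"; return 1 ;;
        24) echo "viruses/spyware found and not disinfected"; return 1 ;;
        28) echo "viruses/spyware found in memory"; return 1 ;;
        32) echo "integrity check failure"; return 2 ;;
        36) echo "unsurvivable errors occurred"; return 2 ;;
        40) echo "execution interrupted"; return 2 ;;
    esac
    echo "unknown extended exit code $1"; return 3
}

# Scan PATH, write one syslog line per detection plus a summary via logger(1),
# and return the outcome so cron mail or a monitoring job can act on it.
scheduled_scan() {
    path=$1
    output=$("$SAVSCAN" "$path" -eec 2>&1)
    code=$?
    printf '%s\n' "$output" | parse_detections | while IFS=$TAB read -r name file; do
        logger -t sav-scheduled-scan "detected '$name' in $file"
    done
    summary=$(describe_eec "$code")
    outcome=$?
    logger -t sav-scheduled-scan "$path: $summary (savscan exit $code)"
    return $outcome
}

# Constructed sample output, following the layout the manual shows above.
SAMPLE_OUTPUT="Quick Scanning

>>> Virus 'EICAR-AV-Test' found in file /usr/mydirectory/eicar.src
>>> Virus Fragment 'Sample-Fragment' found in file /tmp/a b.txt

2 files scanned in 1 second."
```

Call scheduled_scan / (or a narrower path) from a crontab entry; extra savscan options such as -di can be added on the savscan line.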

5 Cleaning up viruses/spyware

5.1 Getting cleanup information
If viruses/spyware are reported, you can get information and cleanup advice from the Sophos website. Go to the threat analyses page (www.sophos.com/security/analyses). Search for the analysis of the virus or item of spyware, by using the name that was reported by Sophos Anti-Virus.
5.2 Quarantining infected files
You can configure Sophos Anti-Virus to put infected files into quarantine (i.e. to prevent them from being accessed). It does this by changing the ownership and permissions for the file.
To specify quarantining, type
savscan PATH --quarantine
where PATH is the path to be scanned.
By default, Sophos Anti-Virus changes
- the user ownership of an infected file to the user running Sophos Anti-Virus
- the group ownership of the file to the group to which that user belongs
- the file permissions to -r-------- (0400).
If you prefer, you can change the user or group ownership and file permissions that Sophos Anti-Virus applies to infected files. You do so by using these parameters:
- uid=NNN
- user=USERNAME
- gid=NNN
- group=GROUP-NAME
- mode=PPP
You cannot specify more than one parameter of each type, e.g. you cannot enter the same username twice, or enter a uid and a username.
For each parameter you do not specify, the default setting (as given above) is used.
For example:
savscan fred --quarantine:user=virus,group=virus,mode=0400
will change an infected file’s user ownership to virus, the group ownership to virus, and the file permissions to -r--------. This means the file is owned by the user virus and group virus, but only the user virus can access the file (and only for reading). No one else can do anything to the file (apart from root).
If you specify disinfection (refer to section 5.3) as well as quarantining, Sophos Anti-Virus attempts to disinfect infected items and quarantines them only if disinfection fails.
5.3 Setting up automatic cleanup for on-demand scanning
Sophos Anti-Virus can disinfect or delete infected items automatically, when you run an on-demand scan. Any actions that Sophos Anti-Virus takes against infected items are listed in the scan summary and logged in the Sophos Anti-Virus log. By default, automatic cleanup is disabled.
The method you use depends on whether you want to clean up a file or a boot sector.
5.3.1 Cleaning up files
To disinfect a specific file, type
savscan FILE-PATH -di
Alternatively, to disinfect all files on the computer, type
savscan / -di
In either case, Sophos Anti-Virus asks for confirmation before it disinfects.
Disinfection of documents does not repair any changes the virus has made in the document. (Refer to section 5.1 to find out how to view details on the Sophos website of the virus’s side-effects.)
To delete a specific infected file, type
savscan FILE-PATH -remove
Alternatively, to delete all infected files on the computer, type
savscan / -remove
In either case, Sophos Anti-Virus asks for confirmation before it deletes.
5.3.2 Disinfecting a boot sector
To disinfect a boot sector, type
savscan -bs=XXX -di
where XXX is the name of a drive.
For example, to eliminate a virus in the floppy drive, type
savscan -bs=/dev/fd0 -di
5.4 Recovering from virus side-effects
Recovery from virus infection depends on how the virus infected the computer. Some viruses leave you with no side-effects to deal with, others may have such extreme side-effects that you have to restore a hard disk in order to recover.
Some viruses gradually make minor changes to data. This type of corruption can be hard to detect. It is therefore very important that you read the virus analysis on the Sophos website, and check documents carefully after disinfection.
Sound backups are crucial. If you did not have them before you were infected, start keeping them in case of future infections.
Sometimes you can recover data from disks damaged by a virus. Sophos can supply utilities for repairing the damage caused by some viruses. Contact Sophos technical support for advice.

6 Viewing the logs

Sophos Anti-Virus logs details of scanning activity in the Sophos Anti-Virus log and syslog. In addition, virus/spyware and error events are logged in the Sophos Anti-Virus log. Messages in the Sophos Anti-Virus log are translated into the languages that the product supports.
Command line
Use the command savlog. This can be used with various command-line options to restrict the output to certain messages and control the display. For example, to display all messages logged to the Sophos Anti-Virus log in the last 24 hours, and to display the date and time in UTC/ISO 8601 format, type
/opt/sophos-av/bin/savlog --today --utc
To see a complete list of the options that can be used with savlog, type
man savlog
GUI
Go to the Log Viewer page.
Using the text boxes and radio buttons in the Log Selection panel, specify the messages that you want to display. Then click View Log to display the messages in the Log Contents panel.

Configuring Sophos Anti-Virus

Overview of configuration
Configuring on-access scanning
Configuring on-demand scanning
Configuring alerts
Configuring the Sophos Anti-Virus log
Configuring the Sophos Anti-Virus GUI

7 Overview of configuration

This section applies to all configuration except that for on-demand scanning, which is explained in section 9. Use of Sophos Enterprise Console or the commands savconfig or savsetup has no effect on on-demand scanning.
7.1 Console-based configuration of Sophos Anti-Virus across a network
You can manage version 6 of Sophos Anti-Virus on endpoints using Enterprise Console, which runs on Windows. It enables you to perform most configuration using a user-friendly GUI. Installation of the console is described in the Sophos Endpoint Security and Control network startup guide, published at www.sophos.com/support/docs/ and on the Sophos CDs.
For more information on using the console to configure Sophos Anti-Virus, refer to the console help. Also, if you use the console, the following apply concerning configuration:
- Parameters that cannot be set using the console can be set on each endpoint locally, using savconfig (section 7.4). These parameters are ignored by the console.
- Auto-updating is configured using only the console: it can’t be configured on the endpoint.
Sophos does not support the use of console-based and CID-based configuration, formerly known as corporate configuration, together. If you used CID-based configuration with version 5 of Sophos Anti-Virus, you must choose whether to continue using this or to start using Enterprise Console instead. If you choose to start using Enterprise Console, refer to Sophos support knowledgebase article 22297 (www.sophos.com/support/knowledgebase/article/22297.html).
7.2 CID-based configuration of Sophos Anti-Virus across a network
Central installation directory (CID)-based configuration, formerly known as corporate configuration, doesn’t require a Windows computer. It involves making changes to a configuration file that is stored in the CID, by setting the values of parameters using the command savconfig (section 7.4). Then, when endpoints update from the CID, they use this configuration. You can also lock any parameters so that they can’t be modified on endpoints. In this way, you can determine the configuration of Sophos Anti-Virus on each endpoint, without fear that the settings will be changed by an endpoint user.
There are two configuration files: the live configuration file in the CID and the offline configuration file stored elsewhere. When you want to change the live file, you change the offline file, and use a program to replace the live file with the offline file.
7.2.1 Creating the live configuration file in the CID
1. Create the offline configuration file in a directory of your choice other than the CID. You must use the command savconfig, and specify
- the name of the offline file, including the filename extension cfg
- that you are accessing the Corporate layer of the file (for more information on layers, refer to section 7.2.3)
- the setting of a parameter.
Use the following syntax:
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set PARAMETER VALUE
where CONFIG-FILE is the path of the offline file, -c indicates that you want to access the Corporate layer, “set” indicates that you want to set the value of a parameter, PARAMETER is the parameter that you want to set and VALUE is the value to which you want to set the parameter. For example, to create a file called CIDconfig.cfg and to start on-access scanning when the Sophos Anti-Virus daemon is started, type
/opt/sophos-av/bin/savconfig -f CIDconfig.cfg -c set EnableOnStart
    Enabled
For information on using savconfig, refer to section 7.4.
2. Set other parameters, as necessary, using the command savconfig. You must specify the name of the offline file and that you are accessing the Corporate layer, as above.
3. To view the settings of parameters, use the query operation. You can view the setting of an individual parameter or all parameters. For example, to view the settings of all the parameters that you have set, type
/opt/sophos-av/bin/savconfig -f CIDconfig.cfg -c query
4. When you have finished setting parameters, run the addcfg utility to copy the configuration to the CID, ready for endpoints to download when they next update. The utility is in the CID. Depending on where the CID is, type
/opt/sophos-av/update/cache/Primary/addcfg.sh -f CONFIG-FILE
where CONFIG-FILE is the path of the offline file.
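An added example, not part of the manual, that scripts the four steps above: it sets Corporate-layer parameters in the offline file with savconfig -f FILE -c set, queries the result, and publishes it with addcfg.sh. The command paths are the manual's defaults; the SAVCONFIG and ADDCFG variables and the cid_* function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Sophos manual: scripts the four-step procedure
# above. It builds the offline file with "savconfig -f FILE -c set", shows the
# result with "-c query", then copies the file into the CID with addcfg.sh.
# Command paths are the manual's defaults; SAVCONFIG and ADDCFG may be set in
# the environment to override them (for example to "echo" for a dry run).

savconfig_cmd() { "${SAVCONFIG:-/opt/sophos-av/bin/savconfig}" "$@"; }
addcfg_cmd()    { "${ADDCFG:-/opt/sophos-av/update/cache/Primary/addcfg.sh}" "$@"; }

# Set one Corporate-layer parameter in the offline file. Empty names or values
# are rejected so a typo cannot silently write a half-formed setting.
cid_set() {
    cfg=$1; name=$2; value=$3
    if [ -z "$cfg" ] || [ -z "$name" ] || [ -z "$value" ]; then
        echo "usage: cid_set CONFIG-FILE PARAMETER VALUE" >&2
        return 2
    fi
    savconfig_cmd -f "$cfg" -c set "$name" "$value"
}

# Apply NAME=VALUE settings to the offline file (which must carry the cfg
# extension, as step 1 requires), stop at the first failure, then query the
# Corporate layer so the result can be reviewed before publishing.
cid_build() {
    cfg=$1; shift
    case $cfg in
        *.cfg) ;;
        *) echo "offline file must use the .cfg extension: $cfg" >&2; return 2 ;;
    esac
    for setting in "$@"; do
        case $setting in
            *=*) ;;
            *) echo "expected NAME=VALUE, got: $setting" >&2; return 2 ;;
        esac
        cid_set "$cfg" "${setting%%=*}" "${setting#*=}" || return 1
    done
    savconfig_cmd -f "$cfg" -c query
}

# Step 4: copy the finished offline file into the CID so endpoints pick it up
# at their next update.
cid_publish() {
    addcfg_cmd -f "$1"
}
```

A typical run is cid_build CIDconfig.cfg EnableOnStart=Enabled followed by cid_publish CIDconfig.cfg, both as root.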