This user manual explains how to use Sophos Anti-Virus for Linux and how
to configure
virus/spyware scanning
virus/spyware alerts
cleanup
logging
updating.
The manual also provides help in resolving common problems.
If you want to install, upgrade, or uninstall Sophos Anti-Virus on networked
and single Linux computers, refer to the Sophos Anti-Virus for Linux, version 6 startup guide.
If you want to install Sophos Anti-Virus on a mixed Linux and Windows
network, or you want to centrally manage Sophos Anti-Virus using Sophos
Enterprise Console, refer to the Sophos Endpoint Security and Control network startup guide.
If you want to upgrade Sophos Anti-Virus version 5 and you are using
EM Library, refer to the Sophos Endpoint Security and Control network upgrade guide.
Sophos documentation is published at www.sophos.com/support/docs/ and
on the Sophos CDs.
Contents
Conventions used in this manual 5
Using Sophos Anti-Virus
1 About Sophos Anti-Virus for Linux 8
2 Running on-access scanning 11
3 Running on-demand scans 14
4 What happens if viruses/spyware are found? 17
5 Cleaning up viruses/spyware 19
Sophos Anti-Virus for Linux, version 6
6 Viewing the logs 22
Configuring Sophos Anti-Virus
7 Overview of configuration 26
8 Configuring on-access scanning 32
9 Configuring on-demand scanning 40
10 Configuring alerts 50
11 Configuring the Sophos Anti-Virus log 58
12 Configuring the Sophos Anti-Virus GUI 59
Updating Sophos Anti-Virus
13 Updating Sophos Anti-Virus immediately 62
14 Kernel support 63
15 Configuring updating 64
Troubleshooting
16 Troubleshooting 70
User manual
Glossary and index
Glossary 76
Index 80
Technical support 82
Copyright 83
Conventions used in this manual
Where command-line input continues over more than one line, subsequent
lines are shown indented, for example
You should type what is printed without inserting a line break.
Using Sophos Anti-Virus
About Sophos Anti-Virus for Linux
Running on-access scanning
Running on-demand scans
What happens if viruses/spyware are found?
Cleaning up viruses/spyware
Viewing the logs
1 About Sophos Anti-Virus for Linux
Sophos Anti-Virus for Linux enables you to protect your network from
viruses/spyware.
1.1 User interfaces
Sophos Anti-Virus has
a command line user interface
a graphical user interface (GUI).
The command line enables you to access all the Sophos Anti-Virus
functionality and to perform all configuration. The command line is the only
way to use and configure on-demand scanning and updating.
You must have root privileges to use all Sophos Anti-Virus commands
except savscan, which is used for on-demand scanning.
This manual assumes that you have installed Sophos Anti-Virus in the
default location. Therefore, the paths of the commands described are based
on this location.
The Sophos Anti-Virus GUI enables you to
check the status of on-access scanning
start and stop on-access scanning
configure archive scanning
configure what is excluded from scanning
configure alerts
view the Sophos Anti-Virus log
configure cleanup.
Although the GUI can be run by the root user (as well as other users), it
doesn’t run with root privileges. Therefore, it can’t access all files on the
computer.
To use the GUI, open a browser. In the address text box, type
http://localhost:8081
If you want to use a different http port in the address, configure the GUI as
explained in section 12.
The browser displays the home page of the GUI.
When you browse to another page, the browser asks you for credentials so
that you can use the GUI to configure Sophos Anti-Virus.
To find out your username, either ask your system administrator or, at the
command line, type
/opt/sophos-av/bin/savconfig query HttpUsername
To find out your password, ask your system administrator.
To change your credentials, refer to section 12.
1.2 Scanning modes
Sophos Anti-Virus has two modes of scanning:
on-access
on-demand.
On-access scanning intercepts files as they are accessed, and grants access
to only those that do not pose a threat to your network.
An on-demand scan is a virus/spyware scan of the computer, or parts of
the computer, that you can run immediately or schedule to run at another
time.
1.3 Integration with management console
Sophos Anti-Virus is integrated with Sophos Enterprise Console, which runs
on Windows and enables network administrators to centrally manage
Sophos Anti-Virus on endpoints.
2 Running on-access scanning
On-access scanning intercepts files as they are accessed, and grants access
to only those that do not pose a threat to your network.
This section tells you how to use on-access scanning. To configure it, refer
to section 8.
2.1 Checking on-access scanning is active
Command line
Type
/opt/sophos-av/bin/savdstatus
Sophos Anti-Virus displays the status of on-access scanning.
GUI
On each page, in the Status panel, the status of on-access scanning is
displayed.
2.2 Checking on-access scanning will be started automatically on system boot
Command line
Assuming that you have root privileges, type
chkconfig --list
This command might not work on TurboLinux.
If the list contains an entry for sav-protect with 2:on, 3:on, 4:on and 5:on,
on-access scanning will be started automatically on system boot.
Otherwise, to start on-access scanning automatically on system boot, type
/opt/sophos-av/bin/savdctl enableOnBoot savd
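The check above can be scripted so that a host audit fails when sav-protect is not enabled at every one of runlevels 2 to 5. The following is an added example, not Sophos code; it assumes savdctl is in the default location /opt/sophos-av/bin.

```shell
#!/bin/sh
# Added example, not Sophos code: parse the chkconfig --list output from
# section 2.2 and confirm sav-protect is "on" at runlevels 2, 3, 4 and 5,
# enabling it with savdctl if it is not.
# Assumption: savdctl is in the default location /opt/sophos-av/bin.
SAVDCTL=/opt/sophos-av/bin/savdctl

# Read chkconfig output on stdin; succeed only if the sav-protect entry is
# present and shows N:on for every N in 2 3 4 5.
sav_onboot_enabled() {
    # chkconfig separates fields with tabs; squeeze them to single spaces.
    line=$(grep '^sav-protect[[:space:]]' | tr -s '[:space:]' ' ')
    [ -n "$line" ] || return 1
    for lvl in 2 3 4 5; do
        case " $line " in
            *" $lvl:on "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Live check: report the current state and repair it (needs root, and
# chkconfig may be unavailable, for example on TurboLinux).
ensure_sav_onboot() {
    if chkconfig --list 2>/dev/null | sav_onboot_enabled; then
        echo "sav-protect already starts on boot"
    else
        echo "enabling sav-protect on boot"
        "$SAVDCTL" enableOnBoot savd
    fi
}
```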
GUI
On the Control page, in the Startup panel, see if the check box labeled
Start on-access scanning on system boot is selected. If it is not, select it to
start on-access scanning automatically on system boot. Click Set to apply
the change.
2.3 Starting on-access scanning
Command line
Type
/opt/sophos-av/bin/savdctl enable
GUI
On the Control page, in the Control panel, click Enable On-access
Scanning.
2.4 Stopping on-access scanning
Command line
Type
/opt/sophos-av/bin/savdctl disable
GUI
On the Control page, in the Control panel, click Disable On-access
Scanning.
3 Running on-demand scans
An on-demand scan is a virus/spyware scan of the computer, or parts of
the computer, that you can run immediately or schedule to run at another
time.
By default, Sophos Anti-Virus scans
Windows/DOS executables
.sh and .pl files
files of a type that can be infected by macro viruses
HTML files
files compressed with PKLite, LZEXE and Diet
directories below the one specified
items pointed to by symbolic links.
For a full list of the file types scanned, type
savscan -vv
For information on changing these settings, see section 9.
3.1 Scanning the computer
To scan the computer, type
savscan /
3.2 Scanning a particular directory or file
To scan a particular directory or file, use the path of the item to be
scanned, for example
savscan /usr/mydirectory/myfile
3.3 Scanning a filesystem
To scan a filesystem, use the name of the filesystem, for example
savscan /home
More than one filesystem can be entered at the command line.
3.4 Scanning a boot sector
You can scan boot sectors of logical and physical drives.
To scan boot sectors, log in as superuser (to get sufficient permission to
access the disk devices) and then use one of the commands shown below.
To scan the boot sectors of specified logical drives, type
savscan -bs=XXX,XXX,...
where XXX is the name of a drive (for example /dev/fd0 or /dev/hda1).
To scan boot sectors for all logical drives that Sophos Anti-Virus recognises,
type
savscan -bs
To scan the master boot records for all the fixed physical drives on the
computer, type
savscan -mbr
3.5 Scheduling a scan
To scan the computer at set times automatically, use the crontab facility.
For more information, refer to Sophos support knowledgebase article
12176 (www.sophos.com/support/knowledgebase/article/12176.html).
3.6 Error codes
savscan returns error codes if there is an error or if viruses or spyware are
found.
0 If no errors are encountered and no viruses/spyware are found.
1 If the user interrupts the execution by pressing ‘Ctrl’+‘c’.
2 If some error preventing further execution of a scan is discovered.
3 If viruses/spyware or virus fragments are discovered.
3.6.1 Extended error codes
A different set of error codes are returned if the savscan command is run
with the -eec option.
0 If no errors are encountered and no viruses/spyware are found.
8 If survivable errors have occurred.
16 If password-protected files have been found. (They are not scanned.)
20 If viruses/spyware have been found and disinfected.
24 If viruses/spyware have been found and not disinfected.
28 If viruses/spyware have been found in memory.
32 If there has been an integrity check failure.
36 If unsurvivable errors have occurred.
40 If execution has been interrupted.
4 What happens if viruses/spyware are found?
4.1 If viruses/spyware are found during on-access scanning
If Sophos Anti-Virus finds a virus or item of spyware during an on-access
scan, it denies access to the file and displays a message box like the one
shown below.
If the message box cannot be displayed, the alert is shown at the command
line.
Sophos Anti-Virus also logs the event in the Sophos Anti-Virus log, and
sends an alert to Enterprise Console if this is managing the computer.
Refer to section 5 for information on cleaning up viruses/spyware.
4.2 If viruses/spyware are found when you run an on-demand scan
If Sophos Anti-Virus finds a virus or item of spyware, it reports it on the line
which starts with >>> followed by either “Virus” or “Virus Fragment”:
SAVScan virus detection utility
Version X.XX.XX [Linux/Intel]
Virus data version X.XX, February 2007
Includes detection for 201433 viruses, trojans and worms
Copyright (c) 1989-2007 Sophos Plc, www.sophos.com
System time 10:23:49, System date 11 February 2007
Quick Scanning
>>> Virus 'EICAR-AV-Test' found in file /usr/mydirectory/eicar.src
33 files scanned in 2 seconds.
1 virus was discovered.
1 file out of 33 was infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
End of Scan.
Sophos Anti-Virus also logs the event in the Sophos Anti-Virus log.
Refer to section 5 for information on cleaning up viruses/spyware.
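A scan scheduled from crontab (section 3.5) has no one watching the screen, so a wrapper has to read the extended error code from -eec (section 3.6.1) and pick the >>> detection lines out of the report shown above (section 4.2). The following is an added example, not Sophos code; it assumes savscan is in the default location /opt/sophos-av/bin and uses logger(1) to write to syslog.

```shell
#!/bin/sh
# Added example, not Sophos code: run savscan from cron (3.5), act on the
# extended error codes returned with -eec (3.6.1) and pull the ">>> Virus"
# and ">>> Virus Fragment" lines out of the report (4.2).
# Assumption: savscan is in the default location /opt/sophos-av/bin.
SAVSCAN=/opt/sophos-av/bin/savscan

# Extended error code -> description, as listed in section 3.6.1.
eec_describe() {
    case "$1" in
        0)  echo "no errors and no viruses/spyware found" ;;
        8)  echo "survivable errors occurred" ;;
        16) echo "password-protected files found (not scanned)" ;;
        20) echo "viruses/spyware found and disinfected" ;;
        24) echo "viruses/spyware found and not disinfected" ;;
        28) echo "viruses/spyware found in memory" ;;
        32) echo "integrity check failure" ;;
        36) echo "unsurvivable errors occurred" ;;
        40) echo "execution interrupted" ;;
        *)  echo "unknown savscan exit code $1" ;;
    esac
}

# Coarse outcome for alerting: clean, review (scan finished but something
# needs a look), infected (a detection still needs cleanup) or failed.
eec_classify() {
    case "$1" in
        0)        echo clean ;;
        8|16|20)  echo review ;;
        24|28)    echo infected ;;
        *)        echo failed ;;
    esac
}

# Print "NAME PATH" for each detection line of a savscan report on stdin.
report_detections() {
    sed -n "s/^>>> Virus[^']*'\(.*\)' found in file \(.*\)$/\1 \2/p"
}

# Scan PATH (default /) with -eec, log a summary and each detection to
# syslog with logger(1), and return the savscan exit code unchanged.
scheduled_scan() {
    path=${1:-/}
    report=$(mktemp) || return 1
    if "$SAVSCAN" "$path" -eec >"$report" 2>&1; then code=0; else code=$?; fi
    logger -t savscan-cron \
        "scan of $path: $(eec_classify "$code") - $(eec_describe "$code")"
    report_detections <"$report" | while read -r name file; do
        logger -t savscan-cron "detected $name in $file"
    done
    rm -f "$report"
    return "$code"
}

# Constructed report line in the format shown in section 4.2, for trying
# report_detections without running a scan.
SAMPLE_REPORT=">>> Virus 'EICAR-AV-Test' found in file /usr/mydirectory/eicar.src"
```

Because savscan -di asks for confirmation before disinfecting (section 5.3.1), the wrapper only reports; cleanup stays an interactive step.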
5 Cleaning up viruses/spyware
5.1 Getting cleanup information
If viruses/spyware are reported, you can get information and cleanup
advice from the Sophos website. Go to the threat analyses page
(www.sophos.com/security/analyses). Search for the analysis of the virus
or item of spyware, by using the name that was reported by Sophos
Anti-Virus.
5.2 Quarantining infected files
You can configure Sophos Anti-Virus to put infected files into quarantine
(i.e. to prevent them from being accessed). It does this by changing the
ownership and permissions for the file.
To specify quarantining, type
savscan PATH --quarantine
where PATH is the path to be scanned.
By default, Sophos Anti-Virus changes
the user ownership of an infected file to the user running Sophos
Anti-Virus
the group ownership of the file to the group to which that user belongs
the file permissions to -r-------- (0400).
If you prefer, you can change the user or group ownership and file
permissions that Sophos Anti-Virus applies to infected files. You do so by
using these parameters:
You cannot specify more than one parameter of each type, e.g. you cannot
enter the same username twice, or enter a uid and a username.
For each parameter you do not specify, the default setting (as given above)
is used.
For example:
savscan fred --quarantine:user=virus,group=virus,mode=0400
will change an infected file’s user ownership to virus, the group ownership
to virus, and the file permissions to -r--------. This means the file is owned
by the user virus and group virus, but only the user virus can access the file
(and only for reading). No one else can do anything to the file (apart from
root).
If you specify disinfection (refer to section 5.3) as well as quarantining,
Sophos Anti-Virus attempts to disinfect infected items and quarantines
them only if disinfection fails.
5.3 Setting up automatic cleanup for on-demand scanning
Sophos Anti-Virus can disinfect or delete infected items automatically, when
you run an on-demand scan. Any actions that Sophos Anti-Virus takes
against infected items are listed in the scan summary and logged in the
Sophos Anti-Virus log. By default, automatic cleanup is disabled.
The method you use depends on whether you want to clean up a file or a
boot sector.
5.3.1 Cleaning up files
To disinfect a specific file, type
savscan FILE-PATH -di
Alternatively, to disinfect all files on the computer, type
savscan / -di
In either case, Sophos Anti-Virus asks for confirmation before it disinfects.
Disinfection of documents does not repair any changes the virus has made
in the document. (Refer to section 5.1 to find out how to view details on
the Sophos website of the virus’s side-effects.)
To delete a specific infected file, type
savscan FILE-PATH -remove
Alternatively, to delete all infected files on the computer, type
savscan / -remove
In either case, Sophos Anti-Virus asks for confirmation before it deletes.
5.3.2 Disinfecting a boot sector
To disinfect a boot sector, type
savscan -bs=XXX -di
where XXX is the name of a drive.
For example, to eliminate a virus in the floppy drive, type
savscan -bs=/dev/fd0 -di
5.4 Recovering from virus side-effects
Recovery from virus infection depends on how the virus infected the
computer. Some viruses leave you with no side-effects to deal with, others
may have such extreme side-effects that you have to restore a hard disk in
order to recover.
Some viruses gradually make minor changes to data. This type of
corruption can be hard to detect. It is therefore very important that you
read the virus analysis on the Sophos website, and check documents
carefully after disinfection.
Sound backups are crucial. If you did not have them before you were
infected, start keeping them in case of future infections.
Sometimes you can recover data from disks damaged by a virus. Sophos
can supply utilities for repairing the damage caused by some viruses.
Contact Sophos technical support for advice.
6 Viewing the logs
Sophos Anti-Virus logs details of scanning activity in the Sophos Anti-Virus
log and syslog. In addition, virus/spyware and error events are logged in
the Sophos Anti-Virus log. Messages in the Sophos Anti-Virus log are
translated into the languages that the product supports.
Command line
Use the command savlog. This can be used with various command-line
options to restrict the output to certain messages and control the display.
For example, to display all messages logged to the Sophos Anti-Virus log in
the last 24 hours, and to display the date and time in UTC/ISO 8601
format, type
/opt/sophos-av/bin/savlog --today --utc
To see a complete list of the options that can be used with savlog, type
man savlog
GUI
Go to the Log Viewer page.
Using the text boxes and radio buttons in the Log Selection panel, specify
the messages that you want to display. Then click View Log to display the
messages in the Log Contents panel.
Configuring Sophos Anti-Virus
Overview of configuration
Configuring on-access scanning
Configuring on-demand scanning
Configuring alerts
Configuring the Sophos Anti-Virus log
Configuring the Sophos Anti-Virus GUI
7 Overview of configuration
This section applies to all configuration except that for on-demand scanning,
which is explained in section 9. Use of Sophos Enterprise Console or the
commands savconfig or savsetup has no effect on on-demand scanning.
7.1 Console-based configuration of Sophos Anti-Virus across a
network
You can manage version 6 of Sophos Anti-Virus on endpoints using
Enterprise Console, which runs on Windows. It enables you to perform most
configuration using a user-friendly GUI. Installation of the console is
described in the Sophos Endpoint Security and Control network startup guide, published at www.sophos.com/support/docs/ and on the Sophos
CDs.
For more information on using the console to configure Sophos Anti-Virus,
refer to the console help. Also, if you use the console, the following apply
concerning configuration:
Parameters that cannot be set using the console can be set on each
endpoint locally, using savconfig (section 7.4). These parameters are
ignored by the console.
Auto-updating is configured using only the console: it can’t be configured
on the endpoint.
Sophos does not support the use of console-based and CID-based
configuration, formerly known as corporate configuration, together. If you
used CID-based configuration with version 5 of Sophos Anti-Virus, you must
choose whether to continue using this or to start using Enterprise Console
instead. If you choose to start using Enterprise Console, refer to Sophos
support knowledgebase article 22297
(www.sophos.com/support/knowledgebase/article/22297.html).
7.2 CID-based configuration of Sophos Anti-Virus across a network
Central installation directory (CID)-based configuration, formerly known as
corporate configuration, doesn’t require a Windows computer. It involves
making changes to a configuration file that is stored in the CID, by setting
the values of parameters using the command savconfig (section 7.4). Then,
when endpoints update from the CID, they use this configuration. You can
also lock any parameters so that they can’t be modified on endpoints. In this
way, you can determine the configuration of Sophos Anti-Virus on each
endpoint, without fear that the settings will be changed by an endpoint user.
There are two configuration files: the live configuration file in the CID and
the offline configuration file stored elsewhere. When you want to change the
live file, you change the offline file, and use a program to replace the live file
with the offline file.
7.2.1 Creating the live configuration file in the CID
1. Create the offline configuration file in a directory of your choice other than
the CID. You must use the command savconfig, and specify
the name of the offline file, including the filename extension cfg
that you are accessing the Corporate layer of the file (for more
information on layers, refer to section 7.2.3)
the setting of a parameter.
Use the following syntax:
/opt/sophos-av/bin/savconfig -f CONFIG-FILE -c set PARAMETER VALUE
where CONFIG-FILE is the path of the offline file, -c indicates that you want
to access the Corporate layer, “set” indicates that you want to set the value
of a parameter, PARAMETER is the parameter that you want to set and
VALUE is the value to which you want to set the parameter. For example, to
create a file called CIDconfig.cfg and to start on-access scanning when the
Sophos Anti-Virus daemon is started, type
/opt/sophos-av/bin/savconfig -f CIDconfig.cfg -c set EnableOnStart Enabled
For information on using savconfig, refer to section 7.4.
2. Set other parameters, as necessary, using the command savconfig. You must
specify the name of the offline file and that you are accessing the Corporate
layer, as above.
3. To view the settings of parameters, use the query operation. You can view
the setting of an individual parameter or all parameters. For example, to
view the settings of all the parameters that you have set, type