
Sophos Antivirus For Linux


61 replies to this topic

#1 Guest_hollowface_*


Posted 07 June 2015 - 02:19 AM

Sophos Antivirus For Linux:


Guide Overview

Just wanted to share my opinion thus far of the product, describe how to install it, and show how to do some useful things.

Tools Needed
  • Supported GNU/Linux operating system
  • Internet Access
Description

Sophos Antivirus For Linux is an anti-malware for Linux capable of both automatic protection, and on-demand scanning.

Review

I've not done any comparison of Sophos's malware definitions compared to their competitors, but based on the features provided, my first impression of Sophos Antivirus For Linux is that it's the best anti-malware for Linux I've tried to date. It has both a CLI and (limited) web-GUI, an easy to use installer, it's FREE, and can be used for manual or automatic protection. That's not to say the product is perfect, it isn't! It's important to keep in mind I've only been using this for a day, so there are perhaps still pitfalls to be discovered, I'm sure.

Pros:
- Free (There is also a premium paid version that includes updates, support, and management.)
- Scans for Linux malware (in addition to Windows malware).
- Command-line interface
- Easy to install
- Easy to perform manual scans
- Supports disabling on-access scanning
- Supports disabling automatic updates
- Using space-bar one can skip to the end of the license agreement during the installation process. This comes in handy when doing re-installs.
- Web-based graphical interface.
- CLI installer
- Supports several distros
- Data collection by Sophos can be disabled
- Comes as an all-inclusive download.
- Commands are built around usage with a root account, rather than assuming the use of Sudo.

Cons:
- Does not specify what percentage of their definitions are for Linux malware.
- No information is provided on the quality of the definitions.
- No direct download link is provided. In order to download you have to provide your name and email address, and accept an agreement.
- Not available in default APT software repos for Ubuntu, Debian, etc, or in Sophos managed repos.
- No desktop GUI interface.
- Not all features available from the web-GUI. Cannot even perform a scan!
- Doesn't come with instructions. There are a couple PDFs with instructions on their site: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savl_9_sgeng.pdf , https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savl_9_cgeng.pdf .
- Command-line usage is awkward, some commands just require the executable name while others require the entire path.
- No graphical installer
- Data collection by Sophos is enabled by default.

Installation Instructions
These are generic instructions, and should work for most distros assuming they use Sudo and meet the system requirements to run Sophos Antivirus For Linux. For non-Sudo distros use the root account, remove "sudo" from the beginning of the commands, and use full paths. Sophos seems to be built with root in mind, but I've not noticed any issues using Sudo.

1. Download it from https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx to your user folder.
2. Type:
tar -xzvf ~/sav-linux-free-9.9.tgz -C ~/
3. Type:
sudo ~/sophos-av/install.sh
4. Complete the installer.

CLI Usage Instructions
- See list of scanning options:
savscan -h
- Perform a manual file or folder scan:
sudo savscan -sc -rec -dn -c -archive -pua -suspicious --stay-on-filesystem --stay-on-machine --backtrack-protection --preserve-backtrack --examine-x-bit --show-file-details /directory/file
(You only need to use Sudo when scanning files you don't own. This doesn't delete detections; to do so add "-remove". This doesn't scan mount points; to do so remove "--stay-on-filesystem".)

- See list of log viewing options:
man savlog
- Check scan logs:
sudo /opt/sophos-av/bin/savlog --today
(This will only display results for today.)

- Check status of on-access scanning:
sudo /opt/sophos-av/bin/savdstatus
- Enable on-access scanning:
sudo /opt/sophos-av/bin/savdctl enable
- Disable on-access scanning:
sudo /opt/sophos-av/bin/savdctl disable
- Scan Volume Boot Records:
sudo savscan -bs=/dev/sda1
(To scan multiple VBRs use a comma to separate them eg: "sudo savscan -bs=/dev/sda1,/dev/sda2".)

- Scan Master Boot Records (all fixed drives):
sudo savscan -mbr
- Check to see if Live Protection (an automatic cloud lookup feature) is enabled:
sudo /opt/sophos-av/bin/savconfig query LiveProtection
- Turn Live Protection On:
sudo /opt/sophos-av/bin/savconfig set LiveProtection true
- Turn Live Protection Off:
sudo /opt/sophos-av/bin/savconfig set LiveProtection false
- Install Updates:
sudo /opt/sophos-av/bin/savupdate
(This only works if Sophos was configured to install updates from either Sophos, or your own update server.)

- Enable automatic updates from Sophos (Only for premium users):
sudo /opt/sophos-av/bin/savsetup
enter "1" and press "enter"
enter "2" and press "enter"
enter your username and press "enter". (From your license.)
enter your password and press "enter". (From your license.)
enter "N" and press "enter".
enter "q" and press "enter".

- Disable automatic updates from Sophos:
sudo /opt/sophos-av/bin/savsetup
enter "1" and press "enter"
enter "3" and press "enter"
http://localhost
full stop
press "enter"
type "N" and press "enter"
type "q" and press "enter"
(Unlike during the installation process, where you could choose to update from Sophos, your own update server, or no server, no server is not listed as an option. You can however choose localhost, which will result in no updates being downloaded unless your computer is already an update server.)

- Open GUI:
Open your browser, and visit:
http://localhost:8081
(Only works if you've configured the GUI first.)

- Configure GUI:
sudo /opt/sophos-av/bin/savsetup
enter "2" and press "enter".
enter "Y" and press "enter".
press "enter".
press "enter".
choose a password and press "enter".

- Check If Data Collection By Sophos Is Enabled:
sudo /opt/sophos-av/bin/savconfig query DisableFeedback
(By default it is.) (True = data collection is off, False = data collection is on.)

- Disable Data Collection By Sophos:
sudo /opt/sophos-av/bin/savconfig set DisableFeedback true
- Enable Data Collection By Sophos:
sudo /opt/sophos-av/bin/savconfig set DisableFeedback false
Web-GUI Usage Instructions

- Open GUI:
Open your browser, and visit:
http://localhost:8081
(Only works if you've configured the GUI first. See the CLI commands for instructions.)

- Enable on-access scanning:
In the Welcome area click on Control, enter your username and password when prompted to, and click Enable On-access Scanning.

- Disable on-access scanning:
In the Welcome area click on Control, enter your username and password when prompted to, and click Disable On-access Scanning.

- View Logs:
In the "Welcome" area click on "Log Viewer", enter your username and password when prompted to, enter a date (eg: "Sat Jun 6 01:00:00 2015") in the "Display log entries after" box, choose a max number (eg: 200), and click "View Log".

References
- Sophos Anti-Virus for Linux startup guide
- Sophos Anti-Virus for Linux configuration guide
- https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx
- "savscan -h"
- "man savlog"
- https://www.sophos.com/en-us/support/knowledgebase/121214.aspx

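As an added example, not code from the thread or from Sophos: a small POSIX shell audit script that queries the savconfig settings the tutorial covers, compares them against a chosen baseline, and checks whether the web GUI port is reachable beyond loopback. It assumes the /opt/sophos-av/bin paths from the post, that "savconfig query NAME" prints the value alone (True/False) as the post's True=/False= note suggests, and that ss(8) is available.

```shell
#!/bin/sh
# Added audit script (not from the thread or from Sophos). Checks the Sophos
# Anti-Virus for Linux settings the tutorial walks through and reports any
# that drift from the baseline. Assumes binaries under /opt/sophos-av/bin and
# that "savconfig query NAME" prints the value alone (True/False). Run as root.

SAV_BIN="${SAV_BIN:-/opt/sophos-av/bin}"

# Lower-case a True/False style value and strip whitespace so "True " == "true".
normalize_bool() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | tr -d ' \t\r\n'
}

# expect_setting NAME WANT GOT: print OK/DRIFT; return 0 on match, 1 otherwise.
expect_setting() {
  _want=$(normalize_bool "$2")
  _got=$(normalize_bool "$3")
  if [ "$_got" = "$_want" ]; then
    echo "OK     $1=$_got"
    return 0
  fi
  echo "DRIFT  $1=$_got (expected $_want)"
  return 1
}

# gui_loopback_only: 0 if port 8081 (the web GUI) is not listening, or listens
# only on 127.x / [::1]; 1 if it is bound to any other address. Uses ss(8);
# if ss is missing, no lines are read and the port is treated as not listening.
gui_loopback_only() {
  ss -ltn 2>/dev/null | awk 'NR > 1 && $4 ~ /:8081$/ && $4 !~ /^(127\.|\[::1\])/ { bad = 1 }
                             END { exit bad ? 1 : 0 }'
}

# audit: query the live settings and compare them with the baseline.
#   DisableFeedback=true -> Sophos data collection off (the post's recommendation)
#   LiveProtection       -> set WANT_LIVE=false if cloud lookups are not wanted
audit() {
  rc=0
  expect_setting DisableFeedback true "$("$SAV_BIN/savconfig" query DisableFeedback)" || rc=1
  expect_setting LiveProtection "${WANT_LIVE:-true}" "$("$SAV_BIN/savconfig" query LiveProtection)" || rc=1
  echo "INFO   on-access: $("$SAV_BIN/savdstatus" 2>&1 | head -n 1)"
  if gui_loopback_only; then
    echo "OK     web GUI (8081) not exposed beyond loopback"
  else
    echo "WARN   web GUI (8081) listening on a non-loopback address"; rc=1
  fi
  return $rc
}

# Only run the audit when invoked with --run, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then audit; fi
```

Run it as "sudo sh sav_audit.sh --run"; a non-zero exit means at least one setting drifted or the GUI is exposed.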

#2 cat1092


Posted 09 June 2015 - 12:14 AM

hollowface, Thanks for sharing! :thumbup2:

 

Hopefully some of our members & viewers can make use of this outstanding tutorial you've created. I'm going to have to give this a shot on one of my Linux installs, to gain some experience & to see the effectiveness of the protection offered. It was brought up in another Topic over here a couple of days ago, and the cons you bring up is why I didn't bother with it on my main PC (though I didn't see your Topic then). 

 

http://www.bleepingcomputer.com/forums/t/578058/5-tips-to-improve-your-linux-desktop-security/

 

Still I want to check it out, and it may be just what's needed for those who shares files with Windows users or for a mail server. 

 

I'm no stranger to Sophos, actually run their Free virus scanner monthly on my Windows computers, and if one has a spare PC with a Intel Core Duo 2.0 or better, they offer a Linux based OS at no charge to turn that computer into a powerful standalone hardware Firewall, great for parental & guest control over one's network, in addition to the other benefits of a dedicated Firewall appliance. The only component needed is an Ethernet outbound card (PCI/PCIe), to plug a router into, of which there's some older Intel models on eBay for $20 or so. 

 

I'll have to give the Sophos for Linux protection a chance, the instructions weren't laid out as simple as you've shown us.  :)

 

Cat




#3 pcpunk


Posted 14 June 2015 - 03:17 AM

Concerning this quote:

"1. Download it from https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx to your user folder."

 

You mean "usr", right? And it is considered one of the root files, right? This is where I clicked on the Up-Arrow to get to.

 

Great tutorial by the way!


Edited by pcpunk, 14 June 2015 - 03:17 AM.


 


#4 Al1000


Posted 14 June 2015 - 08:52 AM

Your user folder is the one that's named after your user name, and will be in /home. For example my username on my computer is al, and my user folder is /home/al.

You may (or may not) have issues with permissions if you put Sophos in your usr directory (/folder). If you do have any problems that you would like advice with please start a thread in the main Linux forum.

Edited by Al1000, 14 June 2015 - 08:53 AM.


#5 Guest_hollowface_*


Posted 14 June 2015 - 04:20 PM

You mean "usr" right? and is considered one of the root files right?


Al1000 is correct, I am referring to the folder assigned to your user account. For example my account name is "example1" so my user folder is located at "/home/example1". You'll notice in steps 2 and 3 that the commands there use "~/" in their paths, which is a shorthand for your user folder. If you save the Sophos download somewhere else make sure to adjust the paths in steps 2 and 3 accordingly. I would not recommend saving to "/usr" as it's owned by Root, and will require elevated privileges to save a file to (giving your browser the elevated privileges needed to save to "/usr" would put your system at risk).

#6 paul88ks


Posted 21 June 2015 - 03:25 AM

When I download this it is automatically saved to Archive Manager. I have no idea how to unroll the tarball, and none of the suggestions posted here seem to work. I know I am missing something very basic here, but I don't know what it is. I will be happy to move this to the proper forum if I knew what that was. Seems I am running around in circles, confused!



#7 paul88ks


Posted 21 June 2015 - 03:31 AM

All I get is "command not found".



#8 Guest_hollowface_*


Posted 21 June 2015 - 03:36 PM

@paul88ks

I forget which distro and browser you are using, but these steps use the Tar program, and assume the tar archive is saved to your user folder. If your browser is automatically opening it with Archive Manager, that should be fine (not sure if you'll end up with a copy of the tar archive saved to your system or not, in case you're wanting to keep a copy, as I don't download files this way). Use Archive Manager to extract the tar archive contents instead of using the Tar program. To do so:

 

1. Click "extract".


 

2. Choose your user folder as the extraction location.


3. After the extraction process completes you can exit Archive Manager and proceed to the next step (step 3) in the installation instructions.


 

 

If you would prefer to use the Tar program to extract the tar archive you'll need to change your browse settings, or find out where it's saving the file to. You can usually change your web-browser preferences so that it will download things to a directory of your choice, or so that it will always prompt for a save location before downloading anything.



#9 paul88ks


Posted 22 June 2015 - 04:17 AM

Tar file extracted to home folder- but when I click on it - it is blank- no files showing



#10 Guest_hollowface_*


Posted 22 June 2015 - 05:04 PM

Perhaps the download didn't get the full file? Do you still have a copy of the tar archive?



#11 pcpunk


Posted 22 June 2015 - 10:43 PM

Maybe paul sent them somewhere else during his attempts to get this working?



 


#12 cat1092


Posted 22 June 2015 - 11:10 PM

Maybe paul sent them somewhere else during his attempts to get this working?

 

Yes, it has to be in the Downloads folder of whatever distro that's running, not in any sub-folders. I made this mistake the first time with VMware Player. There are sub-folders created in Downloads & Documents for much anything I need; only these need to be in the main Downloads folder.

 

After installing, these can be moved to wherever desired. 

 

Cat




#13 Guest_hollowface_*


Posted 22 June 2015 - 11:25 PM

@paul88ks

 

I see in your picture, you posted in the Mythbusting thread, that you've extracted the archive to "/home/paul88ks/tmp". So for step 3 use:

cd /home/paul88ks/tmp/sophos-av
sudo ./install.sh

EDIT: I've noticed you say you're getting command not found errors. I've changed the above so it should help. If you're still having troubles run chmod first to make sure the file has execution permissions. To do so use:

 

sudo chmod u+x /home/paul88ks/tmp/sophos-av/install.sh

Edited by hollowface, 22 June 2015 - 11:36 PM.


#14 paul88ks


Posted 22 June 2015 - 11:42 PM

OK, thanks hollowface. I got the program to install, but by the time I have scrolled down through the EULA to where it asks me to accept the license, it says installation aborted. I am making progress, but not there yet! Should I use the page up / page down buttons?



#15 Guest_hollowface_*


Posted 22 June 2015 - 11:45 PM

Enter is used to scroll, or you can use the space-bar to safely skip to the end of the EULA.





