Install Sophos Antivirus

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Install Sophos Antivirus

Post by nicola.piazzi » 30 Nov 2015 17:15

In addition to clamwin you can also install Sophos free, and detection gets a great enhancement:

STEPS :

1) Make the /tmp file system executable:
vi /etc/fstab
Duplicate, asterisk and change the /tmp line to temporarily remove the noexec option, like below
#/dev/mapper/vg_00-lv_tmp /tmp ext4 nosuid,noexec,noatime 1 2
/dev/mapper/vg_00-lv_tmp /tmp ext4 noatime 1 2


2) Download Sophos and put it in your /root dir
You can use this link
https://secure2.sophos.com/it-it/produc ... nload.aspx

3) Install
Using the guide that you can download on the same page you can install in a few steps
Ensure you do not turn on the system scanner

4) Add in MailScanner
vi /etc/MailScanner/MailScanner.conf
Line :
Virus Scanners = clamd sophos

5) Restart and enjoy

shawniverson
Posts: 3087
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Install Sophos Antivirus

Post by shawniverson » 05 Dec 2015 10:43

Recommend setting no exec bit back on /tmp, just fyi ;)

:text-bravo:

JeffAudet
Posts: 7
Joined: 22 Dec 2015 23:03

Re: Install Sophos Antivirus

Post by JeffAudet » 23 Dec 2015 01:38

Hi,

I installed Sophos in addition to the existing clamAV with your instructions and all works perfectly!

A weird thing since installation: I receive a mail message like this whenever an infected email is detected by Sophos:


[SAV-LINUX] Threat detected during on-demand scan on server.domain.com
A threat was detected during an on-demand scan. Details follow:
3 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/8730/CD8E410059D.AF62D/nmsg-8730-1.html is infected with W32/Chir-B.


What do I need to do to disable this notification?

Thanks!

Jeff

JeffAudet
Posts: 7
Joined: 22 Dec 2015 23:03

Re: Install Sophos Antivirus

Post by JeffAudet » 23 Dec 2015 02:02

I think I found the solution!

http://tw.sophos.com/sophos/docs/eng/ma ... _umeng.pdf

Turn on-demand email alerts off
By default, Sophos Anti-Virus emails the summary of an on-demand scan if, and only if, the scan
detects viruses.

To turn off the emailing of an on-demand scan summary if viruses are detected, type:
/opt/sophos-av/bin/savconfig set EmailDemandSummaryIfThreat disabled


So, wait and see!

henk
Posts: 457
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Install Sophos Antivirus

Post by henk » 22 Mar 2016 10:54

When installing Sophos, the easy way to make /tmp executable (without fstab changes):

mount -o remount,exec /tmp

and to restore the non exec situation :

mount -o remount /tmp
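
The reminder earlier in the thread to put noexec back on /tmp can be verified mechanically. The following is an added example, not part of any post here: a POSIX shell check that reads /proc/mounts or /etc/fstab and reports whether the mount point lacks noexec or nosuid, the two hardening options in the original fstab line. The function names are hypothetical and the sample file is constructed from the lines in step 1.

```shell
#!/bin/sh
# Added example (not from the thread): verify /tmp is hardened again after the install.
# Works on /proc/mounts (live state) and /etc/fstab (state after the next reboot);
# both keep the mount point in field 2 and the options in field 4.

# mount_opts FILE MOUNTPOINT: print the options of the last active entry.
# Commented-out lines (like the "#/dev/mapper/..." backup line from step 1) are skipped.
mount_opts() {
    awk -v mp="$2" '$1 !~ /^#/ && $2 == mp { o = $4 } END { if (o != "") print o }' "$1"
}

# has_opt OPTS NAME: succeed if NAME is one of the comma-separated options.
has_opt() {
    case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac
}

# check_hardening FILE [MOUNTPOINT]: print "ok", "missing: ..." or "no-entry".
check_hardening() {
    mp=${2:-/tmp}
    opts=$(mount_opts "$1" "$mp")
    [ -n "$opts" ] || { echo "no-entry"; return 2; }
    missing=
    for o in noexec nosuid; do
        has_opt "$opts" "$o" || missing="$missing $o"
    done
    [ -z "$missing" ] || { echo "missing:$missing"; return 1; }
    echo "ok"
}

# Constructed sample: the fstab from step 1 while noexec is still removed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#/dev/mapper/vg_00-lv_tmp /tmp ext4 nosuid,noexec,noatime 1 2
/dev/mapper/vg_00-lv_tmp /tmp ext4 noatime 1 2
EOF
echo "sample fstab: $(check_hardening "$sample" || true)"
rm -f "$sample"

# On a real host:
#   check_hardening /proc/mounts   # what is mounted right now
#   check_hardening /etc/fstab     # what the next boot will mount
```

Checking both files matters because a remount changes only the live state, while an fstab edit changes only what the next boot mounts.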

akl
Posts: 20
Joined: 04 Mar 2016 18:26

Re: Install Sophos Antivirus

Post by akl » 30 Mar 2016 10:10

Hi,

what is that "make a filesystem executable" all about?
I never did that before for anything?

Thx
akl

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi » 01 Apr 2016 13:14

it is a way to protect tmp from execution

d.gerdes
Posts: 1
Joined: 07 Apr 2016 12:25

Re: Install Sophos Antivirus

Post by d.gerdes » 07 Apr 2016 12:55

Hi,

thank you for the instructions, but we ran into trouble after installing Sophos as mentioned above.
After efa restart we got an error in line 565 of /etc/unbound/unbound.conf and the service didn't start. Therefore no more mails arrived to our mailserver.
So we went back to our latest VMware snapshot (before sophos install) and everything works well again.

Any suggestions?

Thanx!

Daniel

pdwalker
Posts: 1255
Joined: 18 Mar 2015 09:16

Re: Install Sophos Antivirus

Post by pdwalker » 08 Apr 2016 03:32

the obvious question is, what was wrong on line 565 of your configuration file?

without knowing what was in the file, it'd be very difficult for a third party to diagnose it.

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi » 08 Apr 2016 07:26

I installed Sophos in 3.0.0.7 and upgraded to 3.0.0.8
Now I have reinstalled in a new fresh 3.0.0.9
I have no problem

So I suggest:

Install a fresh 3.0.0.9, which is a perfect version; it has the most stable CentOS version
3.0.0.9 has TXREP; with TXREP I have no more false positives without affecting spam detection

With a fresh install you have a perfect functional Clam Antivirus with unofficial extension

Then you must install the only antivirus that works without system modification

Fprot6
Sophos

When you install it you must be careful and specify not to activate the automatic system scan of the filesystem, because you only need it to be invoked by MailScanner to scan incoming email files
You also need to modify the MailScanner line to invoke these 3 products instead of clam only.

Here my virus detection statistics :

Date        Total  Sophos  Sophos Only  Clam  Clam Only  FProt  FProt Only
08/04/2016     78      72           22    56          6      0           0
07/04/2016     29      17           17    12         12      0           0
06/04/2016     46      27           27    19         19      0           0
05/04/2016     20       5            5    15         15      0           0
04/04/2016      6       5            5     1          1      0           0
03/04/2016      4       2            2     2          2      0           0
02/04/2016     20      15           15     5          5      0           0
01/04/2016     16      14           14     2          2      0           0
31/03/2016      7       3            3     4          4      0           0
30/03/2016     15      11            6     4          4      5           0
29/03/2016    285     285          167     0          0    118           0


For example, on 08/04 I found 78 incoming viruses: Sophos detected 72, 22 were detected by Sophos only, Clam detected 56 and 6 only by Clam, Fprot 0
So if you want you can choose not to install Fprot, but I suggest installing Sophos, as you can see

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii » 11 May 2016 09:32

Any specific instructions on how to install and where to find Fprot6?

###edit###
seems older and f-prot.com doesn't have a download link. I guess I'll skip it :-)

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi » 11 May 2016 12:25

Sometimes Fprot also catches some viruses
Updates are regular, installation is simple and sure, so I use it

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii » 11 May 2016 12:45

Where did you get the free version from?
All 3 versions I can find are commercial:
http://www.cyren.com/f-prot-antivirus-f ... rvers.html
http://www.cyren.com/f-prot-antivirus-f ... tions.html
http://www.cyren.com/f-prot-antivirus-f ... rvers.html

or are you using a commercial one? If that is the case, please excuse my blonde moment.


ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii » 11 May 2016 12:51

Thank you! Weirdly enough it is not listed on the overview page for home users: http://www.f-prot.com/download/home_user/

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii » 11 May 2016 12:55

I think I am going to sit this one out:

Found an existing license key in /root/f-prot/license.key, updating antivir.def ...



Unable to update `antvir.def' with the provided license key.
The error message above should explain why.

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi » 11 May 2016 12:56

In the first step you must make /tmp executable from /etc/fstab

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii » 11 May 2016 12:59

Thanks, but that didn't help with the license problem I posted above

###edit###
where did you place fprot? I put it into root while installing but it seems it needs a "permanent" place like /opt?

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi » 11 May 2016 13:07

First, remove the noexec option from /tmp in /etc/fstab and reboot
(at the end, put it back)

Download the package, unpack it and put it under /opt

and run install-f-prot.pl

Insert an entry in the MailScanner configuration to use it

Under /opt/f-prot there is license.key
I don't remember how I got it, but I think it is retrieved during install

dbrunt
Posts: 64
Joined: 28 Nov 2015 00:09

Re: Install Sophos Antivirus

Post by dbrunt » 12 Oct 2016 19:27

sav-linux installed and working on 3.0.0.8.
/tmp did not have enough space, so I created /install and put the download and the extraction in there. After installation, rm -rf /install

mmcnally
Posts: 14
Joined: 04 Sep 2016 00:51

Re: Install Sophos Antivirus

Post by mmcnally » 13 Oct 2016 01:43

Thanks for the great information!!!

Mark

nicola.piazzi
Posts: 286
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi » 13 Oct 2016 07:30

The first thing that I do when I install a new efa box is enlarge the space

pdwalker
Posts: 1255
Joined: 18 Mar 2015 09:16

Re: Install Sophos Antivirus

Post by pdwalker » 05 May 2017 11:29

:clap:

Very useful information.

pdwalker
Posts: 1255
Joined: 18 Mar 2015 09:16

Re: Install Sophos Antivirus

Post by pdwalker » 25 Sep 2017 06:12

Here's a possible gotcha.

I receive a lot of messages with Chinese language filenames. Sophos AV has trouble with these filenames and calls the attachments "viruses" even though they are not.

Basically, if Sophos cannot access the filename, it gives up and errs on the side of caution. I think I'll have to disable Sophos because of this as I cannot afford to check every day to find out what legitimate files Sophos is blocking.

Example:
Sophos: Could not check ./00D30180490.AF1A6/�永-天����港IPO��约�书 (corrupt)
Sophos: Could not check ./00D30180490.AF1A6/�永-天����港IPO��约�书 (corrupt)

The actual filenames in the queue directory are:
-rw-rw---- 1 postfix mtagroup 375411 Aug 29 17:57 %D6%D0%BD%E9%CE%AF%CD%D0%D0%AD%D2%E920.rar
-rw-rw---- 1 postfix mtagroup 518325 Aug 29 17:57 message
-rw-rw---- 1 postfix mtagroup 236594 Aug 29 17:57 安永-天立教育香港IPO业务约定书
which are well formatted UTF8 filenames.

ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii » 30 May 2018 06:51

I've never received any attachments with a completely foreign locale. Could this be made to work if you install the correct locales on the EFA system?
