Install Sophos Antivirus

nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Install Sophos Antivirus

Post by nicola.piazzi »

In addition to clamwin you can also install Sophos free, and detection gets a great enhancement:

STEPS :

1) Make the /tmp file system executable:
vi /etc/fstab
Duplicate the /tmp line, comment one copy out and change the other to temporarily remove the noexec option, like below:
#/dev/mapper/vg_00-lv_tmp /tmp ext4 nosuid,noexec,noatime 1 2
/dev/mapper/vg_00-lv_tmp /tmp ext4 noatime 1 2


2) Download Sophos and put it in your /root dir
You can use this link:
https://secure2.sophos.com/it-it/produc ... nload.aspx

3) Install
Using the guide that you can download on the same page, you can install in a few steps.
Make sure not to turn on the system scanner.

4) Add in MailScanner
vi /etc/MailScanner/MailScanner.conf
Line :
Virus Scanners = clamd sophos

5) Restart and enjoy
shawniverson
Posts: 3644
Joined: 13 Jan 2014 23:30
Location: Indianapolis, Indiana USA

Re: Install Sophos Antivirus

Post by shawniverson »

Recommend setting no exec bit back on /tmp, just fyi ;)

JeffAudet
Posts: 7
Joined: 22 Dec 2015 23:03

Re: Install Sophos Antivirus

Post by JeffAudet »

Hi,

I installed Sophos in addition to the existing ClamAV with your instructions and all works perfectly!

A weird thing since installation, I receive a mail message like this whenever an infected email is detected by Sophos:


[SAV-LINUX] Threat detected during on-demand scan on server.domain.com
A threat was detected during an on-demand scan. Details follow:
3 files scanned.
Number of infections detected: 1
Number of infected files detected: 1
/var/spool/MailScanner/incoming/8730/CD8E410059D.AF62D/nmsg-8730-1.html is infected with W32/Chir-B.


What do I need to do to disable this notification?

Thanks!

Jeff
JeffAudet
Posts: 7
Joined: 22 Dec 2015 23:03

Re: Install Sophos Antivirus

Post by JeffAudet »

I think I found the solution!

http://tw.sophos.com/sophos/docs/eng/ma ... _umeng.pdf

Turn on-demand email alerts off
By default, Sophos Anti-Virus emails the summary of an on-demand scan if, and only if, the scan detects viruses.

To turn off the emailing of an on-demand scan summary if viruses are detected, type:
/opt/sophos-av/bin/savconfig set EmailDemandSummaryIfThreat disabled


So, wait and see!
henk
Posts: 517
Joined: 14 Dec 2015 22:16
Location: Netherlands

Re: Install Sophos Antivirus

Post by henk »

When installing Sophos, the easy way to make /tmp executable (without fstab changes):

mount -o remount exec /tmp

and to restore the non-exec situation:

mount -o remount /tmp
“We are stuck with technology when what we really want is just stuff that works.” -Douglas Adams
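
The restore step recommended above is easy to get half right: the running mount can show noexec while /etc/fstab still holds the temporary edit, so the next reboot drops it. An added example, not part of the original posts, that checks both; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): confirm noexec is back on /tmp.

# mount_has_option FILE MOUNT_POINT OPTION
# FILE uses the fstab / /proc/self/mounts layout: dev dir type opts dump pass.
# Exit 0: option present, 1: option absent, 2: no active entry for MOUNT_POINT.
mount_has_option() {
    awk -v mp="$2" -v want="$3" '
        $1 ~ /^#/ { next }                  # commented-out fstab lines do not count
        $2 == mp  { opts = $4; seen = 1 }   # the last matching entry wins
        END {
            if (!seen) exit 2
            n = split(opts, o, ",")
            for (i = 1; i <= n; i++) if (o[i] == want) exit 0
            exit 1
        }' "$1"
}

# noexec_restored LIVE_MOUNTS FSTAB MOUNT_POINT
# Exit 0 only when both the running mount and the fstab entry carry noexec.
noexec_restored() {
    rc=0
    for src in "$1" "$2"; do
        if mount_has_option "$src" "$3" noexec; then
            echo "OK   $src: $3 has noexec"
        else
            echo "FAIL $src: $3 lacks noexec"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample input: fstab still holding the temporary edit (hardened
# line commented out) next to a live mount table that shows noexec.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/fstab" <<'EOF'
#/dev/mapper/vg_00-lv_tmp /tmp ext4 nosuid,noexec,noatime 1 2
/dev/mapper/vg_00-lv_tmp /tmp ext4 noatime 1 2
EOF
cat > "$SAMPLE_DIR/mounts" <<'EOF'
/dev/mapper/vg_00-lv_tmp /tmp ext4 rw,nosuid,noexec,noatime 0 0
EOF

noexec_restored "$SAMPLE_DIR/mounts" "$SAMPLE_DIR/fstab" /tmp || echo "fix fstab before the next reboot"
```

On a real host, pass /proc/self/mounts and /etc/fstab instead of the sample files.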
akl
Posts: 20
Joined: 04 Mar 2016 18:26

Re: Install Sophos Antivirus

Post by akl »

Hi,

what is that "make a filesystem executable" all about?
I never did that before for anything?

Thx
akl
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi »

it is a way to protect tmp from execution
d.gerdes
Posts: 1
Joined: 07 Apr 2016 12:25

Re: Install Sophos Antivirus

Post by d.gerdes »

Hi,

thank you for the instructions, but we ran into trouble after installing Sophos as mentioned above.
After efa restart we got an error in line 565 of /etc/unbound/unbound.conf and the service didn't start. Therefore no more mails arrived to our mailserver.
So we went back to our latest VMware snapshot (before sophos install) and everything works well again.

Any suggestions?

Thanx!

Daniel
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Install Sophos Antivirus

Post by pdwalker »

the obvious question is, what was wrong on line 565 of your configuration file?

without knowing what was in the file, it'd be very difficult for a third party to diagnose it.
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi »

I installed Sophos in 3.0.0.7 and upgraded to 3.0.0.8
Now I have reinstalled it on a fresh 3.0.0.9
I have no problems

So I suggest:

Install a fresh 3.0.0.9, which is a perfect version; it has the most stable CentOS version
3.0.0.9 has TXREP; with TXREP I have no more false positives, without affecting spam detection

With a fresh install you have a perfectly functional Clam Antivirus with the unofficial extension

Then you must install the only antiviruses that work without system modification:

Fprot6
Sophos

When you install them you must be careful and specify not to activate the automatic system scan of the filesystem, because you only need them to be invoked by MailScanner to scan incoming email files.
You also need to modify the MailScanner line to invoke these 3 products instead of Clam only.

Here my virus detection statistics :

Date        Total  Sophos  Only  Clam  Only  FProt  Only
08/04/2016     78      72    22    56     6      0     0
07/04/2016     29      17    17    12    12      0     0
06/04/2016     46      27    27    19    19      0     0
05/04/2016     20       5     5    15    15      0     0
04/04/2016      6       5     5     1     1      0     0
03/04/2016      4       2     2     2     2      0     0
02/04/2016     20      15    15     5     5      0     0
01/04/2016     16      14    14     2     2      0     0
31/03/2016      7       3     3     4     4      0     0
30/03/2016     15      11     6     4     4      5     0
29/03/2016    285     285   167     0     0    118     0


For example, on 08/04 I found 78 incoming viruses: Sophos detected 72, 22 were detected by Sophos only, Clam detected 56 and 6 only by Clam, Fprot 0.
So if you want you can skip installing Fprot, but I suggest installing Sophos, as you can see.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii »

Any specific instructions on how to install and where to find Fprot6?

###edit###
seems older and f-prot.com doesn't have a download link. I guess I'll skip it :-)
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi »

Sometimes Fprot also catches some viruses
Updates are regular, installation is simple and sure, so I use it
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii »

Where did you get the free version from?
All 3 versions I can find are commercial:
http://www.cyren.com/f-prot-antivirus-f ... rvers.html
http://www.cyren.com/f-prot-antivirus-f ... tions.html
http://www.cyren.com/f-prot-antivirus-f ... rvers.html

or are you using a commercial one? If that is the case, please excuse my blonde moment.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii »

Thank you! Weirdly enough it is not listed on the overview page for home users: http://www.f-prot.com/download/home_user/
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii »

I think I am going to sit this one out:


Found an existing license key in /root/f-prot/license.key, updating antivir.def ...



Unable to update `antvir.def' with the provided license key.
The error message above should explain why.
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi »

In the first step you must make /tmp executable from /etc/fstab
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii »

thanks but that didn't help with the license problem I posted above

###edit###
where did you place fprot? I put it into root while installing but it seems it needs a "permanent" place like /opt?
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi »

The first time, remove the noexec option from /tmp in /etc/fstab and reboot
(at the end, put it back)

Download the package, unpack it and put it under /opt

and run install-f-prot.pl

Insert an entry in the MailScanner configuration to use it

Under /opt/f-prot there is license.key
I don't remember how I got it, but I think it is retrieved during install
dbrunt
Posts: 64
Joined: 28 Nov 2015 00:09

Re: Install Sophos Antivirus

Post by dbrunt »

sav-linux installed and working on 3.0.0.8.
/tmp did not have enough space so created /install and put the download and the extraction in there. After installation, rm -rf /install
mmcnally
Posts: 14
Joined: 04 Sep 2016 00:51

Re: Install Sophos Antivirus

Post by mmcnally »

Thanks for the great information!!!

Mark
nicola.piazzi
Posts: 388
Joined: 23 Apr 2015 09:45

Re: Install Sophos Antivirus

Post by nicola.piazzi »

The first thing that I do when I install a new EFA box is enlarge the space
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Install Sophos Antivirus

Post by pdwalker »


Very useful information.
pdwalker
Posts: 1553
Joined: 18 Mar 2015 09:16

Re: Install Sophos Antivirus

Post by pdwalker »

Here's a possible gotcha.

I receive a lot of messages with Chinese language filenames. Sophos AV has trouble with these filenames and calls the attachments "viruses" even though they are not.

Basically, if Sophos cannot access the filename, it gives up and errs on the side of caution. I think I'll have to disable Sophos because of this as I cannot afford to check every day to find out what legitimate files Sophos is blocking.

Example:
Sophos: Could not check ./00D30180490.AF1A6/�永-天����港IPO��约�书 (corrupt)
Sophos: Could not check ./00D30180490.AF1A6/�永-天����港IPO��约�书 (corrupt)

The actual filenames in the queue directory are:
-rw-rw---- 1 postfix mtagroup 375411 Aug 29 17:57 %D6%D0%BD%E9%CE%AF%CD%D0%D0%AD%D2%E920.rar
-rw-rw---- 1 postfix mtagroup 518325 Aug 29 17:57 message
-rw-rw---- 1 postfix mtagroup 236594 Aug 29 17:57 安永-天立教育香港IPO业务约定书
which are well formatted UTF8 filenames.
ovizii
Posts: 463
Joined: 11 May 2016 08:08

Re: Install Sophos Antivirus

Post by ovizii »

I've never received any attachments with a completely foreign locale. Could this be made to work if you install the correct locales on the EFA system?