Sophos Antivirus

Does anyone use Sophos antivirus for Linux for virus scanning in the Pro edition? It seems like the Kaspersky version described in the manual isn’t free, at least the latest version is not!?

Thanks and best regards,
Jochen

I personally use this wrapper script:

#!/bin/bash
# Seafile passes the path of the file to scan as $1; quote it so paths with spaces work.
/opt/sophos-av/bin/savscan -nc -nb -ss --no-follow-symlinks -archive -eec "$1" >> /seafile/logs/sophos.log
# propagate savscan's exit code to Seafile (compared against virus_code / nonvirus_code)
exit $?

My seafile.conf is configured like this:

[virus_scan]
scan_command = /path/to/sophos.sh
virus_code = 24
nonvirus_code = 0
scan_interval = 5
#scan_size_limit = (size limit for files to be scanned) in MB
scan_size_limit = 20
#scan_skip_ext = (a comma (',') separated list of file extensions to be ignored)
scan_skip_ext = .png, .PNG, .jpg, .JPG, .jpeg, .JPEG, .mp3, .mp4, .wav, .avi, .rmvb, .mkv
#(number of concurrent threads for scan, one thread for one file, default to 4)
threads = 2

But my experience is that it is super slow and never finishes. I’m not sure if older revisions of files are also being scanned. It scans around 25000 files per day here, but there is always a scan running. Furthermore, the results are not displayed in a really useful way (imho).

Hi Sven,

Thank you very much for your answer and script!

Is there a reason why you trust files bigger than 25MB and treat them as non-infected? Is it because of the Seafile git structure?

From your exit code 24 I see that you are using extended exit codes? Shouldn’t you call savscan with option -eec in this case? What about exit codes 20 (infected object was disinfected) or 28 (virus in memory)? Otherwise you could just use the normal exit codes, and 3 would stand for an infected file?

What do the options -nc, -nb and -ss do? I didn’t find them in the Sophos manual.

savscan scans the whole machine, not just the seafile-data folder, doesn’t it? How can Seafile identify which file in Seafile is affected when a virus is found, because savscan only sees the git block files, I assume? Do you know how this is handled (not a Sophos-specific question, though)?

You’re saying that scanning is really slow. May I ask what hardware you are using? My hardware is a HYSTOU FMP06 Fanless Mini PC with just a Celeron N3150 Quad Core and 8GB RAM, so I fear that results would be worse here…

Why do you start a scan every 5 mins? Does this make sense when a scan lasts that long and scanning is that slow?

According to your experience, would you say that virus scanning (with Sophos) on the Seafile server side makes sense at all?

Thanks in advance and best regards,
Jochen

This command should only scan a specific file assigned by Seafile, as you can notice from the “$1” parameter at the end.

Seafile does incremental scanning of files. In each run, it only scans files added or changed since the last scan.

It’s not worth the time in my opinion. I don’t want to scan the video files.

I took them from their manual. Possibly I should check them again. The target was and is to minimize false positives.

No, that’s not what you want. If you just want to scan Seafile user files, disable it. If you want to scan your whole system and Seafile files, exclude the seafile-data directory and configure Seafile virus scan.

Seafile passes the files one by one to sav or any other virus scanner.

Intel Xeon E3-1220L V2 @ 2.30GHz + 16 GB + Raid 6 with 4x3TB for the data and an SSD for the system.

I think it also heavily depends on the usage and amount of data.
My admin page says:

Libraries / Files: 68 / 607698
Used Storage: 733.9 GB (ZFS says 662 GiB)

The target was to keep the time between a file being uploaded and scanned low. Although that is not being reached because scanning seems to be very slow, it seems to work as expected: there are no more scans at a time than there should be.

In my opinion it currently isn’t worth very much. It is more like an experiment on my server.

What happens with files being updated multiple times or being renamed? E.g.:

Virus Scan
update file Z
update file Z
update file Z
Virus Scan -> will it only scan the newest version of file Z
file A
Virus Scan
rename file A to file B
Virus Scan -> does Seafile know, that B has been scanned?

Thank you Jonathan and Sven for your answers and explanation!

Have a look here. In Chapter 18 they mention the (extended) exit codes. So probably for our purpose, (normal) exit code 3 would be ok!? Otherwise you would have to call savscan with option --eec, as far as I understand.

I have about 350GB of Seafile data, but since it’s just for my family, usage isn’t that high and there are not that many changes over time, so incremental scanning should be ok after the first initial run…

In the manual mentioned above, I can’t find the options -nc -nb and -ss. Here I found them:

-nc: no asking before disinfecting/deleting infected files
-nb: no bell on virus detection
-ss: verbosity of scan output, assuming ss means 'super silent'?

but I don’t know what “configurable: NO” means!? Also I’m not sure whether -nb makes sense, since this is the default behaviour of savscan?
Why did you choose these?

Cheers,
Jochen

Yes.

Rename detection is not supported yet. So it’ll scan B again.

For me it looks like it could be a good idea to maintain a database containing sha256 (or better) hashes of the files, the date when the file was scanned and what the result was. With such a database one wouldn’t need to scan the same file twice, and one could define actions, e.g. the file with hash xyz is no virus and the file with hash xyzx is a virus; in the first case Seafile will not report a virus again and in the second case Seafile is immediately going to delete the file (or at least move it to some system (quarantine) library). With such a system the virus scan would be much more useful in my opinion. It would also allow defining when a file should be scanned again (e.g. when the last scan was more than x days / months ago).

Scanning a file more than once is a feature. Remember that with classic antivirus software there is a detection gap which is widening.

For example: Last week I received three “invoices” via email with attached .docx files. As I did not order anything, did not recognize the sender addresses and the destination address was something I only use for “junk”, it was clear that these were viruses. I submitted them as samples to VirusTotal. Result: One sample was first submitted 15 minutes earlier and the detection rate was 2/57. Today the detection rate is at 25/57.

This is why I proposed a mechanism to allow it.

I think there are many things to keep in mind. And there are different targets in my opinion.
E.g.:

  • files being shared via link should be scanned with higher priority to stop malware distribution
  • it is not useful to scan the same file twice with the same signatures
  • there are certain file types that more likely contain malware

What I observe on my homeserver is that virus scanning takes forever. I had a look at the Sophos logs a few days ago and it scans 20k+ files a day, but scanning never finishes; there is always 1 core busy scanning a file. There are about 600k files on my server, so scanning them all would take one month, but the scanning did not finish after multiple months. This is why I get the impression that all history is being scanned. That could be a feature, but the priority should be that the most recent version is scanned within a few minutes after being uploaded.
What I also observe is that there are many false positives and there is no way to mark them as not being a virus (the only action is “delete”). Thus the list of virus files gets longer and longer, making it harder to find the real virus files.

A database with the scanned files could allow rescanning files when there are worker threads with nothing to do. And it could make the most of it by first rescanning those files that most likely contain a virus.

In short: I agree that scanning the same file multiple times is a feature, but doing it “the dumb dumb” is a bad solution.
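The hash database sketched in the posts above, as an added example in shell that is not from Seafile or from anyone in this thread: a small scan-result cache keyed by SHA-256 that says whether a file needs scanning, reuses a recent clean verdict, treats an admin "allow" entry as a marked false positive, and forces a rescan when the signature version changes or the clean verdict is older than a configurable number of days (the detection-gap argument). The cache path, the signature-version string and the age limit are assumptions.

```bash
#!/bin/bash
# Added example: scan-result cache for a Seafile virus scan wrapper (not Seafile code).
# One line per file hash: "<sha256> <epoch of scan> <verdict> <signature version>"
# Verdicts: clean, virus, allow (an admin marked a hit as a false positive).
CACHE="${CACHE:-/tmp/seafile-scan-cache.txt}"   # assumed location
MAX_AGE_DAYS="${MAX_AGE_DAYS:-30}"              # assumed rescan window

file_hash() { sha256sum "$1" | cut -d' ' -f1; }   # assumes coreutils sha256sum

# scan_decision <sha256> <current signature version> [<now as epoch seconds>]
# Prints "scan"  when the hash was never seen, was scanned with older signatures,
#                or its clean verdict is older than MAX_AGE_DAYS;
#        "virus" when the last verdict was a detection that nobody allowed;
#        "clean" when a fresh clean verdict or an allow entry exists.
scan_decision() {
  local hash="$1" sigver="$2" now="${3:-$(date +%s)}" line
  line=$(grep -m1 "^$hash " "$CACHE" 2>/dev/null) || { echo scan; return 0; }
  set -- $line
  local when="$2" verdict="$3" seen_sigver="$4"
  case "$verdict" in
    allow) echo clean ;;                  # false positive: never report again
    virus) echo virus ;;                  # known bad: report it, no rescan needed
    *)
      if [ "$seen_sigver" != "$sigver" ] ||
         [ $((now - when)) -gt $((MAX_AGE_DAYS * 86400)) ]; then
        echo scan                         # detection gap: signatures moved on
      else
        echo clean
      fi ;;
  esac
}

# record_result <sha256> <verdict> <signature version> [<now as epoch seconds>]
# Replaces any earlier entry for the same hash.
record_result() {
  local hash="$1" verdict="$2" sigver="$3" now="${4:-$(date +%s)}"
  touch "$CACHE"
  { grep -v "^$hash " "$CACHE" || true; echo "$hash $now $verdict $sigver"; } > "$CACHE.tmp"
  mv "$CACHE.tmp" "$CACHE"
}
```

A wrapper would call `scan_decision "$(file_hash "$1")" "$SIGVER"` before savscan and `record_result` afterwards, so only "scan" results cost a real savscan run.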

This has been my source: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/savl_9_cgeng.pdf
On page 45 the return codes are documented.

24 is “An item containing a virus is found and not disinfected”. Because I have not defined any actions (it would not make sense, as only tmp files are being passed by Seafile) on virus found, 24 is the virus-found exit code.
You were right about the exit code. One needs to also pass -eec, or use 3 for virus found. So, good catch! I’ve updated the code above. I also removed the size check because it became a Seafile feature since I set up the virus scan.

Options:

-nc do not ask before disinfection or deletion (would hang forever, should never occur though)
-nb No alarm sound on virus found (default is true on my system)
-ss Only print errors and virus information (not default on my system)
--no-follow-symlinks as Seafile puts files in tmp, there won't be symlinks.
-archive scans inside archives
-eec use extended return codes

(/opt/sophos-av/bin/savscan --help)

Scanning takes about 4 to 5 seconds for small files (Sophos only). That seems to be the issue, because I often place source code in my libraries, having thousands of files… possibly I should start excluding text files like txt, java, md, c, .gitignore and so on.
I’ve now started another try with the default of 4 threads.
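The exit-code handling Sven describes above, as an added example in shell that is not Sven's script or Seafile's own code: a scan_command wrapper that calls savscan with -eec, maps the extended codes quoted in this thread (0 nothing found, 20 disinfected, 24 found and not disinfected, 28 virus in memory) onto the virus_code = 24 and nonvirus_code = 0 values from the seafile.conf above, and logs with a timestamp. The savscan and log paths are the ones from Sven's post; counting every detection code as a virus and everything else as a scan error is this example's choice.

```bash
#!/bin/bash
# Added example: Seafile scan_command wrapper around Sophos savscan (not Sven's script).
# seafile.conf must use virus_code = 24 and nonvirus_code = 0 to match this mapping.
SAVSCAN="${SAVSCAN:-/opt/sophos-av/bin/savscan}"
LOGFILE="${LOGFILE:-/seafile/logs/sophos.log}"

# Map savscan's extended exit codes (-eec) onto the two codes Seafile expects.
# 0 nothing found; 20 infected item was disinfected; 24 infected item found and
# not disinfected; 28 virus found in memory (codes as quoted in this thread).
# A disinfected temp copy still means the stored file is infected, so 20 counts
# as a detection too. Any other code is a scan error, returned as 2 so that it
# matches neither virus_code nor nonvirus_code.
map_exit_code() {
  case "$1" in
    0)        echo 0 ;;
    20|24|28) echo 24 ;;
    *)        echo 2 ;;
  esac
}

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >> "$LOGFILE"; }

# scan_file <path>: returns the mapped code for Seafile.
scan_file() {
  local target="$1" rc=0
  if [ ! -f "$target" ]; then
    log "missing file: $target"
    return 2
  fi
  # -nc: never prompt; -nb: no bell; -ss: only errors and detections;
  # --no-follow-symlinks: Seafile hands over plain temp files; -archive: scan inside archives
  "$SAVSCAN" -nc -nb -ss --no-follow-symlinks -archive -eec "$target" >> "$LOGFILE" 2>&1 || rc=$?
  log "savscan exit $rc for $target"
  return "$(map_exit_code "$rc")"
}

# Seafile passes the file to scan as the first argument.
if [ "$#" -gt 0 ]; then
  scan_file "$1"
  exit $?
fi
```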

Thanks for your answers. I’ll check that on my new system after I have moved all the data to the new seafile-server.

Just realized that in my installation ‘savscan’ is writable for the whole world. Could this really be true?

I’ve just checked it, and on my system it’s a symlink. The real file is not world writable (check with ls -l: it links to a file in the folder _, the link links to another link, and the file is not world writable).

Hi,

I’ve uploaded the first batch of data to the new server (10GB and about 12.000 files). No huge amount of data, but savscan ran with 2 threads for >2 days now until I decided to stop it! Maybe it’s because the scan interval I configured in seafile.conf (60 mins) was too short, so that it started over and over, scanning the same files again? But that shouldn’t be the case, should it?
Or is it because of my weak hardware (Celeron N3150 Quad Core)?
If it isn’t an error (misconfiguration or something similar) but the normal behaviour of Sophos AV, then it’ll turn out that it’s completely useless for me in this case!
@shoeper reported nearly the same.

Cheers,
Jochen