An antivirus scanner for Linux servers with Windows clients
Heedful Helper
![Lead Image © 3dalia, 123RF.com](/var/linux_magazin/storage/images/issues/2015/178/sophos-anti-virus-for-linux/123rf_29351250_sherlock-holmes-computer_3dalia_resized.png/655074-1-eng-US/123RF_29351250_Sherlock-Holmes-Computer_3dalia_resized.png_medium.png)
© Lead Image © 3dalia, 123RF.com
The Sophos Anti-Virus for Linux free antivirus scanner works unobtrusively in the background and targets mainly server operators and users who exchange files with Windows computers.
Newcomers in particular wonder about the security of the still unfamiliar Linux operating system. Can you really do without an antivirus scanner on Linux, and if so, should you do so? Can you really bank online without an antivirus scanner? The answer has not changed in recent years: Linux itself does not need an antivirus scanner.
Antivirus scanners for Linux typically target server installations, looking for infected files and attachments on mail and file servers. As services, they thus run in the background. Sophos Anti-Virus (SAV) for Linux is in this group of scanners; the application comprises a service with a toolset for the command line. Don't expect visual feedback unless the Sophos scanner discovers something on your disk or you are attempting to store an infected, or purportedly infected, file.
Sophos Anti-Virus
SAV is available for free from the Sophos website [1] in exchange for your email address. The installation package, `sav-linux-free-9.9.tgz`, weighs in at 423MB – antivirus programs are not exactly lightweight. To set up the application, unpack the archive and run the text-based installation routine as root:

```shell
$ sudo apt-get install linux-headers-amd64 build-essential
$ tar xzf sav-linux-free-9.9.tgz
$ sudo sophos-av/install.sh
```
The installation requires that you have the matching kernel headers and the most important build tools in place. DEB or RPM packages for a clean installation via your choice of package manager are not available at this time.
In the first step, the install wizard (Figure 1) tells you about the program. Pressing Enter takes you to the proprietary license; you can quit viewing the license by pressing Q, and accept by pressing Y. The installer then asks you whether you want the program to look for malware in the background, informs you of the file locations, and asks whether you really do want to use the "Free" version (i.e., do without support). You normally want to press Enter to keep the defaults; only in the case of the support question do you need to explicitly press F for the free version.
Finally, the installation routine, if needed, generates a kernel module to match your system's kernel, acting as the interface between the antivirus scanner and the system. Under normal circumstances, the installation will then complete without any trouble; in our lab with Ubuntu 14.04, Ubuntu 14.10, and Debian 7, I did not experience any issues. Although Sophos works on Debian 8, the service conflicts with systemd and cannot be controlled using the new init system.
Antivirus Scanner
Immediately after installing SAV, the antivirus scanner starts running in the background. Using either the `savdstatus` command from the Sophos archive or standard init commands, you can check the status. The init commands also let you start and stop the scanner daemon as needed – Listing 1 shows the matching commands for an Ubuntu system.
Listing 1: SAV Commands
To ensure that SAV really works, copy the Eicar test string (a small MS-DOS executable that can be expressed with printable characters) on the Eicar.org website [2] and write the sequence to a file. Sophos should then detect what is ostensibly malware, keep you from opening the file, and point out that it has found an "infected" file (Figure 2). In a virtual terminal, Sophos shows a text-based alarm on opening the file. The antivirus tool also prevents access using network protocols like SSH, but as a user, you have no idea why the call did not work (Figure 3).
![Figure 3](/var/linux_magazin/storage/images/issues/2015/178/sophos-anti-virus-for-linux/figure-3/655083-1-eng-US/Figure-3_large.png)
SAV does not come with a GUI. If you enabled the on-access scanner, the service works unobtrusively in the background. If you want to scan individual files or folders, you can open a terminal window and run the `savscan` command (Listing 2, first line); you also need to turn to the terminal to update the signature database (Listing 2, last line). If auto-update is enabled, Sophos keeps the virus signatures up-to-date without intervention.
Listing 2: Manual File Scans
For manually triggered antivirus scans, you can pass in either a filename or directory name; for a directory, Sophos recursively searches for malware-infected programs and files. If you add the `-di` option to the call, the scanner then attempts to disinfect the files; `-remove` tells the program to delete the files instead. Detailed help for these commands is available from the program's man page (`man savscan`).
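A scheduled-scan wrapper that turns the manual `savscan` call described above into something a server operator can run from cron, as an added example that is not from the article or from Sophos. It assumes the installer's default path `/opt/sophos-av/bin/savscan` and the exit-status meanings documented for `savscan` (0 clean, 1 interrupted, 2 error, 3 threat found); check both against your own installation.

```shell
#!/bin/sh
# Added example, not part of the article or of the Sophos package.
# Assumptions: savscan lives at the installer's default path, and its
# exit status follows the documented mapping 0/1/2/3 used below.
SAVSCAN="${SAVSCAN:-/opt/sophos-av/bin/savscan}"
LOG="${LOG:-/var/log/savscan-cron.log}"

# Translate a savscan exit status into a one-word verdict.
savscan_verdict() {
    case "$1" in
        0) echo clean ;;
        1) echo interrupted ;;
        2) echo error ;;
        3) echo infected ;;
        *) echo unknown ;;
    esac
}

# Only "infected" and "error" should wake an operator; "clean" is routine
# and "interrupted" is simply rerun on the next schedule.
needs_attention() {
    case "$1" in
        infected|error) return 0 ;;
        *) return 1 ;;
    esac
}

# Scan a directory recursively with -di (disinfect, as in the article),
# append a timestamped log line, print the verdict and return savscan's
# own exit status so cron or a monitoring wrapper can act on it.
scan_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    "$SAVSCAN" -di "$dir" >/dev/null 2>&1
    rc=$?
    verdict=$(savscan_verdict "$rc")
    printf '%s savscan %s rc=%s verdict=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$dir" "$rc" "$verdict" >>"$LOG"
    echo "$verdict"
    return "$rc"
}
```

Run it as `scan_dir /srv/samba/shares` from a cron entry and alert on `needs_attention "$(scan_dir ...)"`; the log line gives you a per-run audit trail that the on-access scanner alone does not.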
If you want a graphical user interface, Sophos offers an optional web front end, and you can set it up using the text-based `savsetup` configuration tool. To enable the web server, call the tool (Listing 3) and select item 2 from the menu to configure the SAV GUI. Once in the GUI, you can define a port and assign access credentials; again, your best option is to accept the defaults by pressing Enter.
Listing 3: Setting Up the GUI
After completing the configuration, you can access the GUI on http://localhost:8081 or from any other computer on http://<host IP>:<port>. The front end has a Home tab with an up-to-date overview (Figure 4).
Control lets you start and stop the on-access scanner as needed. Scanning lets you define whether Sophos should also search in archives and whether the antivirus scanner should disinfect or simply delete infected files. The other tabs let you exclude file types or paths from the search, define alerts, or view the antivirus scanner's logs.
Upgrade and Documentation
You can use Sophos Anti-Virus for Linux without charge both privately and for commercial purposes; for a surcharge you can upgrade to a "Premium" version with support and centralized management. For more information, visit the vendor's website or the forum set up for the Linux version [3]. The forum and FAQs [4] have very little content at the moment. The PDF documentation for installing [5] and configuring [6] the program provides you with far more help.