As I was going through the lynis suggestions, I realized that I should install an anti-virus solution on my machine. After reading a couple of sites:
- AV-Test Lab tests 16 Linux antivirus products against Windows and Linux malware
- The 7 Best Free Linux Anti-Virus Programs
I decided to try out sophos. I have used clamav in the past but apparently now it’s detection rate is pretty low:
The instructions are covered in Installing the standalone version of SAV for Linux/UNIX and also in the Sophos Anti-Virus for Linux startup guide. I downloaded the archive (the How to Install Sophos Anti-Virus (Free Edition) on CentOS 7 / RHEL 7 page has good screenshots of the process) and then I extracted the archive:
<> tar xzf sav-linux-free-9.tgz
Now let’s do the install:
<> cd sophos-av <> sudo ./install.sh Sophos Anti-Virus ================= Copyright (c) 1989-2016 Sophos Limited. All rights reserved. Welcome to the Sophos Anti-Virus installer. Sophos Anti-Virus contains an on- access scanner, an on-demand command-line scanner, the Sophos Anti-Virus daemon, and the Sophos Anti-Virus GUI. On-access scanner Scans files as they are accessed, and grants access to only those that are threat-free. On-demand scanner Scans the computer, or parts of the computer, immediately. Sophos Anti-Virus daemon Background process that provides control, logging, and email alerting for Sophos Anti-Virus. Sophos Anti-Virus GUI User interface accessed through a web browser. Press <return> to display Licence. Then press <spc> to scroll forward. Please read the following legally binding License Agreement between Sophos and Do you accept the licence? Yes(Y)/No(N) [N] > Y Where do you want to install Sophos Anti-Virus? [/opt/sophos-av] > Do you want to enable on-access scanning? Yes(Y)/No(N) [Y] > Sophos recommends that you configure Sophos Anti-Virus to auto-update. It can update either from Sophos directly (requiring username/password details) or from your own server (directory or website (possibly requiring username/password)). Which type of auto-updating do you want? From Sophos(s)/From own server(o)/None(n) [s] > s Updating directly from Sophos. Do you wish to install the Free (f) or Supported (s) version of SAV for Linux? [s] > f The Free version of Sophos Anti-Virus for Linux comes with no support. Forums are available for our free tools at http://openforum.sophos.com/ Do you need a proxy to access Sophos updates? Yes(Y)/No(N) [N] > n Fetching free update credentials. Installing Sophos Anti-Virus.... Selecting appropriate kernel support... When Sophos Anti-Virus starts, it updates itself to try to find a Sophos kernel interface module update. This might cause a significant delay. Sophos Anti-Virus starts after installation. Installation completed. Your computer is now protected by Sophos Anti-Virus.
Also as an FYI, it looks likes the UI is no longer available for sophos as per SAV Linux 9.11.0 GUI functionality no longer available.
Compiling the Talpa Module
Initially the talpa module failed to compile:
[root@m2 kernels]# tail -11 /opt/sophos-av/log/talpaselect.log checking for linux/version.h... configure: error: cannot proceed without the required header file Traceback (most recent call last): File "talpa_select.py", line 2176, in _action File "talpa_select.py", line 1074, in load File "talpa_select.py", line 841, in select File "talpa_select.py", line 1696, in select File "talpa_select.py", line 1780, in build File "talpa_select.py", line 1910, in __try_build File "talpa_select.py", line 1769, in checkConfigureErrors SelectException: exc-configure-failed-no-kernel-headers
I was missing the kernel source, so I installed that:
<> sudo yum install kernel-devel
Re-running the compile worked out:
[root@m2 ~]# /opt/sophos-av/engine/talpa_select select [Talpa-select] Copyright (c) 1989-2016 Sophos Limited. All rights reserved. Sat Dec 24 17:42:16 2016 GMT Linux distribution: [centos] Product: [CentOS Linux release 7.3.1611 (Core) ] Kernel: [3.10.0-514.2.2.el7.x86_64] Multiprocessor support enabled. Searching for source pack... Searching for suitable binary pack... No suitable binary pack available. Preparing for build... Extracting sources... Configuring build of version 1.21.5... Building... Installing binaries... Creating local binary pack...
And now let’s load the module:
[root@m2 sophos-av]# /opt/sophos-av/engine/talpa_select load [Talpa-select] Copyright (c) 1989-2016 Sophos Limited. All rights reserved. Sat Dec 24 17:46:05 2016 GMT Linux distribution: [centos] Product: [CentOS Linux release 7.3.1611 (Core) ] Kernel: [3.10.0-514.2.2.el7.x86_64] Multiprocessor support enabled. Searching for source pack... Searching for suitable binary pack... Binary pack was created locally. Found suitable binary pack. Using: /opt/sophos-av/talpa/compiled/talpa-binpack-centos-x86_64-3.10.0-514.2.2.el7.x86_64-1smptuedec6230641utc2016.tar.gz Loading Talpa kernel modules version 1.21.5...
And to confirm it’s loaded:
[root@m2 sophos-av]# lsmod | grep tal talpa_vfshook 39969 0 talpa_pedconnector 12509 0 talpa_pedevice 13563 1 talpa_pedconnector talpa_vcdevice 13129 0 talpa_core 91941 3 talpa_vfshook,talpa_vcdevice talpa_linux 34583 4 talpa_vfshook,talpa_vcdevice,talpa_core talpa_syscallhook 20252 1 talpa_vfshook
Manually Updating Sophos
The update is configured to run every 60 minutes, but we can do one manually:
[root@m2 etc]# /opt/sophos-av/bin/savupdate Updating from versions - SAV: 9.12.3, Engine: 3.65.2, Data: 5.30 Updating Sophos Anti-Virus.... Updating Talpa Binary Packs Updating SAVScan on-demand scanner Updating Virus Engine and Data Updating Talpa Kernel Support Updating Manifest Selecting appropriate kernel support... Update completed. Updated to versions - SAV: 9.12.3, Engine: 3.65.2, Data: 5.34 Successfully updated Sophos Anti-Virus from sdds:SOPHOS
For good measure, let’s restart the service after the update:
<> sudo systemctl restart sav-protect.service
I also double checked the services were enabled:
[root@m2 ~]# /opt/sophos-av/bin/savdstatus Sophos Anti-Virus is active and on-access scanning is running [root@m2 ~]# /opt/sophos-av/bin/savconfig query EnableOnStart true [root@m2 ~]# /opt/sophos-av/bin/savconfig query LiveProtection enabled
There are also a couple of services that are disabled (and I think that is okay):
<> systemctl list-unit-files| grep sav sav-protect.service enabled sav-rms.service disabled sav-update.service disabled
Configuring Sophos Settings
You can check out the basic settings by running the following:
[root@m2 ~]# /opt/sophos-av/bin/savconfig query Email: root@localhost EmailDemandSummaryIfThreat: true EmailLanguage: English EmailNotifier: true EmailServer: localhost:25 EnableOnStart: true ExclusionEncodings: UTF-8 EUC-JP ISO-8859-1 LogMaxSizeMB: 100 NotifyOnUpdate: true PrimaryUpdateSourcePath: sophos: PrimaryUpdateUsername: ******** PrimaryUpdatePassword: ******** UploadSamples: false SendErrorEmail: true SendThreatEmail: true UINotifier: true UIpopupNotification: true UIttyNotification: true UpdatePeriodMinutes: 1440 NamedScans: weekly LiveProtection: enabled ScanArchives: mixed
To get a full list you can run the following:
[root@m2 ~]# /opt/sophos-av/bin/savconfig --advanced query
I enabled the option to be notified on an update:
[root@m2 ~]# /opt/sophos-av/bin/savconfig set NotifyOnUpdate true [root@m2 ~]# /opt/sophos-av/bin/savconfig query NotifyOnUpdate true
By default the update period of 60 minutes so I decided to changed that to once a day:
[root@m2 ~]# /opt/sophos-av/bin/savconfig set UpdatePeriodMinutes 1440
Else you will see this in the logs all the time (and if you enabled the option to be emailed on an update, you will get an email every 60 minutes):
Dec 24 18:51:39 m2.kar.int systemd: Started "Sophos Anti-Virus update". Dec 24 18:51:39 m2.kar.int savd: update.updated: Successfully updated Sophos Anti-Virus from sdds:SOPHOS Dec 24 18:51:39 m2.kar.int savd: update.updated: Updated to versions - SAV: 9.12.3, Engine: 3.65.2, Data: 5.34 Dec 24 18:51:39 m2.kar.int savd: update.updated: Updating Sophos Anti-Virus.... Updating SAVScan on-demand scanner Updating Virus Engine and Data Updating Manifest Update completed. Dec 24 18:51:39 m2.kar.int savd: update.updated: Updating from versions - SAV: 9.12.3, Engine: 3.65.2, Data: 5.34 Dec 24 18:51:17 m2.kar.int systemd: Starting "Sophos Anti-Virus update"...
Running a quick scan manually
You can run a quick scan manually to see how clean your system is:
> sudo /opt/sophos-av/bin/savscan / SAVScan virus detection utility Version 5.27.0 [Linux/AMD64] Virus data version 5.34, November 2016 Includes detection for 12414465 viruses, Trojans and worms Copyright (c) 1989-2016 Sophos Limited. All rights reserved. System time 12:08:18 PM, System date 24 December 2016 IDE directory is: /opt/sophos-av/lib/sav Using IDE file fare-boh.ide Using IDE file dride-wf.ide Using IDE file rans-dwk.ide Using IDE file fare-bol.ide Using IDE file chisb-lh.ide Using IDE file zeus-k.ide ... ... Using IDE file docd-gja.ide Using IDE file fare-bwv.ide Using IDE file locky-yo.ide Using IDE file mdro-hrr.ide Using IDE file locky-yp.ide Using IDE file cerbe-xy.ide Quick Scanning Could not open /etc/alternatives/policytool Could not open /usr/bin/policytool Could not open /usr/lib/modules/3.10.0-327.28.3.el7.x86_64/source Could not open /usr/lib/modules/3.10.0-327.36.1.el7.x86_64/source Could not open /usr/lib/modules/3.10.0-327.36.2.el7.x86_64/source Could not open /usr/lib/modules/3.10.0-327.36.3.el7.x86_64/source 42781 files scanned in 1 minute and 25 seconds. 6 errors were encountered. No viruses were discovered. End of Scan.
Setup a schedule to scan weekly
Thi is covered in Sophos Anti-Virus for Linux configuration guide and Sophos Anti-Virus v9.x For Unix/Linux: Scheduled scan options. First create a folder for sheduled jobs:
[root@m2 ~]# mkdir /opt/sophos-av/etc/jobs
Then copy the example to get started:
<> sudo cp /opt/sophos-av/doc/namedscan.example.en /opt/sophos-av/etc/jobs/weekly
Modify the job to your needs:
<> sudo vi /opt/sophos-av/etc/jobs/weekly
And lastly add it to the config:
<> sudo /opt/sophos-av/bin/savconfig add NamedScans weekly /opt/sophos-av/etc/jobs/weekly
If you need to update it, first update the file (
vi /opt/sophos-av/etc/jobs/weekly) and then update the config
<> sudo /opt/sophos-av/bin/savconfig update NamedScans weekly /opt/sophos-av/etc/jobs/weekly
To always get a summary of the scheduled savscan, you can set the following option (as per the Sophos Anti-Virus for Linux/Unix v9: Complete list of email alert settings:
<> sudo /opt/sophos-av/bin/savconfig set EmailDemandSummaryAlways true
That should be it, enjoy sophos.