Kolab 3.4 on CentOS 6.6/7 with Sophos Anti-Virus and SAVDI how-to
Soliva Andrea
soliva at comcept.ch
Thu May 12 12:56:11 CEST 2016
Hi all

This is probably interesting for anybody who would like an alternative or an additional antivirus scanner next to ClamAV, which I also use with SaneSecurity! There is no commercial background to why I'm sending this how-to. The Sophos Anti-Virus installation with "savdi" described here offers a great possibility to scale to high performance, because the installation can be done on a separate remote server. The installation is small and straightforward and can be used with any "amavisd" installation!
Let's start by showing a local installation, which can easily be ported to a remote installation.
This how-to is based on CentOS 6.6, but from my point of view it applies to CentOS 7 as well.
==== Installation of "Sophos Anti-Virus 9" based product ====
The prerequisite for this installation of "Sophos Anti-Virus 9" is a regular license of:
Sophos Server Protection (Vendor SKU WLVA1CSAA)
This license currently covers an installation on Windows, Linux or vShield. It is a license for one server. A license for one server for 12 months costs:
CHF 77.00 excl. VAT
This also means the license must be renewed as a subscription. If the subscription is not renewed the product keeps working, but you no longer receive virus definition database updates. A 12-month subscription costs:
CHF 77.00 excl. VAT
If you buy a license for 3 years Sophos charges you only 2 years, which means a 3-year license costs you:
CHF 154.00 excl. VAT
The installation of "Sophos Anti-Virus 9" is currently very easy, as it is done with an installation script with a text interface. As mentioned before you need a license for the installation, because the license information (a username and a password) must be entered in the setup/installation script, and the source can officially only be downloaded with the corresponding login you receive when you buy the license. If you have the login/license, the source can be downloaded from the following link:
# cd /root
# gzip -dc sav-linux-9-i386.tgz | tar xvf -
# cd sophos-av
# ./install.sh
NOTE If you use "./install.sh --help" you see the options which can be used for the installation! For the installation itself please be careful that you DO NOT enable the "on-access scanner" or the "Sophos Anti-Virus GUI". The GUI is deactivated if you DO NOT define a password for its access!
Let's see how the installation runs:
--------------- install.sh ---------------
Sophos Anti-Virus
=================
Copyright (c) 1989-2015 Sophos Limited. All rights reserved.
Welcome to the Sophos Anti-Virus installer. Sophos Anti-Virus
contains an on-access scanner, an on-demand command-
line scanner, the Sophos Anti-Virus daemon, and the Sophos
Anti-Virus GUI.
On-access scanner        Scans files as they are accessed, and grants access to only those that are threat-free.
On-demand scanner        Scans the computer, or parts of the computer, immediately.
Sophos Anti-Virus daemon Background process that provides control, logging, and email alerting for Sophos Anti-Virus.
Sophos Anti-Virus GUI    User interface accessed through a web browser.
Press <return> to display Licence. Then press <spc> to scroll
forward.
NOTE You can press "Q" so that you don't have to scroll through the License Agreement :-)
Do you accept the licence? Yes(Y)/No(N) [N]
> y
Where do you want to install Sophos Anti-Virus? [/opt/sophos-av]
> /opt/sophos-av
Do you want to enable on-access scanning? Yes(Y)/No(N) [Y]
> N
On-access scanning disabled. Use savscan for on-demand scanning.
Sophos Anti-Virus GUI is accessible at http://localhost:8081/
from your web browser.
You must now enter a username/password for Sophos Anti-Virus
GUI. If you enter a blank password, the Sophos Anti-
Virus GUI will be disabled.
Username for Sophos Anti-Virus GUI? [admin]
> "DO NOT DEFINE ANYTHING TO DEACTIVATE THE GUI USE ENTER"
Password for Sophos Anti-Virus GUI?
> "DO NOT DEFINE ANYTHING TO DEACTIVATE THE GUI USE ENTER"
If you enter a blank password, the Sophos Anti-Virus GUI will be
disabled.
Password for Sophos Anti-Virus GUI?
> "DO NOT DEFINE ANYTHING TO DEACTIVATE THE GUI USE ENTER"
Disabling Sophos Anti-Virus GUI because no password was
provided. To enable it run /opt/sophos-av/bin/savsetup
Sophos recommends that you configure Sophos Anti-Virus to
auto-update.
It can update either from Sophos directly (requiring
username/password details) or from your own server (directory or
website (possibly requiring username/password)).
Which type of auto-updating do you want? From Sophos(s)/From own
server(o)/None(n) [s]
> s
--------------- install.sh ---------------
NOTE After "s" you have to enter the license information, i.e. the username and password that are delivered in a PDF when you buy the license.
User [Username]
Password [Password]
After that final step the installation is done in "/opt/sophos-av". The installation adds an additional user and group to the system:
# cat /etc/passwd | grep sophos
sophosav:x:301:2002:Sophos Anti-virus:/opt/sophos-av:/bin/bash
# cat /etc/group | grep sophos
sophosav:x:2002
The "Sophos Anti-Virus" client can be configured on the command line with different tools. The logs can be viewed with the tool "savlog" and its corresponding options:
# /opt/sophos-av/bin/savlog --help
savlog: Display the Sophos Anti-Virus log
Usage: savlog [OPTION] ...
OPTION:
  --help               Display this help information
  --version            Display the version and copyright information
  --lang-neutral       Export the log in a language neutral XML format
  --utc                Display the time and date in UTC
  --today              Restrict log messages to those in the last 24 hours
  --maxage=NUMBER      Restrict log messages to those in the last 24 * NUMBER hours
  --after=NUMBER       Restrict log messages to those NUMBER seconds after 1 January 1970 00:00:00.00
  --after=HH:MM[:SS]   Restrict log messages to those after the given time today
  --before=NUMBER      Restrict log messages to those before NUMBER seconds after 1 January 1970 00:00:00.00
  --before=HH:MM[:SS]  Restrict log messages to those before the given time today
  --category=STRING    Restrict log messages to those whose category starts with STRING
  --systemLog          Display the syslog (/var/log/messages) rather than the product log
  --namedscan=NAME     Display log messages for the specified named scan
  --noHeader           Don't display column headings
  -N                   Restrict log messages to N most recent entries
Remember that "savlog" only displays the logs, it does not configure them. Let's say we would like to see the logs in UTC for the last 7 days:
# /opt/sophos-av/bin/savlog --utc --maxage=7
Check that the "On-Access scanner" is not active. This is absolutely important and fundamental; please do not use the "On-Access scanner":
# /opt/sophos-av/bin/savdstatus --verbose
Sophos Anti-Virus daemon is active
On-access scanning is not running
The "On-Access scanner" is switched with "savdctl" (its "enable" counterpart turns it on, should you ever need it for any other reason), but please be aware that you DO NOT USE it for our "amavisd" installation; the command below makes sure it stays disabled:
# /opt/sophos-av/bin/savdctl disable
The configuration of "Sophos Anti-Virus" is located in the directory "/opt/sophos-av/etc" in the file "savd.cfg". This is an XML formatted file and can be edited directly, but it is easier to use the corresponding command line tool "savconfig":
# /opt/sophos-av/bin/savconfig --help
savconfig: Configure Sophos Anti-Virus
Usage: savconfig [OPTION] ... [OPERATION] [PARAMETER] [VALUE]
OPTION:
  --[no]append         Set append mode
  --[no]lock           Prevent override by user
  -u, --user           Access the User layer
  -c, --corporate      Access the Corporate layer
  -U, --consoleupdate  Access the Console Update Policy layer
  -A, --consoleav      Access the Console Anti-virus Policy layer
  -s, --sophos         Access the Sophos layer
  -f, --configfile     Use alternative configuration file
  -v, --all            Display values of, or help for, basic parameters
      --advanced       Display values of, or help for, advanced parameters
Also:
  -F, --readfromfile   Substitute argument with value read from file
OPERATION:
  set        Set a parameter
  update     Update a named scan
  add        Append a value to a list parameter
  remove     Remove a value from a list parameter
  delete     Remove a parameter
  query/get  Output the value of a parameter
  help       Display this help information
The query operation can be used without parameters to list all configured values.
The help operation can provide further information on any parameter that you specify, or on all parameters when you combine the operation with the '-v' or '--all' option.
For more information have a look at the installation guide:
savl_9_cgeng.pdf
If you want to see the current configuration of "Sophos Anti-Virus", use the following command:
# /opt/sophos-av/bin/savconfig --all
Email: root at localhost
EmailDemandSummaryIfThreat: true
EmailLanguage: English
EmailNotifier: true
EmailServer: localhost:25
EnableOnStart: false
ExclusionEncodings: UTF-8
EUC-JP
ISO-8859-1
LogMaxSizeMB: 100
NotifyOnUpdate: false
PrimaryUpdateSourcePath: sophos:
PrimaryUpdateUsername: XGJ439H5TX
PrimaryUpdatePassword: ********
SendErrorEmail: true
SendThreatEmail: true
UINotifier: true
UIpopupNotification: true
UIttyNotification: true
UpdatePeriodMinutes: 60
NamedScans Not configured
LiveProtection: enabled
ScanArchives: mixed
For our installation we configure a few things, such as disabling the email notifications and changing the update interval:
# /opt/sophos-av/bin/savconfig set EmailNotifier disabled
# /opt/sophos-av/bin/savconfig set SendErrorEmail false
# /opt/sophos-av/bin/savconfig set SendThreatEmail false
# /opt/sophos-av/bin/savconfig set UINotifier disabled
# /opt/sophos-av/bin/savconfig set UpdatePeriodMinutes 180
# /opt/sophos-av/bin/savconfig set LogMaxSizeMB 15
# /opt/sophos-av/bin/savconfig set LiveProtection false
# /opt/sophos-av/bin/savconfig set DisableFeedback true
As mentioned already this configuration is written directly to "/opt/sophos-av/etc/savd.cfg". After running the commands above check the current config again. Compare the listing carefully with the commands you entered: in the listing below LogMaxSizeMB, UpdatePeriodMinutes, SendErrorEmail and SendThreatEmail have changed, but EmailNotifier, UINotifier and LiveProtection still show their old values (the listing reports them as true/false and enabled/disabled, not in the value form passed above), so verify every parameter you rely on with "savconfig query <Parameter>" and set it again with the value form the listing uses:
# /opt/sophos-av/bin/savconfig --all
Email: root at localhost
EmailDemandSummaryIfThreat: true
EmailLanguage: English
EmailNotifier: true
EmailServer: localhost:25
EnableOnStart: false
ExclusionEncodings: UTF-8
EUC-JP
ISO-8859-1
LogMaxSizeMB: 15
NotifyOnUpdate: false
PrimaryUpdateSourcePath: sophos:
PrimaryUpdateUsername: [Your Username]
PrimaryUpdatePassword: ********
SendErrorEmail: false
SendThreatEmail: false
UINotifier: true
UIpopupNotification: true
UIttyNotification: true
UpdatePeriodMinutes: 180
NamedScans Not configured
LiveProtection: enabled
ScanArchives: mixed
With the command below you can force a manual update of the "Sophos Anti-Virus" engine and virus definitions (if you have entered the license information):
# /opt/sophos-av/bin/savupdate
The installation also installed start/stop scripts in the directory "/etc/init.d/". Please adjust the permissions of the scripts:
# chmod 755 /etc/init.d/sav-*
For testing you can now start "Sophos Anti-Virus" for the first time, without the "GUI" and with the "On-Access scanner" deactivated:
# /etc/init.d/sav-protect start
Check that the daemon is running:
# ps -ef | grep savscand
root 12288 12250 0 13:15 ? 00:00:00 savscand --incident=unix://tmp/incident --namedscan=unix://root@tmp/namedscansprocessor.0 --ondemandcontrol=socketpair://35/36
If you have problems check the logs in:
/opt/sophos-av/log
I prefer to have the logs in "/var/log" instead of the directory above. We move the logs to "/var/log":
# /etc/init.d/sav-protect stop
# mv /opt/sophos-av/log /var/log/sophos-av
# ln -s /var/log/sophos-av/ /opt/sophos-av/log
# /etc/init.d/sav-protect start
The installation of "Sophos Anti-Virus" is done, but we are not yet finished with using it from "amavisd". Please go ahead with the next step!
==== Installation of "savdi" Interface (SSSP/ICAP) for "Sophos Anti-Virus 9" ====
The "savdi" interface offers two protocols: SSSP (port 4010) and ICAP (port 4020). From a communication point of view this means: "amavisd" talks SSSP to the "savdi" interface on "127.0.0.1:4010", and "savdi" passes the data to the "Sophos Anti-Virus" engine; the "ICAP" interface on "127.0.0.1:4020" is provided by the same daemon for ICAP clients. Because these are plain TCP interfaces, it is possible to install the "savdi" interface on a separate server and use the server IPs instead of "127.0.0.1". In this way you can scale out to higher performance. This how-to proceeds with the local installation of "savdi", which means "Sophos Anti-Virus" and "savdi" are both installed on the Kolab server. Both use a minimum of memory and resources, so from this point of view there is no problem. To install "savdi" you have to download the source from Sophos:
http://downloads.sophos.com/inst/EbQZBpI+_EzUJ3idY6topQZD00ODg3/savdi-linux-32bit.tar
http://downloads.sophos.com/inst/EbQZBpI+_EzUJ3idY6topQZD00ODg3/savdi-linux-64bit.tar
If you run the installation script (./savdi_install.sh) without parameters, the files are installed in the following directories:
/usr/lib/
/bin
/savdi
I do not like to have these files in those directories, so we will use a PREFIX. If you do so you have to be careful about the PATH variable, which must be covered. We will install the "savdi" program to "/opt/sophos-savdi". For this we need some manually created directories and soft links (to cover the PATH variable and the shared libraries):
NOTE Please use the correct file for the installation: if you use the 64-bit file on a 32-bit installation, or the other way around, you will get an error regarding "libsavi.so.3". Because the "Sophos Anti-Virus" installation was done with the 32-bit package, we use the 32-bit file!
# mkdir /opt/sophos-savdi
# mkdir /opt/sophos-savdi/lib
# ln -s /opt/sophos-av/lib/libsavi.so.3 /usr/lib/libsavi.so.3
# ln -s /opt/sophos-av/lib/libssp.so.0 /usr/lib/libssp.so.0
# ln -s /opt/sophos-av/lib/libssp.so.0 /opt/sophos-savdi/lib/libssp.so.0
Create a temporary directory, extract the source and run the installation with the PREFIX (use "./savdi_install.sh -h" to see the options for the installation):
# cd /root
# mkdir /root/savdi
# cd /root/savdi
# tar xvf savdi-23-linux-32bit.tar
# cd /root/savdi-install
# ./savdi_install.sh -v -d /opt/sophos-savdi
Let's see how the installation runs:
--------------- savdi_install.sh ---------------
Sophos Anti-Virus SAVI daemon installation utility [Linux/Intel]
Copyright (c) 2006-2015 Sophos Limited, Oxford, England
Reading installation text
Checking libraries are installed
libsavi: /usr/lib/libsavi.so.3
Checking virus data is installed
Virus data: /opt/sophos-av/lib/sav
Binaries will be installed in '/opt/sophos-savdi/bin'
Message text will be installed in '/opt/sophos-savdi/savdi'
SAVI daemon will be installed
===> Installing binaries
Created directory /opt/sophos-savdi/bin
savdid copied to /opt/sophos-savdi/bin/savdid
===> Installing messages
Created directory /opt/sophos-savdi/savdi
savdidlang_en.txt copied to /opt/sophos-savdi/savdi/savdidlang_en.txt
/var/tmp/savdid.conf copied to /opt/sophos-savdi/savdi/savdid.conf
===> Checking paths are accessible
Warning: $PATH does not include /opt/sophos-savdi/bin
  To run Sophos Anti-Virus you need to set environment variable $PATH so
  that it includes /opt/sophos-savdi/bin.
Warning: Virus data found at /opt/sophos-av/lib/sav
  The SAVI daemon may fail to find the virus data unless you update its
  configuration file (savdid.conf) with the location of the virus data.
Some environment variables may need to be set on your system. To make these
settings permanent, add them to your login script or profile; to make these
settings systemwide, amend /etc/login or /etc/profile.
--------------- savdi_install.sh ---------------
We have some warnings about PATH which can easily be solved with the following links:
# ln -s /opt/sophos-savdi/savdi/ /usr/local/savdi
# ln -s /opt/sophos-savdi/bin/savdid /usr/local/bin/savdid
Now "savdi" can (and must) be configured via the file "savdid.conf". Let's make a copy of the original file first:
# cp -p /opt/sophos-savdi/savdi/savdid.conf /opt/sophos-savdi/savdi/savdid.conf.orig
Now you can configure "savdi" as shown below, but please go through the config to check that it covers your needs. This is especially necessary for a remote server installation (listen address and accepted client subnet). There is also a documentation on "savdi" which explains the different configuration points:
SAVDI for dummies.docx
# vi /opt/sophos-savdi/savdi/savdid.conf
--------------- /opt/sophos-savdi/savdi/savdid.conf ---------------
#
# Sample configuration file for use on *nix systems
#

# The name of a file to hold the process ID
# Only used when running in daemon mode
# Default is /var/run/savdid.pid
pidfile: /export/kolab/spool/amavisd/sssp.sock

# User name and group for daemon to switch to for normal running
# savdi must be running as root for this to be useful
user: amavis
group: amavis

# No of worker threads to start up
# Normally should be at least the maximum no of clients
# Default is 3
threadcount: 3

# Maximum no of connections/sessions to queue up
# Further connections will be rejected
maxqueuedsessions: 3

# Where to find the virus data if it is held somewhere other than normal
# These options can be specified under the savi configuration but that
# is not advised.
# NB The following two lines may be modified by the *nix install script
virusdatadir: /opt/sophos-av/lib/sav
idedir: /opt/sophos-av/lib/sav
#virusdataname: vdl

# What to do when the daemon must exit
# Options are:-
#   DONTWAIT (just exit now!)
#   REQUEST  (wait for current requests to complete)
#   SESSION  (wait for current sessions to complete)
# Case 1) An exception has occurred and operation could be compromised
onexception: REQUEST
# Case 2) A request has been made for it to exit
# If there are long running sessions then REQUEST should be considered
onrequest: REQUEST

log {
    # Specify the logging mechanism {CONSOLE|FILE|SYSLOG}
    type: FILE
    # Where to write the log files (if FILE is selected)
    logdir: /var/log/savdi/
    # Specify the level of logging required
    # 0 = errors+threats
    # 1 = (0) + process events
    # 2 = (1) + session events
    # Default is 2
    loglevel: 2
}

# Define a IP channel for localhost
channel {
    # Send to the log requests received from clients
    # For debugging. Default: NO
    # logrequests: YES
    logrequests: YES

    commprotocol {
        type: IP
        # IP Address to listen on, default is 0.0.0.0 (any)
        address: 127.0.0.1
        port: 4020
        # Subnet of acceptable client IP addresses.
        # Default is to accept from any client.
        subnet: 127.0.0.1/24
        # idle timeout in secs when waiting for a request
        # 0 is forever. Default: 0
        requesttimeout: 120
        # timeout in secs between characters when sending data
        sendtimeout: 2
        # idle timeout in secs between characters when receiving data
        recvtimeout: 10
    }

    service {
        # The name of the service, arbitrary as long as the client
        # uses the same name.
        name: sophos
        # The type of service, for now can only be avscan
        type: avscan

        scanprotocol {
            # The type of protocol in use. Can only be ICAP.
            type: ICAP
            # Version of the configuration for this service.
            # Update when changes are made that may alter the
            # result returned to the client. Default: XXX
            version: 1.02
            # Objects sent for scanning can be retained if they are
            # infected or cause the service a problem. Allowed values
            # are NONE, MALWARE, PROBLEM, ALL. ALL meaning both
            # MALWARE and PROBLEM. Default: NONE
            # retain: NONE
            # A list of file extensions for files which the client
            # should not send to this server. The list is sent as-is
            # to the client. See ICAP Transfer-Ignore header. A
            # Transfer-Complete: * header is automatically added.
            # Default is none.
            # dontsend: .jpg, .gif, .bmp, .tiff
            # 204 is the ICAP code indicating that the object
            # sent for processing is unmodified and OK and will
            # not be returned to the client. Default: NO
            # allow204: NO
            # Don't automatically close the connection after a
            # transaction. Default: NO
            keepalive: YES
            # Maximum permitted size, in bytes, of the body in a request.
            # Zero is no limit. Default: 0
            # maxbodysize: 0
            # Maximum amount of memory, in bytes, to use for an object, before
            # putting it into a temporary file. Default: 1000000
            #maxmemorysize: 1024
            # Maximum size of the chunks, in bytes, for returned data, 0 is
            # no maximum. Default: 0
            # maxchunksize: 0
            # Where to place and name temporary files
            # Default: <standard temp directory>/SAVDI_
            # On *nix systems: /var/tmp/SAVDI_
            # tmpfilestub: /var/tmp/savdi/files/icap_
            # The block-* options determine what to do with files
            # that result in some sort of error.
            # Any of these files may be infected.
            # NB Files identified as malware are always blocked.
            # Treat zip-bombs as malignant. Zip-bombs are compressed
            # files that have many files which are very highly
            # compressed. They are intended to either deny use of
            # a scanner by keeping it occupied for excessive periods
            # or use excessive resources, such as disc space on the
            # end-point. Default: YES
            block-bombs: YES
            # Block encrypted files. Encrypted files cannot be scanned
            # and may harbour malware. Default: NO
            block-encrypted: NO
            # Block corrupt files. Some files are simply corrupt, others
            # may not conform to the standard, or one of its known
            # variants, but may still be usable. Default: NO
            block-corrupt: NO
            # Block timeouts. It took too long to scan the file and
            # the scan was terminated early. (See the maxscantime
            # option in the scanner section.) Default: YES
            block-timeouts: NO
            # The AV engine returned some other error. Scanning of the
            # file possibly did not complete. Default: YES
            block-errors: NO
            # The AV engine caused an exception. Exceptions can be
            # considered as errors that were not caught in time.
            # Scanning of the file did not complete. Default: YES
            block-exceptions: NO
            # At least one client (c-icap) seems to always expect a
            # body, even an empty one. Default: NO
            # forceemptybody: YES
        }

        scanner {
            # See the SAVDI documentation for details for configuring
            # SAVI
            type: SAVI
            inprocess: YES
            # Turn on auto-stop, ie zip-bomb detection
            savists: enableautostop 1
            # Turn on most of the other options
            savigrp: grpsuper 1
            # Limit the time taken to scan a file to this number of seconds
            # Zero is forever. Default: 0
            # maxscantime: 0
        }
    }

    # Other services with different configurations can be defined
    # service {
    #     name: sophosdef
    #     type: avscan
    #
    #     scanprotocol {
    #         type: ICAP
    #         keepalive: YES
    #         allow204: NO
    #         maxmemorysize: 1000000
    #         maxchunksize: 1000
    #     }
    #
    #     scanner {
    #         type: SAVI
    #         inprocess: YES
    #     }
    # }
}

#
# Define an IP channel for SSSP
#
channel {
    commprotocol {
        type: IP
        # IP Address to listen on, default is 0.0.0.0 (any)
        address: 127.0.0.1
        port: 4010
        # Subnet of acceptable client IP addresses
        subnet: 127.0.0.1/24
        # idle timeout in secs when waiting for a request
        # 0, the default, is forever
        requesttimeout: 120
        # timeout in secs between characters when sending data
        sendtimeout: 2
        # idle timeout in secs between characters when receiving data
        recvtimeout: 5
    }

    scanprotocol {
        type: SSSP
        # Do we allow the client to use SCANFILE?
        allowscanfile: SUBDIR
        # Do we allow the client to use SCANDATA?
        allowscandata: YES
        # If SCANDATA is allowed:-
        # maximum amount of data, in bytes, the client can send
        maxscandata: 500000
        # maximum amount, in bytes, to be held in memory before using a temp file
        maxmemorysize: 250000
        # path name and stub for generating temp file names.
        tmpfilestub: /tmp/savid_tmp
        # Log each request made by a client?
        # logrequests: YES
    }

    scanner {
        # type and inprocess can only be SAVI and YES for now
        type: SAVI
        inprocess: YES
        # Max time to be allowed for scanning a single file
        maxscantime: 3
        # Max time in seconds to be allowed to complete a request
        maxrequesttime: 10
        # Deny scanning of /dev and my home directory
        # except for the test directory, Everything else
        # is allowed
        # If deny is used then everything else is allowed unless
        # explicitly denied
        # If allow is used then everything else is denied unless
        # explicitly allowed.
        # If a directory tree is allowed, sub-trees may be explicitly
        # denied, but the converse is not true. If a directory tree
        # is denied it is not possible to allow subtrees.
        deny: /dev
        deny: /home
        # allow: /home/specialuser
        # Some SAVI/Engine options
        savigrp: GrpArchiveUnpack 0
        savigrp: GrpInternet 1
        savists: Xml 1
    }
}
--------------- /opt/sophos-savdi/savdi/savdid.conf ---------------
The config defines a log directory which does not exist yet. Please create this log directory. Its owner must be the account that "savdid" switches to (the "user:" and "group:" settings in savdid.conf), otherwise the worker process cannot write its log:
# mkdir /var/log/savdi/
# chown vscan:vscan /var/log/savdi
# chmod 755 /var/log/savdi
No start/stop script is installed for "savdi", but the "savdi" binary has some options which can be used to create one:
# /opt/sophos-savdi/bin/savdid -h
Usage: savdid [-d] [-c CONFIG_FILE] [-f PIDFILE] [-l] [-V] [-p] [-s]
-d will run savdid as a daemon
-c use the CONFIG_FILE configuration file.
-f to specify the file to use to hold the active PID.
-l log to CONSOLE.
-V print Version information and exit.
-p print configuration help and exit.
-s suppresses the initial version and copyright info.
Referring to these options you can test "savdi" to verify that everything is working fine:
# /opt/sophos-savdi/bin/savdid -l -c /opt/sophos-savdi/savdi/savdid.conf
SAV Dynamic Interface 2.3.0
Copyright 2000-2015 Sophos Limited. All rights reserved
151217:131053 00034407 Process starting
PID: 11898
The option "-l" starts "savdi" not as a daemon but in the "console". Stop "savdi" with:
Ctrl + C
If you have verified everything you can start "savdi" as a daemon with the following command:
# /opt/sophos-savdi/bin/savdid -d -s -c /opt/sophos-savdi/savdi/savdid.conf
Check the start in the log file:
# ls -la /var/log/savdi/
Check that the "savdi" daemons are up and running:
# ps -ef | grep savdid
root 12014 1 0 13:12 ? 00:00:00 /opt/sophos-savdi/bin/savdid -d -s -c /opt/sophos-savdi/savdi/savdid.conf
vscan 12015 12014 35 13:12 ? 00:00:06 /opt/sophos-savdi/bin/savdid -s -c /opt/sophos-savdi/savdi/savdid.conf -x
The worker process runs as the "user:"/"group:" from savdid.conf (the sample config above says "amavis", this listing shows "vscan"); make sure the config, the owner of the log directory and this listing agree.
Check that the SSSP and ICAP interfaces are listening:
# netstat -an | grep 4010
tcp 0 0 127.0.0.1:4010 0.0.0.0:* LISTEN
# netstat -an | grep 4020
tcp 0 0 0.0.0.0:4020 0.0.0.0:* LISTEN
If the ICAP port shows 0.0.0.0 as here, that channel is bound on all interfaces; check the "address:" line of the ICAP channel in savdid.conf if it should only listen on localhost.
Check that the PID file was created and is in the right place (the path is the "pidfile:" value from savdid.conf, so make sure it matches the path the start/stop script reads later):
# ls -la /export/amavis/sssp.sock
-rw-r--r-- 1 root root 5 Dec 17 13:20 /export/amavis/sssp.sock
Now start the "Sophos Anti-Virus" client:
# /etc/init.d/sav-protect start
Starting Sophos Anti-Virus daemon: [ OK ]
Now you can integrate "savdi" in "amavisd" as the primary scanner on 127.0.0.1:4010, with the command line scanner as backup scanner (local only, no remote server support):
# vi /opt/amavisd-2.10.1/etc/amavisd.conf
--------------- /opt/amavisd-2.10.1/etc/amavisd.conf ---------------
@av_scanners = (
  ### http://www.sophos.com/
  ['Sophos-SSSP', # SAV Dynamic Interface
    \&ask_daemon, ["{}", 'sssp:[127.0.0.1]:4010'],
    qr/^DONE OK\b/m, qr/^VIRUS\b/m, qr/^VIRUS\s*(\S*)/m ],
);

@av_scanners_backup = (
  ### http://www.sophos.com/
  ['Sophos Anti Virus (savscan)', # formerly known as 'sweep'
    ['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep'
    '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
    '--no-reset-atime {}',
    [0,2], qr/Virus .*? found/m,
    qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
  ],
  # other options to consider: -idedir=/usr/local/sav
  # A name 'sweep' clashes with a name of an audio editor (Debian and FreeBSD).
  # Make sure the correct 'sweep' is found in the path if using the old name.
);
--------------- /opt/amavisd-2.10.1/etc/amavisd.conf ---------------
Restart "amavisd" so that our config becomes active:
# service amavisd restart
Check the logs of "amavisd" to see that our primary and backup scanners are recognized by "amavisd":
# tail -f /var/log/amavisd/amavis.log
Dec 17 13:25:01 stratos.comcept.ch /opt/amavisd-2.10.1/sbin/amavisd[12353]: Using primary internal av scanner code for Sophos-SSSP
Dec 17 13:25:01 stratos.comcept.ch /opt/amavisd-2.10.1/sbin/amavisd[12353]: Found secondary av scanner Sophos Anti Virus (savscan) at /opt/sophos-av/bin/savscan
Now you can test the scan on the command line with the EICAR test string: create a text file containing the EICAR test string and send it as a mail to a mailbox:
http://www.eicar.org/86-0-Intended-use.html
# echo "[EICAR test string]" > /export/sysop/virus.txt
# cat /export/sysop/virus.txt | /usr/sbin/sendmail user@mydomain.ch
Check the logs of "amavisd" in real time:
# tail -f /var/log/amavisd/amavis.log
Dec 17 14:00:51 stratos.comcept.ch /opt/amavisd-2.10.1/sbin/amavisd[12845]: (12845-01) run_av (Sophos-SSSP): /export/amavis/tmp/amavis-20151217T140051-12845-pAc8IMUN/parts INFECTED:EICAR-AV-Test
Dec 17 14:00:51 stratos.comcept.ch /opt/amavisd-2.10.1/sbin/amavisd[12845]: (12845-01) virus_scan: (EICAR-AV-Test), detected by 1 scanners: Sophos-SSSP
Also check the logs of "savdid" in real time:
# tail -f /var/log/savdi/[date of day log]
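As an added example that is not part of the original post (nor Sophos or amavisd code): a small stand-alone SSSP client in Python that does what "amavisd" does with the Sophos-SSSP entry above, so the "savdi" channel on 127.0.0.1:4010 can be checked with EICAR before mail is routed through it. The exact wire exchange (greeting "OK SSSP/1.0", "SSSP/1.0", "ACC", "SCANDATA", result lines up to "DONE", "BYE") is my assumption of what savdid speaks; the reply patterns are the ones from the amavisd.conf entry, and the check relies on "allowscandata: YES" from the savdid.conf above.

```python
# Added example, not code from the original post or from Sophos/amavisd.
# Stand-alone SSSP health check for the savdi channel on 127.0.0.1:4010.
# ASSUMPTION: the wire exchange (OK SSSP/1.0 greeting, "SSSP/1.0", "ACC",
# "SCANDATA <len>", result lines up to "DONE", "BYE") is my reading of what
# savdid speaks; the reply patterns are those of the amavisd.conf entry above.
import io
import re
import socket
from typing import List, Tuple

SSSP_ADDR = ("127.0.0.1", 4010)   # SSSP channel from savdid.conf

# Reply patterns, identical to the Sophos-SSSP entry in amavisd.conf
RE_DONE_OK = re.compile(r"^DONE OK\b", re.M)
RE_VIRUS = re.compile(r"^VIRUS\b", re.M)
RE_VIRUS_NAME = re.compile(r"^VIRUS\s*(\S*)", re.M)

# EICAR test string, assembled from two halves so this file is not itself flagged
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-"
         b"STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")


def interpret_reply(reply: str) -> Tuple[str, List[str]]:
    """Classify a savdid reply the way amavisd does with the three patterns:
    'infected' with the reported names, 'clean' on DONE OK, otherwise 'error'."""
    if RE_VIRUS.search(reply):
        names = [m for m in RE_VIRUS_NAME.findall(reply) if m]
        return "infected", names
    if RE_DONE_OK.search(reply):
        return "clean", []
    return "error", []


def _expect(rfile, prefix: str) -> str:
    """Read one line from savdid and insist it starts with the given token."""
    line = rfile.readline().decode("ascii", "replace").rstrip("\r\n")
    if not line.startswith(prefix):
        raise RuntimeError("expected %r from savdid, got %r" % (prefix, line))
    return line


def sssp_scan_data(rfile, wfile, data: bytes) -> str:
    """Run one SCANDATA transaction over connected read/write file objects and
    return the result lines from the server, up to and including DONE."""
    _expect(rfile, "OK SSSP/1.0")          # server greeting
    wfile.write(b"SSSP/1.0\n")
    wfile.flush()
    _expect(rfile, "ACC")                  # server accepts our protocol version
    wfile.write(b"SCANDATA %d\n" % len(data))
    wfile.write(data)                      # needs allowscandata: YES, <= maxscandata
    wfile.flush()
    _expect(rfile, "ACC")                  # request accepted, results follow
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise RuntimeError("savdid closed the connection before DONE")
        text = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(text)
        if text.startswith("DONE"):
            break
    wfile.write(b"BYE\n")
    wfile.flush()
    return "\n".join(lines)


def check_savdi(addr=SSSP_ADDR, timeout: float = 10.0) -> Tuple[str, List[str]]:
    """Connect to the SSSP channel, scan EICAR and return the verdict.
    A healthy setup yields ('infected', ['EICAR-AV-Test']), like the amavis log."""
    with socket.create_connection(addr, timeout=timeout) as s:
        with s.makefile("rb") as rf, s.makefile("wb") as wf:
            return interpret_reply(sssp_scan_data(rf, wf, EICAR))


# Constructed transcript of a healthy savdid answering an EICAR SCANDATA request
SAMPLE_TRANSCRIPT = (b"OK SSSP/1.0\n"
                     b"ACC 1 SSSP/1.0\n"
                     b"ACC 2 SCANDATA\n"
                     b"VIRUS EICAR-AV-Test 0\n"
                     b"DONE OK 0000 The function call succeeded\n"
                     b"BYE\n")


def replay_transcript(server_lines: bytes, data: bytes = EICAR):
    """Offline self-check: drive the client against a canned server transcript
    and return (verdict, names, bytes the client sent)."""
    rf, wf = io.BytesIO(server_lines), io.BytesIO()
    verdict, names = interpret_reply(sssp_scan_data(rf, wf, data))
    return verdict, names, wf.getvalue()


if __name__ == "__main__":
    print(replay_transcript(SAMPLE_TRANSCRIPT)[:2])   # offline self-check
    print(check_savdi())                             # live check against savdid
```

Run it on the Kolab server after "savdid" is up; anything other than ('infected', ['EICAR-AV-Test']) means amavisd would not get a usable verdict from the SSSP channel either.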
If all is fine create a start/stop script for "savdi":
# vi /etc/init.d/savdid
--------------- /etc/init.d/savdid ---------------
#!/bin/sh
#
# savdid   This shell script takes care of starting and stopping savdid.
#
# NB PIDFILE must be the "pidfile:" value from savdid.conf
SAVDID=/opt/sophos-savdi/bin/savdid
CONF=/opt/sophos-savdi/savdi/savdid.conf
PIDFILE=/export/amavis/sssp.sock

case "$1" in
'start')
    echo "Starting savdid on port 4010 / 4020: "
    $SAVDID -d -s -c $CONF
    echo "savdid was started on port 4010 / 4020: "
    ;;
'stop')
    echo "Shutting down savdid on port 4010 / 4020: "
    kill `cat $PIDFILE`
    echo "savdid was terminated on port 4010 / 4020: "
    ;;
'restart')
    echo "Restarting savdid on port 4010 / 4020: "
    kill -HUP `cat $PIDFILE`
    echo "savdid was restarted on port 4010 / 4020: "
    ;;
*)
    echo "Usage: $0 { start | stop | restart }"
    exit 1
    ;;
esac
exit 0
--------------- /etc/init.d/savdid ---------------
Set the ownership and permissions of the start script:
# chown root:root /etc/init.d/savdid
# chmod 755 /etc/init.d/savdid
Create the corresponding entries in the RC levels so that "savdid" is started automatically when the server boots:
# cd /etc/rc0.d/
# ln -s ../init.d/savdid /etc/rc0.d/K87savdid
# cd /etc/rc1.d/
# ln -s ../init.d/savdid /etc/rc1.d/K87savdid
# cd /etc/rc3.d/
# ln -s ../init.d/savdid /etc/rc3.d/S13savdid
# cd /etc/rc6.d/
# ln -s ../init.d/savdid /etc/rc6.d/K87savdid
Test the start/stop script:
# /etc/init.d/savdid { stop | start | restart }
Check the logs of "savdid" regarding stop/start:
/var/log/savdi/
Keep in mind that you always need to start "sav-protect" first and "savdid" afterwards, which means:
# /etc/init.d/savdid stop
# /etc/init.d/sav-protect stop
# /etc/init.d/sav-protect start
# /etc/init.d/savdid start
==== "Renew Subscription" for "Sophos Anti-Virus 9" ====
If you need to renew the subscription of the license, the new username and password must be entered in the config, which means:
# /opt/sophos-av/bin/savconfig --all
Email: root at localhost
EmailDemandSummaryIfThreat: true
EmailLanguage: English
EmailNotifier: true
EmailServer: localhost:25
EnableOnStart: false
ExclusionEncodings: UTF-8
EUC-JP
ISO-8859-1
LogMaxSizeMB: 15
NotifyOnUpdate: false
PrimaryUpdateSourcePath: sophos:
PrimaryUpdateUsername: [Username]
PrimaryUpdatePassword: ********
SendErrorEmail: false
SendThreatEmail: false
UINotifier: true
UIpopupNotification: true
UIttyNotification: true
UpdatePeriodMinutes: 180
NamedScans Not configured
LiveProtection: enabled
ScanArchives: mixed
Now set the username and password of the license with the corresponding parameters "PrimaryUpdateUsername" and "PrimaryUpdatePassword":
# /opt/sophos-av/bin/savconfig set PrimaryUpdateUsername [New username for subscription]
# /opt/sophos-av/bin/savconfig set PrimaryUpdatePassword [New password for subscription]
# /etc/init.d/savdid stop
# /etc/init.d/sav-protect stop
# /etc/init.d/sav-protect start
# /etc/init.d/savdid start
I hope you enjoy this how-to and that it helps you to add an additional antivirus scanner to your Kolab installation if you need a scalable installation!
--
Kind regards
Andrea