talpa-deny errors preventing backups on ubuntu 20.04

I run sophos free SAV: 9.16.2, Engine: 3.79.0, Data: 5.77 , with talpa . Sophos Anti-Virus is active and on-access scanning is running

I use 7z to backup my files on ubuntu 20.04. Some of these files are from wine, and get talpa-deny errors in the system log, causing the backup to report timeouts, lock up and then have to be stopped.  However, I don't get virus alerts for these talpa-deny events.

An example from the syslog (my directory being replaced by .....) is:

kernel: [ 5994.994356] talpa-deny: Timeout occurred while opening ......../.wine/drive_c/windows/syswow64/mmdevldr.vxd on behalf of process 7z[7429/7429] owned by 1000(1000)/1000(1000) <62>

How can I
a) detect this better than just getting a syslog error
b) prevent it from happening

  • Hi  

    Free SAV for Linux and its support has been retired (For more info please see: https://support.sophos.com/support/s/article/KB-000034795?language=en_US). I would request you to kindly upgrade to the standalone Linux/Unix endpoint or Central/Enterprise Console managed endpoint.

    Thanks,

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • That's an unexpected blow.

    I've had a look at your home page and can't find the product you mention by that name.  I assume you mean Intercept X.

    Is there no product that I can install on a linux laptop, one desktop and one server?  I'm not averse to paying a bit, but certainly don't want to start adding extra boxes to my network, not least because my laptop isn't always at home.  Could you please advise whether Sophos still provide products for this type of use or not.  

  • Hi  

    Unfortunately, the free version of Sophos Antivirus for Linux has been discontinued. You can install the standalone version of the Sophos Anti-Virus as mentioned in this article

    Shweta

    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.

     

  • Thanks, but I'm afraid this is as clear as mud to me.  The 'free' version is, as far as I can tell, the same as the standalone version, just without support, and always has been.  The SAV software is, according to the article you referred me to, reaching EOL in 2023.  Before then I assume I will still get updates in the normal way.  Is that not right?

    There are other threads on this topic, such as https://community.sophos.com/products/free-antivirus-tools-for-desktops/f/sophos-free-tools/121788/sav-for-linux-free-edition-is-discontinued

    I would ask SOPHOS to come out and be really clear what they intend to sell and support for standalone use on Linux.

    There is a free Windows/MAC version, and a free Android version.  I don't see any reference to EOL for them.  What's with linux?

    If SOPHOS really don't want to work with non-business standalone users maybe they should just say so clearly so we can all go off and find some other free or paid version.

  • Hello Shweta and pastim,

    unfortunately this article, while correct at the time of writing, is improper and at least the Overview part should be rewritten.

    It mentions and links to the Free Tools page but the SAV for Linux section has since been removed.

    It's not stated that the stand-alone installer is only available with one of the on-premise managed product licenses. Furthermore it should note that this applies only to existing licenses as these products are no longer on sale.

    @pastim:
    You probably know I'm not Sophos so this is my guess only. As to a Linux Home version like the ones for Windows and macOS. For one thing SAV for Linux lacks a GUI and doesn't have the look and feel of a typical "home" product. A quite different aspect is that there is no real desktop/server distinction on Linux. AFAIK Central (the business product line) considers any Linux endpoint to be a server - with the associated license fees.
    Perhaps insufficient ROI is expected from developing a home/desktop desktop branch that is given away for free or licensed at "home" rates.

    Last but not least the talpa-deny. You enquired about it already four years ago, didn't you? Guess the scanner doesn't report these errors as they are something that "shouldn't happen" and apparently they affect both the scanner and the process accessing the file.
    You could perhaps exclude the path(s) from on-access scanning while the backup is running.

    Christian

  • Christian, 

    Thanks very much.  From what you say I gather there will be no stand alone Sophos for Linux at all (paid or free) once EOL is reached in 2023, so I'll need to look fo something else in the next couple of years.  No rush.

    I have completely forgotten reporting on talpa-deny in the past - my memory is pretty bad at the best of times.  I'll see what I can do to exclude the directories from access scanning during backups.


  • I'm not wholly rejecting Christian's answer to my question.  However, un-alerted talpa-deny errors seem to me to be bugs, and so a report of this nature should really stand until the bug is fixed.

    However, since there's never been any support for the free version, and presumably even less now it's unavailable, that isn't going to help me much.

    So the technique to avoid the issue will have to suffice.  Thanks.

    I wonder how answers get marked as 'the answer'.  By computer?  By moderator?  I might have thought someone would expect the originator of the thread to be responsible for doing that. Naive of me.

  • Hi  

    I can understand your situation and I have marked QC's answer as a verified answer. I'll reach out to the concerned team to get the KB article updated with more information. I thank you for your cooperation and understanding. 

    Thanks,

    Yashraj Singha

    Community Team Lead, Support & Services| Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' button.

  • Hello pastim,

    un-alerted talpa-deny errors seem to me to be bugs
    I'm a Talpa-ἰδιώτης (if you're looking for an expert is one), never encountered such errors and thus can only conjecture what they signify. If I had to guess I'd say an unexpected timeout resulted in the decision to deny access. Unexpected in the sense that preceding operations on the file succeeded and thus a reopen should not time out. But I might be completely wrong.
    I don't get virus alerts for these talpa-deny events
    you mean there's no message in the savlog? Talpa is not SAV, I don't think that it's even aware that a savlog exists. And if the scanner is already done with the file it probably no longer communicates with Talpa.

    I'm not sure if there is what could be called a bug (some things simply don't go together) and if, where it is. If it's not in Talpa or SAV then Sophos can't fix it.

    marked as 'the answer'.  By computer?  By moderator?
    It wasn't me [:)]. Ah, Yashraj just confessed. Do you as originator have the option to reject the answer? I don't have questions so I could never check [:P]. I also don't know whether all users see (and can click) the This helped me link (moderators do).
    And BTW - I didn't see your original post as threat, IMO you only started a thread.

    Christian

  • Thanks Christian.  There are messages in the savlog.  

    It is a bug in the sense that it seems to prevent the backup program from reading the file.  It happens every time, not just sometimes.  Weird.

    Apologies for the typo, 'threat' should indeed be 'thread' :-)