
Linux on-demand scan vs named scan

I was setting up a sophos named scan for our Red Hat Linux environment but I noticed that in the named scan there is no option to quarantine a file if it is found to be infected. I only see threataction=donothing|delete. Our security posture is to quarantine infected files - am I missing something?

Or should I go with on-demand scans then? With on-demand scanning I see there is an option to --quarantine and -move=/path/to/move/infected/files/to. In the install pdf it even references doing this in a crontab, but it's a dead link: To schedule an on-demand scan, use the command crontab. For details, see Sophos support knowledgebase article 12176. Anything special about running this in a crontab?

savscan -di -ns -nc -all -rec -nremove --stay-on-machine --quarantine -move=/opt/sophos-av/quarantine -bs -sc -f -p /opt/sophos-av/log/weekly-scan.log

Thanks.

Joe.

  • Hello Joe,

    first a question (or two questions):
    Our security posture is to quarantine infected files - how do these potentially infected files get onto the Linux machine and what's their prospective use? From your savscan command I glean you intend to scan once per week. In the worst case a threat could reside on the machine for seven days until it is detected (and quarantined). Is on-access scanning disabled?

    As to crontab, haven't tried it but there's nothing special. You should specify the path (don't rely upon it defaulting to "/") and of course savscan must be executed under a user with sufficient permissions.

    Christian
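
    A cron wrapper along the lines Christian describes (explicit scan path, run as a user with sufficient permissions), written as an added example and not code from the thread or from Sophos. It reuses Joe's option set unchanged, and assumes savscan lives at /usr/local/bin/savscan and returns 0/1/2/3 for clean/interrupted/error/threats found as documented in the savscan man page (verify against your installed version):

```shell
#!/bin/sh
# Added example (not from the thread): cron wrapper around Joe's savscan options.
# It requires an explicit scan path, keeps the quarantine directory root-only, and
# records savscan's exit status so a silent cron job still leaves evidence.
# Assumed: savscan at /usr/local/bin/savscan (override via SAVSCAN); exit codes
# 0 clean / 1 interrupted / 2 error / 3 threats found per the savscan man page.
SAVSCAN="${SAVSCAN:-/usr/local/bin/savscan}"

# Quarantined samples must not be readable or re-executable by ordinary users.
ensure_quarantine_dir() {
    dir="$1"
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 0700 "$dir"
}

# Translate savscan's exit status into a word that is easy to grep or alert on.
savscan_status() {
    case "$1" in
        0) echo "clean" ;;
        1) echo "interrupted" ;;
        2) echo "error" ;;
        3) echo "threats-found" ;;
        *) echo "unknown-$1" ;;
    esac
}

# Usage: run_weekly_scan <scan-path> <quarantine-dir> <log-file>
# Prints the status word and returns savscan's own exit code to cron.
run_weekly_scan() {
    scan_path="$1" quarantine="$2" logfile="$3"
    if [ -z "$scan_path" ] || [ ! -d "$scan_path" ]; then
        echo "run_weekly_scan: scan path missing or not a directory" >&2
        return 2
    fi
    ensure_quarantine_dir "$quarantine" || return 2
    # Joe's option set plus the explicit path; savscan's report is appended to the log.
    "$SAVSCAN" -di -ns -nc -all -rec -nremove --stay-on-machine \
        --quarantine -move="$quarantine" -bs -sc -f "$scan_path" >>"$logfile" 2>&1
    rc=$?
    status=$(savscan_status "$rc")
    printf '%s weekly-savscan path=%s status=%s rc=%s\n' \
        "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$scan_path" "$status" "$rc" >>"$logfile"
    echo "$status"
    return "$rc"
}

# Root crontab entry, Sundays 02:00; path, quarantine and log are explicit arguments:
# 0 2 * * 0 /usr/local/sbin/weekly-savscan.sh /srv/data /opt/sophos-av/quarantine /opt/sophos-av/log/weekly-scan.log
if [ $# -eq 3 ]; then run_weekly_scan "$@"; fi
```

    Because the wrapper passes savscan's exit code through, cron's mail or your job scheduler will flag a run that found threats (3) or failed (2) instead of treating every completed scan as success.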
