
sav-protect: service is permanently restarting

[Ubuntu 16.04 LTS, Sophos free 9]

Hi,

after a fresh install of Sophos free 9 on an Ubuntu server, in /var/log/syslog I get the following lines over and over again:

Feb 22 09:41:03 elearn5 systemd[1]: sav-protect.service: Service hold-off time over, scheduling restart.
Feb 22 09:41:03 elearn5 systemd[1]: Stopped "Sophos Anti-Virus daemon".
Feb 22 09:41:03 elearn5 systemd[1]: Starting "Sophos Anti-Virus daemon"...
Feb 22 09:41:03 elearn5 systemd[1]: Started "Sophos Anti-Virus daemon".

Seems sav-protect is restarted about every 3 seconds ...

Does anybody have an idea what is going wrong and how I can stop this? Reinstall Sophos?

Regards

Ulrich



  • Assuming you installed to the default location, /opt/sophos-av/log/sav-protect.log might contain some clues about what is failing.

    Running /opt/sophos-av/bin/savlog might tell you something, but probably not if syslog isn't showing the problem.

    # systemctl status sav-protect

    Might give some info about what is going wrong from systemd's side.

  • Hi Douglas,

    /opt/sophos-av/log/sav-protect.log contains but two lines (a few minutes ago):

    Thu Feb 22 10:56:28 CET 2018
    Thu Feb 22 10:56:28 CET 2018

     

    systemctl status sav-protect gives:

    ● sav-protect.service - "Sophos Anti-Virus daemon"
       Loaded: loaded (/lib/systemd/system/sav-protect.service; enabled; vendor preset: enabled)
       Active: deactivating (stop) since Thu 2018-02-22 11:00:13 CET; 1s ago
         Docs: man:sav-protect
      Process: 100867 ExecStartPost=/opt/sophos-av/engine/.sav-protect.systemd.poststart.sh (code=exited, status=0/SUCCESS)
      Process: 100866 ExecStart=/opt/sophos-av/engine/.sav-protect.systemd.start.sh (code=exited, status=0/SUCCESS)
      Process: 100855 ExecStartPre=/opt/sophos-av/engine/.sav-protect.systemd.prestart.sh (code=exited, status=0/SUCCESS)
     Main PID: 100866 (code=exited, status=0/SUCCESS);         : 100875 (.sav-protect.sy)
        Tasks: 2
       Memory: 1.1M
          CPU: 66ms
       CGroup: /system.slice/sav-protect.service
               └─control
                 ├─100875 /bin/sh /opt/sophos-av/engine/.sav-protect.systemd.stop.sh
                 └─100878 sleep 2

    Feb 22 11:00:13 elearn5 systemd[1]: Starting "Sophos Anti-Virus daemon"...
    Feb 22 11:00:13 elearn5 systemd[1]: Started "Sophos Anti-Virus daemon".

    I think I understand WHAT it does, but I don't understand WHY ...

    Regards

    Uli

  • Hi Uli,

     

    I'm afraid that hasn't really told me what has gone wrong.

     

    I guess you could try:

    systemctl stop sav-protect

    /opt/sophos-av/bin/savdctl start --no-daemon

     

    That might output something to show why savd is not working.

  • Stopping sav-protect stops those messages in syslog - as expected. But there are no further hints.

    Just to get it right: sav-protect is the on-access-scanner!?

    We want to use Sophos together with Ilias LMS, so as to prevent learners from uploading malware to our learning system. In Ilias setup I claim 'savscan -all -nc -archive' and 'savscan -all -nc -remove -archive' to get on demand scans. I could omit the on-access-scanner then, couldn't I?

    Regards

    Uli

  • Hi Uli,

     

    Savd does more than the on-access scanner, it also schedules updates, and controls scheduled scans.

    The second command starts savd directly, without forking, so that we can see if: a) it immediately exits, or b) produces some output.

    Thanks,

    Douglas.

  • Hi Douglas,

     

    the second command did not produce any output.

     

    Uli

  • Hi Uli,

    That's weird. 

    I guess install strace and run:

    strace -f /opt/sophos-av/bin/savdctl start --no-daemon

     

    Might tell us where it's failing.

  • Hi,

    there we are:

    root@elearn5:~# strace -f /opt/sophos-av/bin/savdctl start --no-daemon
    execve("/opt/sophos-av/bin/savdctl", ["/opt/sophos-av/bin/savdctl", "start", "--no-daemon"], [/* 21 vars */]) = -1 ENOEXEC (Exec format error)
    write(2, "strace: exec: Exec format error\n", 32strace: exec: Exec format error
    ) = 32
    exit_group(1)                           = ?
    +++ exited with 1 +++

    Should we use 'enable' instead of 'start'?

  • Hi Uli,

    No - enable talks to a running savd, to enable on-access. start runs savd.

     

    Please could you run:

    uname -a

    arch

    getconf LONG_BIT

    file -L /sbin/init

    dpkg --print-architecture

     

    It looks like something weird is going on with your machine's ability to execute SAV.

  • root@elearn5:~# uname -a
    Linux elearn5 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

    root@elearn5:~# arch
    x86_64

    root@elearn5:~# getconf LONG_BIT
    64

    root@elearn5:~# file -L /sbin/init
    /sbin/init: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=bcaff4962ff2e60856c1058c6b820071f9596c20, stripped

    root@elearn5:~# dpkg --print-architecture
    amd64

  • Hi,

    That wasn't it then.

    cat /proc/mounts

    Let's see if /opt is mounted weirdly?

    Thanks,

    Douglas.
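
The last two checks in the thread, what the kernel sees at the start of the file when strace reports ENOEXEC and how the filesystem holding /opt is mounted, can be scripted as below. This is an added example, not part of the original posts or of Sophos tooling; the function names and the script name check.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): two checks behind an execve() ENOEXEC.

# exec_kind FILE: classify the leading bytes the kernel inspects on execve().
# "unknown" and "empty" files fail a direct execve() with ENOEXEC; an
# interactive shell usually hides that by running the file as a sh script.
exec_kind() {
    [ -s "$1" ] || { echo empty; return; }
    magic=$(od -An -tx1 -N5 "$1" | tr -d ' \n')
    case "$magic" in
        7f454c4601) echo elf32 ;;    # ELF magic + EI_CLASS = 32-bit
        7f454c4602) echo elf64 ;;    # ELF magic + EI_CLASS = 64-bit
        7f454c46*)  echo elf ;;
        2321*)      echo script ;;   # "#!" interpreter line
        *)          echo unknown ;;
    esac
}

# mount_for PATH [MOUNTS_FILE]: print "mountpoint fstype options" for the
# filesystem PATH lives on (longest matching mount point, later entries win).
mount_for() {
    awk -v p="$1" '
        {
            mp = $2
            if (mp == "/" || p == mp || index(p, mp "/") == 1)
                if (length(mp) >= best) { best = length(mp); line = mp " " $3 " " $4 }
        }
        END { if (line != "") print line; else exit 1 }
    ' "${2:-/proc/mounts}"
}

# has_noexec PATH [MOUNTS_FILE]: succeed if that filesystem is mounted noexec.
# A noexec mount normally surfaces as EACCES rather than ENOEXEC, so this
# rules a cause in or out; it does not by itself explain "Exec format error".
has_noexec() {
    case ",$(mount_for "$1" "${2:-/proc/mounts}" | awk '{print $3}')," in
        *,noexec,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Usage: sh check.sh /opt/sophos-av/bin/savdctl
if [ "$#" -ge 1 ]; then
    echo "format: $(exec_kind "$1")"
    echo "mount:  $(mount_for "$1")"
    has_noexec "$1" && echo "warning: filesystem is mounted noexec"
fi
```

An "elf64" result only confirms the header class; the ELF must still match the machine architecture to execute.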