Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 20 replies
  • Subscribers 9 subscribers
  • Views 27055 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

sav-protect: service is permanently restarting

Ulrich Agricola

[Ubuntu 16.04 LTS, Sophos free 9]

Hi,

after a fresh install of Sophos free 9 on an Ubuntu server, in /var/log/syslog I get the following lines over and over agein:

Feb 22 09:41:03 elearn5 systemd[1]: sav-protect.service: Service hold-off time over, scheduling restart.
Feb 22 09:41:03 elearn5 systemd[1]: Stopped "Sophos Anti-Virus daemon".
Feb 22 09:41:03 elearn5 systemd[1]: Starting "Sophos Anti-Virus daemon"...
Feb 22 09:41:03 elearn5 systemd[1]: Started "Sophos Anti-Virus daemon".

Seems sav-protect is restarted about every 3 Seconds ...

Does anybody have an idea, what is going wrong ang how I can stop this? Reinstall Sophos?

Regards

Ulrich



This thread was automatically locked due to age.
Parents
  • 0

    Assuming you installed to the default location: Then /opt/sophos-av/log/sav-protect.log might contain some clues about what is failing.

    Running /opt/sophos-av/bin/savlog might tell you something, but probably not is syslog isn't showing the problem.

     

    # systemctl status sav-protect 

    Might give some info about what is going wrong from systemd's side.

  • 0 in reply to DouglasLeeder

    Hi Douglas,

    /opt/sophos-av/log sav-protect.log contains but two lines ( a few minutes ago):

    Thu Feb 22 10:56:28 CET 2018
    Thu Feb 22 10:56:28 CET 2018

     

    systemctl status sav-protect gives:

    ● sav-protect.service - "Sophos Anti-Virus daemon"
       Loaded: loaded (/lib/systemd/system/sav-protect.service; enabled; vendor preset: enabled)
       Active: deactivating (stop) since Thu 2018-02-22 11:00:13 CET; 1s ago
         Docs: man:sav-protect
      Process: 100867 ExecStartPost=/opt/sophos-av/engine/.sav-protect.systemd.poststart.sh (code=exited, status=0/SUCCESS)
      Process: 100866 ExecStart=/opt/sophos-av/engine/.sav-protect.systemd.start.sh (code=exited, status=0/SUCCESS)
      Process: 100855 ExecStartPre=/opt/sophos-av/engine/.sav-protect.systemd.prestart.sh (code=exited, status=0/SUCCESS)
     Main PID: 100866 (code=exited, status=0/SUCCESS);         : 100875 (.sav-protect.sy)
        Tasks: 2
       Memory: 1.1M
          CPU: 66ms
       CGroup: /system.slice/sav-protect.service
               └─control
                 ├─100875 /bin/sh /opt/sophos-av/engine/.sav-protect.systemd.stop.sh
                 └─100878 sleep 2

    Feb 22 11:00:13 elearn5 systemd[1]: Starting "Sophos Anti-Virus daemon"...
    Feb 22 11:00:13 elearn5 systemd[1]: Started "Sophos Anti-Virus daemon".

    I think I understand WHAT it does, but I don't understand WHY ...

    Regards

    Uli

  • 0 in reply to DouglasLeeder

    root@elearn5:~# uname -a
    Linux elearn5 4.4.0-91-generic #114-Ubuntu SMP Tue Aug 8 11:56:56 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

    root@elearn5:~# arch
    x86_64

    root@elearn5:~# getconf LONG_BIT
    64

    root@elearn5:~# file -L /sbin/init
    /sbin/init: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=bcaff4962ff2e60856c1058c6b820071f9596c20, stripped

    root@elearn5:~# dpkg --print-architecture
    amd64

  • 0 in reply to Ulrich Agricola

    Hi,

    That wasn't it then.

    cat /proc/mounts

    Lets see if /opt is mounted weirdly?

    Thanks,

    Douglas.

  • 0 in reply to DouglasLeeder

    root@elearn5:~# cat /proc/mounts
    sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
    proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
    udev /dev devtmpfs rw,nosuid,relatime,size=32908016k,nr_inodes=8227004,mode=755 0 0
    devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000 0 0
    tmpfs /run tmpfs rw,nosuid,noexec,relatime,size=6585636k,mode=755 0 0
    /dev/mapper/elearn5--vg-root / ext4 rw,relatime,errors=remount-ro,data=ordered 0 0
    securityfs /sys/kernel/security securityfs rw,nosuid,nodev,noexec,relatime 0 0
    tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
    tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k 0 0
    tmpfs /sys/fs/cgroup tmpfs ro,nosuid,nodev,noexec,mode=755 0 0
    cgroup /sys/fs/cgroup/systemd cgroup rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd 0 0
    pstore /sys/fs/pstore pstore rw,nosuid,nodev,noexec,relatime 0 0
    cgroup /sys/fs/cgroup/memory cgroup rw,nosuid,nodev,noexec,relatime,memory 0 0
    cgroup /sys/fs/cgroup/perf_event cgroup rw,nosuid,nodev,noexec,relatime,perf_event 0 0
    cgroup /sys/fs/cgroup/cpuset cgroup rw,nosuid,nodev,noexec,relatime,cpuset 0 0
    cgroup /sys/fs/cgroup/pids cgroup rw,nosuid,nodev,noexec,relatime,pids 0 0
    cgroup /sys/fs/cgroup/cpu,cpuacct cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct 0 0
    cgroup /sys/fs/cgroup/blkio cgroup rw,nosuid,nodev,noexec,relatime,blkio 0 0
    cgroup /sys/fs/cgroup/devices cgroup rw,nosuid,nodev,noexec,relatime,devices 0 0
    cgroup /sys/fs/cgroup/net_cls,net_prio cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio 0 0
    cgroup /sys/fs/cgroup/freezer cgroup rw,nosuid,nodev,noexec,relatime,freezer 0 0
    cgroup /sys/fs/cgroup/hugetlb cgroup rw,nosuid,nodev,noexec,relatime,hugetlb 0 0
    systemd-1 /proc/sys/fs/binfmt_misc autofs rw,relatime,fd=26,pgrp=1,timeout=0,minproto=5,maxproto=5,direct 0 0
    debugfs /sys/kernel/debug debugfs rw,relatime 0 0
    nfsd /proc/fs/nfsd nfsd rw,relatime 0 0
    mqueue /dev/mqueue mqueue rw,relatime 0 0
    tracefs /sys/kernel/debug/tracing tracefs rw,relatime 0 0
    sunrpc /run/rpc_pipefs rpc_pipefs rw,relatime 0 0
    hugetlbfs /dev/hugepages hugetlbfs rw,relatime 0 0
    fusectl /sys/fs/fuse/connections fusectl rw,relatime 0 0
    /dev/sda2 /boot ext2 rw,relatime,block_validity,barrier,user_xattr,acl 0 0
    lxcfs /var/lib/lxcfs fuse.lxcfs rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0
    //141.78.7.240/nas-a /nas-ei cifs rw,relatime,vers=1.0,cache=strict,username=rza016,domain=EO-ED-NASA,uid=0,noforceuid,gid=0,noforcegid,addr=141.78.7.240,unix,posixpaths,serverino,mapposix,acl,rsize=1048576,wsize=65536,echo_interval=60,actimeo=1 0 0
    //141.78.159.238/nas-a3 /nas-in3 cifs rw,relatime,vers=1.0,cache=strict,username=rza016,domain=SERVER-RZHB-KUE,uid=0,noforceuid,gid=0,noforcegid,addr=141.78.159.238,unix,posixpaths,serverino,mapposix,acl,rsize=1048576,wsize=65536,echo_interval=60,actimeo=1 0 0
    tmpfs /run/user/0 tmpfs rw,nosuid,nodev,relatime,size=6585636k,mode=700 0 0

  • 0 in reply to Ulrich Agricola

    Hi,

     

    Ok, so not a weird mount then.

    Let's try:

    file /opt/sophos-av/bin/savdctl

    file -L /opt/sophos-av/bin/savdctl

    head /opt/sophos-av/bin/savdctl

    strace -f /bin/sh /opt/sophos-av/bin/savdctl start --no-daemon 

  • 0 in reply to DouglasLeeder

    Hi,

    root@elearn5:~# file /opt/sophos-av/bin/savdctl
    /opt/sophos-av/bin/savdctl: symbolic link to _/_pyexec

     

    root@elearn5:~# file -L /opt/sophos-av/bin/savdctl
    /opt/sophos-av/bin/savdctl: empty

     

    root@elearn5:~# head /opt/sophos-av/bin/savdctl -> no output!

     

    root@elearn5:~# strace -f /bin/sh /opt/sophos-av/bin/savdctl start --no-daemon
    execve("/bin/sh", ["/bin/sh", "/opt/sophos-av/bin/savdctl", "start", "--no-daemon"], [/* 21 vars */]) = 0
    brk(NULL)                               = 0x55fa92c75000
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
    access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    fstat(3, {st_mode=S_IFREG|0644, st_size=40903, ...}) = 0
    mmap(NULL, 40903, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f138dc10000
    close(3)                                = 0
    access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
    open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0P\t\2\0\0\0\0\0"..., 832) = 832
    fstat(3, {st_mode=S_IFREG|0755, st_size=1868984, ...}) = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f138dc0f000
    mmap(NULL, 3971488, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f138d62b000
    mprotect(0x7f138d7eb000, 2097152, PROT_NONE) = 0
    mmap(0x7f138d9eb000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1c0000) = 0x7f138d9eb000
    mmap(0x7f138d9f1000, 14752, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7f138d9f1000
    close(3)                                = 0
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f138dc0e000
    mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f138dc0d000
    arch_prctl(ARCH_SET_FS, 0x7f138dc0e700) = 0
    mprotect(0x7f138d9eb000, 16384, PROT_READ) = 0
    mprotect(0x55fa92b87000, 8192, PROT_READ) = 0
    mprotect(0x7f138dc1a000, 4096, PROT_READ) = 0
    munmap(0x7f138dc10000, 40903)           = 0
    getuid()                                = 0
    getgid()                                = 0
    getpid()                                = 146114
    rt_sigaction(SIGCHLD, {0x55fa9297b540, ~[RTMIN RT_1], SA_RESTORER, 0x7f138d6604b0}, NULL, 8) = 0
    geteuid()                               = 0
    brk(NULL)                               = 0x55fa92c75000
    brk(0x55fa92c96000)                     = 0x55fa92c96000
    getppid()                               = 146112
    stat("/root", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
    stat(".", {st_mode=S_IFDIR|0700, st_size=4096, ...}) = 0
    open("/opt/sophos-av/bin/savdctl", O_RDONLY) = 3
    fcntl(3, F_DUPFD, 10)                   = 10
    close(3)                                = 0
    fcntl(10, F_SETFD, FD_CLOEXEC)          = 0
    geteuid()                               = 0
    getegid()                               = 0
    rt_sigaction(SIGINT, NULL, {SIG_DFL, [], 0}, 8) = 0
    rt_sigaction(SIGINT, {0x55fa9297b540, ~[RTMIN RT_1], SA_RESTORER, 0x7f138d6604b0}, NULL, 8) = 0
    rt_sigaction(SIGQUIT, NULL, {SIG_DFL, [], 0}, 8) = 0
    rt_sigaction(SIGQUIT, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f138d6604b0}, NULL, 8) = 0
    rt_sigaction(SIGTERM, NULL, {SIG_DFL, [], 0}, 8) = 0
    rt_sigaction(SIGTERM, {SIG_DFL, ~[RTMIN RT_1], SA_RESTORER, 0x7f138d6604b0}, NULL, 8) = 0
    read(10, "", 8192)                      = 0
    exit_group(0)                           = ?
    +++ exited with 0 +++

     

    Sorry to take so much of your time!

    Uli

  • 0 in reply to Ulrich Agricola

    Hi,

     

    That looks very bad -  _/_pyexec should have be a shell script to run SAV programs.

    You'll need to reinstall but uninstalling might be rather hard, depending on what else didn't get installed properly.

    I don't know why that file is empty.

     

  • 0 in reply to Ulrich Agricola

    There's a second machine, where Sophos works properly. Does it make sense, to copy the missing file(s)?

  • 0 in reply to Ulrich Agricola

    Hi,

     

    You could try that - the file has the same contents.

     

    Thanks,

    Douglas.

  • 0 in reply to Ulrich Agricola

    Hallo Uli and Douglas,

    please excuse my chiming in as I can't contribute to the solution but this post about the intended use caught my eye.
    Isn't savscan rather expensive for this purpose and wouldn't SAVDI a better option?

    Christian 

  • 0 in reply to DouglasLeeder

    Hi Douglas,

    I copied the file, and

    /opt/sophos-av/bin/savdctl start

    seems to work normal. Now I'll have to do some testing ...

     

    Thanks a lot for your support so far!

    Regards

    Uli

Reply Children
No Data
Unfiltered HTML