This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

savdid vs. savscan vs. savscand with varying scan results

I've recently installed the free sav version on a linux server to evaluate as a potential solution for scanning emails for malware.

I did notice a few "interesting" behavior differences though and I hope someone could explain those to me:

If sav-protect.service is stopped, scanning a known malware file (https://www.virustotal.com/#/file/82ca635333f13e229a0b4562b1c9daab9c3ba6bd932c334940ef7ca1ad66afbb/detection) does tell me that the file is clean:

# savscan --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive /tmp/v/DOC\ 47520_IMG.zip
SAVScan virus detection utility
Version 5.47.0 [Linux/AMD64]
Virus data version 5.55, September 2018
Includes detection for 25679169 viruses, Trojans and worms
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.

System time 03:55:32 AM, System date 23 September 2018
Command line qualifiers are: --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive

IDE directory is: /opt/sophos-av/lib/sav

[IDE messages removed]


Quick Scanning


1 file scanned in 16 seconds.
No viruses were discovered.
End of Scan.
#

Running the same scan with the sav-protect.service running, tells a different story:

# systemctl start sav-protect.service
# savscan --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive /tmp/v/DOC\ 47520_IMG.zip

SAVScan virus detection utility
Version 5.47.0 [Linux/AMD64]
Virus data version 5.55, September 2018
Includes detection for 25679169 viruses, Trojans and worms
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.

System time 03:57:20 AM, System date 23 September 2018
Command line qualifiers are: --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive

IDE directory is: /opt/sophos-av/lib/sav

[IDE messages removed]

Quick Scanning

>>> Virus 'Mal/Generic-S' found in file /tmp/v/DOC 47520_IMG.zip/DOC 47520_IMG.exe [root,root,644]
>>> Virus 'Mal/Generic-S' found in file /tmp/v/DOC 47520_IMG.zip [root,root,644]

1 file scanned in 16 seconds.
2 viruses were discovered.
1 file out of 1 was infected.
If you need further advice regarding any detections please visit our
Threat Center at: www.sophos.com/.../threat-center.aspx
End of Scan.
#

So this is better. But why does the savscan tool need the savscand running for this file to be detected as a virus? The eicar.com testfile is detected regardless of the savscand running or not.

The second question now is, why does the sav direct interface _not_ recognize the virus in the same file?

# socat stdio unix-connect:/var/run/savdi/sssp.sock
OK SSSP/1.0
SSSP/1.0
ACC 5BA6ED9E/1
SCANFILE /tmp/v/eicar.com
ACC 5BA6ED9E/2
VIRUS EICAR-AV-Test /tmp/v/eicar.com
OK 0203 /tmp/v/eicar.com
DONE OK 0203 Virus found during virus scan

SCANFILE /tmp/v/DOC%2047520_IMG.zip
ACC 5BA6ED9E/3
DONE OK 0000 The function call succeeded

BYE
BYE
#

So what gives? eicar found, but a real virus isn't? Savdi is configures to scan in archives and all other files using the GrpSuper configuration, so it shouldn't be that.

QUERY SAVI gives the following options that a scan is running with:

{'AS3': {'type': 'U32', 'value': 1},
 'ASPack': {'type': 'U32', 'value': 1},
 'AXml': {'type': 'U32', 'value': 1},
 'Access': {'type': 'U32', 'value': 1},
 'ActiveMimeHandling': {'type': 'U32', 'value': 1},
 'AllowPartialVirusData': {'type': 'U32', 'value': 0},
 'AppleSingle': {'type': 'U32', 'value': 1},
 'ApplicationControl': {'type': 'U32', 'value': 0},
 'ArjDecompression': {'type': 'U32', 'value': 1},
 'Base64': {'type': 'U32', 'value': 1},
 'BehaviourMalware': {'type': 'U32', 'value': 1},
 'BehaviourSuspicious': {'type': 'U32', 'value': 0},
 'Block': {'type': 'U32', 'value': 1},
 'Brotli': {'type': 'U32', 'value': 1},
 'BuffCacheSize': {'type': 'U16', 'value': 4},
 'Bzip2': {'type': 'U32', 'value': 1},
 'CleanBmp': {'type': 'U32', 'value': 1},
 'CleanGif': {'type': 'U32', 'value': 1},
 'CleanJpeg': {'type': 'U32', 'value': 1},
 'CleanMp3': {'type': 'U32', 'value': 1},
 'CleanMpeg': {'type': 'U32', 'value': 1},
 'CleanPng': {'type': 'U32', 'value': 1},
 'CleanRiff': {'type': 'U32', 'value': 1},
 'CleanTiff': {'type': 'U32', 'value': 1},
 'CloudSandbox': {'type': 'U32', 'value': 0},
 'CmzDecompression': {'type': 'U32', 'value': 1},
 'ConcatenatedArchives': {'type': 'U32', 'value': 0},
 'CustomExtract': {'type': 'U32', 'value': 1},
 'DecomprSizeCb': {'type': 'U32', 'value': 0},
 'DecompressVBA5': {'type': 'U32', 'value': 1},
 'Deflate': {'type': 'U32', 'value': 1},
 'DelVBA5Project': {'type': 'U32', 'value': 1},
 'DetectSecondaries': {'type': 'U32', 'value': 0},
 'Dex': {'type': 'U32', 'value': 1},
 'Dmg': {'type': 'U32', 'value': 0},
 'DynamicDecompression': {'type': 'U32', 'value': 1},
 'Elf': {'type': 'U32', 'value': 1},
 'Emulation': {'type': 'U32', 'value': 1},
 'EnableAllowedLists': {'type': 'U32', 'value': 0},
 'EnableAutoStop': {'type': 'U32', 'value': 0},
 'EnableOSSpecificLoad': {'type': 'U32', 'value': 0},
 'EnablePdfAutoStop': {'type': 'U32', 'value': 0},
 'Epoc': {'type': 'U32', 'value': 1},
 'ExcelFormulaHandling': {'type': 'U32', 'value': 1},
 'ExecFileDisinfection': {'type': 'U32', 'value': 1},
 'ExtensiveScan': {'type': 'U32', 'value': 0},
 'Fsg': {'type': 'U32', 'value': 1},
 'FullMacroSweep': {'type': 'U32', 'value': 0},
 'FullPdf': {'type': 'U32', 'value': 0},
 'FullSweep': {'type': 'U32', 'value': 0},
 'GZipDecompression': {'type': 'U32', 'value': 1},
 'GrpArchiveUnpack': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpClean': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpDisinfect': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpExecutable': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpInternet': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpMSOffice': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpMisc': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpSelfExtract': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpSuper': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpWebArchive': {'type': 'OPTION_GROUP', 'value': '2'},
 'GrpWebEncoding': {'type': 'OPTION_GROUP', 'value': '2'},
 'Guid': {'type': 'U32', 'value': 1},
 'HelpHandling': {'type': 'U32', 'value': 1},
 'Hfs': {'type': 'U32', 'value': 0},
 'HqxDecompression': {'type': 'U32', 'value': 1},
 'Html': {'type': 'U32', 'value': 1},
 'Http': {'type': 'U32', 'value': 1},
 'ISCabinet': {'type': 'U32', 'value': 1},
 'ISCabinetFull': {'type': 'U32', 'value': 0},
 'ISO9660': {'type': 'U32', 'value': 0},
 'ITSS': {'type': 'U32', 'value': 1},
 'IdeDir': {'type': 'OPTION_STRING', 'value': '/opt/sophos-av/lib/sav'},
 'IgnoreTemplateBit': {'type': 'U32', 'value': 1},
 'JSEmul': {'type': 'U32', 'value': 1},
 'Java': {'type': 'U32', 'value': 1},
 'LZMAAlone': {'type': 'U32', 'value': 1},
 'Lha': {'type': 'U32', 'value': 1},
 'LoopBackEnabled': {'type': 'U32', 'value': 1},
 'MLEnabled': {'type': 'U32', 'value': 0},
 'MSCabinet': {'type': 'U32', 'value': 1},
 'MSCompress': {'type': 'U32', 'value': 1},
 'MachO': {'type': 'U32', 'value': 1},
 'MarkTampered': {'type': 'U32', 'value': 1},
 'MaxIntRecDepth': {'type': 'U16', 'value': 25},
 'MaxRecursionDepth': {'type': 'U16', 'value': 16},
 'MaxSampleSubmitSize': {'type': 'U16', 'value': 10240},
 'MbinDecompression': {'type': 'U32', 'value': 1},
 'Mbox': {'type': 'U32', 'value': 1},
 'Mime': {'type': 'U32', 'value': 1},
 'MimeEmbedLimit': {'type': 'U16', 'value': 25},
 'MimeEmbedLines': {'type': 'U16', 'value': 500},
 'MimeEmbedded': {'type': 'U32', 'value': 1},
 'MimeReScan': {'type': 'U32', 'value': 2},
 'Msi': {'type': 'U32', 'value': 0},
 'NamespaceSupport': {'type': 'U32', 'value': 0},
 'OF95DecryptHandling': {'type': 'U32', 'value': 1},
 'OLE2Handling': {'type': 'U32', 'value': 1},
 'Odoc': {'type': 'U32', 'value': 1},
 'Office2001Handling': {'type': 'U32', 'value': 1},
 'Office97Decrypt': {'type': 'U32', 'value': 1},
 'Ole2FileDisinfection': {'type': 'U32', 'value': 1},
 'OleDataMsoHandling': {'type': 'U32', 'value': 1},
 'OleRawHandling': {'type': 'U32', 'value': 1},
 'OleScriptHandling': {'type': 'U32', 'value': 1},
 'OpenMacRf': {'type': 'U32', 'value': 1},
 'OutlookExpress': {'type': 'U32', 'value': 1},
 'Oxml': {'type': 'U32', 'value': 1},
 'PECompact': {'type': 'U32', 'value': 1},
 'PEHandling': {'type': 'U32', 'value': 1},
 'PalmPilotHandling': {'type': 'U32', 'value': 1},
 'Pdf': {'type': 'U32', 'value': 1},
 'PeEmulator': {'type': 'U32', 'value': 1},
 'Plist': {'type': 'U32', 'value': 1},
 'PowerPointEmbeddedHandling': {'type': 'U32', 'value': 1},
 'PowerPointMacroHandling': {'type': 'U32', 'value': 1},
 'ProductCLI': {'type': 'U32', 'value': 0},
 'ProductDesktop': {'type': 'U32', 'value': 0},
 'ProductGateway': {'type': 'U32', 'value': 0},
 'ProductMobile': {'type': 'U32', 'value': 1},
 'ProductUnspecified': {'type': 'U32', 'value': 1},
 'ProductWeb': {'type': 'U32', 'value': 0},
 'ProjectHandling': {'type': 'U32', 'value': 1},
 'PuaDetection': {'type': 'U32', 'value': 0},
 'RarDecompression': {'type': 'U32', 'value': 1},
 'Rpm': {'type': 'U32', 'value': 1},
 'Rtf': {'type': 'U32', 'value': 1},
 'SXLAsynchDelay': {'type': 'U16', 'value': 0},
 'SXLAsynchQueueSize': {'type': 'U16', 'value': 200},
 'SXLAsynchThreadCount': {'type': 'U16', 'value': 1},
 'SXLCacheEnable': {'type': 'U32', 'value': 0},
 'SXLCacheFileStub': {'type': 'OPTION_STRING', 'value': ''},
 'SXLCacheSize': {'type': 'U16', 'value': 20},
 'SXLLiveProtection': {'type': 'U32', 'value': 0},
 'SXLTimeout': {'type': 'U16', 'value': 250},
 'SampleSubmit': {'type': 'U32', 'value': 0},
 'Saveset': {'type': 'U32', 'value': 0},
 'ScrapObjectHandling': {'type': 'U32', 'value': 1},
 'Sdoc': {'type': 'U32', 'value': 1},
 'SfxArchives': {'type': 'U32', 'value': 1},
 'Sis': {'type': 'U32', 'value': 1},
 'Skip': {'type': 'U32', 'value': 1},
 'SrpStreamHandling': {'type': 'U32', 'value': 1},
 'StorageDetOnly': {'type': 'U32', 'value': 0},
 'StorageReport': {'type': 'U32', 'value': 0},
 'StorageReportAddtolist': {'type': 'U32', 'value': 0},
 'StorageReportAll': {'type': 'U32', 'value': 0},
 'StrictPdf': {'type': 'U32', 'value': 0},
 'StrongPdf': {'type': 'U32', 'value': 0},
 'Stuffit': {'type': 'U32', 'value': 0},
 'Swf': {'type': 'U32', 'value': 1},
 'Szip': {'type': 'U32', 'value': 1},
 'TarDecompression': {'type': 'U32', 'value': 1},
 'ThreatAccumulation': {'type': 'U32', 'value': 0},
 'TnefAttachmentHandling': {'type': 'U32', 'value': 1},
 'TnefEmbedHandling': {'type': 'U32', 'value': 0},
 'TrueFileTypeDetection': {'type': 'U32', 'value': 0},
 'TrueFileTypeDetectionLevel': {'type': 'U16', 'value': 1},
 'UTF16': {'type': 'U32', 'value': 1},
 'UnixArchive': {'type': 'U32', 'value': 1},
 'Upx': {'type': 'U32', 'value': 1},
 'UueDecompression': {'type': 'U32', 'value': 1},
 'VBA3Handling': {'type': 'U32', 'value': 1},
 'VBA5Handling': {'type': 'U32', 'value': 1},
 'VbFiltering': {'type': 'U32', 'value': 1},
 'Vba5Dir': {'type': 'U32', 'value': 0},
 'Vba5p': {'type': 'U32', 'value': 1},
 'VbaOnly': {'type': 'U32', 'value': 1},
 'VbaTable': {'type': 'U32', 'value': 1},
 'Vbe': {'type': 'U32', 'value': 1},
 'VirusDataDir': {'type': 'OPTION_STRING', 'value': '/opt/sophos-av/lib/sav'},
 'VirusDataIntegrityChecking': {'type': 'U32', 'value': 0},
 'VirusDataName': {'type': 'OPTION_STRING', 'value': 'vdl'},
 'VisioEmbedHandling': {'type': 'U32', 'value': 0},
 'VisioFileHandling': {'type': 'U32', 'value': 1},
 'WordB': {'type': 'U32', 'value': 1},
 'Xar': {'type': 'U32', 'value': 1},
 'Xml': {'type': 'U32', 'value': 0},
 'XmlMaxExtStrCnt': {'type': 'TYPE11', 'value': '1000000'},
 'XmlOdoc': {'type': 'U32', 'value': 1},
 'XsumOnDiskPath': {'type': 'OPTION_STRING', 'value': ''},
 'ZipDecompression': {'type': 'U32', 'value': 1},
 'ZipUseChd': {'type': 'U32', 'value': 1}}

Any ideas?



This thread was automatically locked due to age.
  • Hello Martin Michelsen,

    as far as I can see scanning for suspicious files is turned off for both case #1 (-suspicious off by default) and #3 (BehaviourSuspicious = 0) that might explain why it doesn't trigger. Can't say whether savscan somehow "cooperates" with savscand (case #2), perhaps can give some information.

    Christian

  • Hello Christian,

     

    thank you for your attempt at figuring it out. :-)

    I had already considered BehaviourSuspicious as a source of the different scanning results but based on the KB article https://community.sophos.com/kb/en-us/35504 I had ruled it out as the virus was found as "Mal/Generic-S", which means malware and suspicious files are tagged with the "Sus/" prefix.

    Scanning with the session option BehaviourSuspicious set to 1 did not make a difference either.

    So to summarize: Unfortunately it wasn't the Suspicious scanning behavior.

    Let's hope someone else comes up with the right suggestion. :-)

    Thanks,

     Martin

  • Hello Martin,

    I didn't test and I agree with you regarding Mal/ vs. Sus/ but OTOH Mal/Generic-S is not only, as its name implies, a generic detection but I daresay the generic detection that in addition might or might not bring a Live Protection (SXL) lookup about.
    Looks like a submission through VirusTotal doesn't result in a detailed analysis. One of the recommended actions in response to a Mal/Generic-S detection is to submit the sample, in most (true positive) cases the result is a specific detection. Of course this does not explain the differences.

    Christian

  • Fair enough. Mal/Generic-S needing Live Protection is a good point. The description of that at https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Generic-S/detailed-analysis.aspx hints at SXL being useful.

     

    Interestingly, something changed over night. Savscan now returns two different hits. The .zip container I clawed out of a mailspool still is Mal/Generic-S but the .exe payload now has a name Mal/Fareit-Q:

    >>> Virus 'Mal/Fareit-Q' found in file /tmp/v/DOC 47520_IMG.zip/DOC 47520_IMG.exe
    >>> Virus 'Mal/Generic-S' found in file /tmp/v/DOC 47520_IMG.zip

    Does not help me at all though, sssp will still not recognize the sample.

    [Update] After restarting savdid, the file is _now_ being recognized via sssp as well:

    # socat stdio unix-connect:/var/run/savdi/sssp.sock
    OK SSSP/1.0
    SSSP/1.0
    ACC 5BA8E74C/1
    SCANFILE /tmp/v/DOC 47520_IMG.zip
    ACC 5BA8E74C/2
    VIRUS Mal/Fareit-Q /tmp/v/DOC%2047520_IMG.zip/DOC%2047520_IMG.exe
    OK 0203 /tmp/v/DOC%2047520_IMG.zip
    DONE OK 0203 Virus found during virus scan

    BYE
    BYE

     

    So to summarize:

    • There is a difference between on-demand scanning with sav-protect enabled and disabled. The Mal/Generic-S variant is only found with savd running while the specific Mal/Fareit-Q variant is found regardless of the savd daemon running or not.
    • Scanning via the SSSP socket using savdid does seem to only find specific known malware and does not seem to find Generic variants. This is regardless of savd running or not.
    • It seemed that savdid needed to be restarted to pick up virus definition updates? That would be in-line with the manual at "1.14 Virus and Engine Updates" but it appears to me that this would imply that for savdid does load the virus definitions from disk and does not actually communicate with savd at all. An strace seems to confirm that.

    That would explain why a Generic variant is not detected at all as this seems to be require savd running. But that would also mean that sssp will not support heuristics and/or LiveProtection, one of the main reasons I was evaluating Sophos-AV.

    Is my understanding correct? Or should I better talk to pre-sales?

     

    Thanks,

     Martin

  • The only thing I can think of is LiveProtection. 

     

    If sav-protect (savd) is inactive then savscan will turn LiveProtection off.

     

    I imagine savdid has LiveProtection off as well. (I'm afraid I don't really know much about savdid).

  • Hi Douglas,

     

    that seems to be in line with my observation just now. savd running finds the generic variant, savd stopped will not find it anymore. That would point at LiveProtection and thank you for confirming that LiveProtection needs savd running.

    Querying the SAVI server for it's current settings yields the following:

    'SXLLiveProtection': {'type': 'U32', 'value': 0}

    That indicates that LiveProtection is indeed disabled.

    Interestingly, it seems not possible to enable LiveProtection. Setting savists: SXLLiveProtection 1 in the config file gives a savdid that starts but does not reply to any queries.

    Setting it at runtime via OPTIONS and then sending savists: SXLLiveProtection 1 gives an "DONE FAIL 0057 Invalid argument supplied" error.

    So I think we have indeed explained _why_ the Generic malware is not found.

    The remaining question is now how to enable LiveProtection with savdi.

     

    But thanks so far, at least I now understand what is going on, which is a start.

  • Unfortunately various other options, for e.g. DNS have to be set before the virus data is loaded, and I don't know if savdi supports those.

  • I see. Do you know if there's any documentation I might have missed searching? Or is there someone you would recommend who'd know?