I've recently installed the free SAV version on a Linux server to evaluate it as a potential solution for scanning emails for malware.
I did notice a few "interesting" behavior differences though, and I hope someone could explain those to me:
If sav-protect.service is stopped, scanning a known malware file (https://www.virustotal.com/#/file/82ca635333f13e229a0b4562b1c9daab9c3ba6bd932c334940ef7ca1ad66afbb/detection) does tell me that the file is clean:
# savscan --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive /tmp/v/DOC\ 47520_IMG.zip
SAVScan virus detection utility
Version 5.47.0 [Linux/AMD64]
Virus data version 5.55, September 2018
Includes detection for 25679169 viruses, Trojans and worms
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.
System time 03:55:32 AM, System date 23 September 2018
Command line qualifiers are: --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive
IDE directory is: /opt/sophos-av/lib/sav
[IDE messages removed]
Quick Scanning
1 file scanned in 16 seconds.
No viruses were discovered.
End of Scan.
#
Running the same scan with the sav-protect.service running, tells a different story:
# systemctl start sav-protect.service
# savscan --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive /tmp/v/DOC\ 47520_IMG.zip
SAVScan virus detection utility
Version 5.47.0 [Linux/AMD64]
Virus data version 5.55, September 2018
Includes detection for 25679169 viruses, Trojans and worms
Copyright (c) 1989-2018 Sophos Limited. All rights reserved.
System time 03:57:20 AM, System date 23 September 2018
Command line qualifiers are: --no-reset-atime --stay-on-filesystem --stay-on-machine --show-file-details -archive
IDE directory is: /opt/sophos-av/lib/sav
[IDE messages removed]
Quick Scanning
>>> Virus 'Mal/Generic-S' found in file /tmp/v/DOC 47520_IMG.zip/DOC 47520_IMG.exe [root,root,644]
>>> Virus 'Mal/Generic-S' found in file /tmp/v/DOC 47520_IMG.zip [root,root,644]
1 file scanned in 16 seconds.
2 viruses were discovered.
1 file out of 1 was infected.
If you need further advice regarding any detections please visit our
Threat Center at: www.sophos.com/.../threat-center.aspx
End of Scan.
#
So this is better. But why does the savscan tool need the savscand running for this file to be detected as a virus? The eicar.com testfile is detected regardless of the savscand running or not.
The second question now is, why does the sav direct interface _not_ recognize the virus in the same file?
# socat stdio unix-connect:/var/run/savdi/sssp.sock
OK SSSP/1.0
SSSP/1.0
ACC 5BA6ED9E/1
SCANFILE /tmp/v/eicar.com
ACC 5BA6ED9E/2
VIRUS EICAR-AV-Test /tmp/v/eicar.com
OK 0203 /tmp/v/eicar.com
DONE OK 0203 Virus found during virus scan
SCANFILE /tmp/v/DOC%2047520_IMG.zip
ACC 5BA6ED9E/3
DONE OK 0000 The function call succeeded
BYE
BYE
#
So what gives? EICAR is found, but a real virus isn't? Savdi is configured to scan inside archives and all other files using the GrpSuper configuration, so it shouldn't be that.
QUERY SAVI gives the following options that a scan is running with:
{'AS3': {'type': 'U32', 'value': 1},
'ASPack': {'type': 'U32', 'value': 1},
'AXml': {'type': 'U32', 'value': 1},
'Access': {'type': 'U32', 'value': 1},
'ActiveMimeHandling': {'type': 'U32', 'value': 1},
'AllowPartialVirusData': {'type': 'U32', 'value': 0},
'AppleSingle': {'type': 'U32', 'value': 1},
'ApplicationControl': {'type': 'U32', 'value': 0},
'ArjDecompression': {'type': 'U32', 'value': 1},
'Base64': {'type': 'U32', 'value': 1},
'BehaviourMalware': {'type': 'U32', 'value': 1},
'BehaviourSuspicious': {'type': 'U32', 'value': 0},
'Block': {'type': 'U32', 'value': 1},
'Brotli': {'type': 'U32', 'value': 1},
'BuffCacheSize': {'type': 'U16', 'value': 4},
'Bzip2': {'type': 'U32', 'value': 1},
'CleanBmp': {'type': 'U32', 'value': 1},
'CleanGif': {'type': 'U32', 'value': 1},
'CleanJpeg': {'type': 'U32', 'value': 1},
'CleanMp3': {'type': 'U32', 'value': 1},
'CleanMpeg': {'type': 'U32', 'value': 1},
'CleanPng': {'type': 'U32', 'value': 1},
'CleanRiff': {'type': 'U32', 'value': 1},
'CleanTiff': {'type': 'U32', 'value': 1},
'CloudSandbox': {'type': 'U32', 'value': 0},
'CmzDecompression': {'type': 'U32', 'value': 1},
'ConcatenatedArchives': {'type': 'U32', 'value': 0},
'CustomExtract': {'type': 'U32', 'value': 1},
'DecomprSizeCb': {'type': 'U32', 'value': 0},
'DecompressVBA5': {'type': 'U32', 'value': 1},
'Deflate': {'type': 'U32', 'value': 1},
'DelVBA5Project': {'type': 'U32', 'value': 1},
'DetectSecondaries': {'type': 'U32', 'value': 0},
'Dex': {'type': 'U32', 'value': 1},
'Dmg': {'type': 'U32', 'value': 0},
'DynamicDecompression': {'type': 'U32', 'value': 1},
'Elf': {'type': 'U32', 'value': 1},
'Emulation': {'type': 'U32', 'value': 1},
'EnableAllowedLists': {'type': 'U32', 'value': 0},
'EnableAutoStop': {'type': 'U32', 'value': 0},
'EnableOSSpecificLoad': {'type': 'U32', 'value': 0},
'EnablePdfAutoStop': {'type': 'U32', 'value': 0},
'Epoc': {'type': 'U32', 'value': 1},
'ExcelFormulaHandling': {'type': 'U32', 'value': 1},
'ExecFileDisinfection': {'type': 'U32', 'value': 1},
'ExtensiveScan': {'type': 'U32', 'value': 0},
'Fsg': {'type': 'U32', 'value': 1},
'FullMacroSweep': {'type': 'U32', 'value': 0},
'FullPdf': {'type': 'U32', 'value': 0},
'FullSweep': {'type': 'U32', 'value': 0},
'GZipDecompression': {'type': 'U32', 'value': 1},
'GrpArchiveUnpack': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpClean': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpDisinfect': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpExecutable': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpInternet': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpMSOffice': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpMisc': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpSelfExtract': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpSuper': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpWebArchive': {'type': 'OPTION_GROUP', 'value': '2'},
'GrpWebEncoding': {'type': 'OPTION_GROUP', 'value': '2'},
'Guid': {'type': 'U32', 'value': 1},
'HelpHandling': {'type': 'U32', 'value': 1},
'Hfs': {'type': 'U32', 'value': 0},
'HqxDecompression': {'type': 'U32', 'value': 1},
'Html': {'type': 'U32', 'value': 1},
'Http': {'type': 'U32', 'value': 1},
'ISCabinet': {'type': 'U32', 'value': 1},
'ISCabinetFull': {'type': 'U32', 'value': 0},
'ISO9660': {'type': 'U32', 'value': 0},
'ITSS': {'type': 'U32', 'value': 1},
'IdeDir': {'type': 'OPTION_STRING', 'value': '/opt/sophos-av/lib/sav'},
'IgnoreTemplateBit': {'type': 'U32', 'value': 1},
'JSEmul': {'type': 'U32', 'value': 1},
'Java': {'type': 'U32', 'value': 1},
'LZMAAlone': {'type': 'U32', 'value': 1},
'Lha': {'type': 'U32', 'value': 1},
'LoopBackEnabled': {'type': 'U32', 'value': 1},
'MLEnabled': {'type': 'U32', 'value': 0},
'MSCabinet': {'type': 'U32', 'value': 1},
'MSCompress': {'type': 'U32', 'value': 1},
'MachO': {'type': 'U32', 'value': 1},
'MarkTampered': {'type': 'U32', 'value': 1},
'MaxIntRecDepth': {'type': 'U16', 'value': 25},
'MaxRecursionDepth': {'type': 'U16', 'value': 16},
'MaxSampleSubmitSize': {'type': 'U16', 'value': 10240},
'MbinDecompression': {'type': 'U32', 'value': 1},
'Mbox': {'type': 'U32', 'value': 1},
'Mime': {'type': 'U32', 'value': 1},
'MimeEmbedLimit': {'type': 'U16', 'value': 25},
'MimeEmbedLines': {'type': 'U16', 'value': 500},
'MimeEmbedded': {'type': 'U32', 'value': 1},
'MimeReScan': {'type': 'U32', 'value': 2},
'Msi': {'type': 'U32', 'value': 0},
'NamespaceSupport': {'type': 'U32', 'value': 0},
'OF95DecryptHandling': {'type': 'U32', 'value': 1},
'OLE2Handling': {'type': 'U32', 'value': 1},
'Odoc': {'type': 'U32', 'value': 1},
'Office2001Handling': {'type': 'U32', 'value': 1},
'Office97Decrypt': {'type': 'U32', 'value': 1},
'Ole2FileDisinfection': {'type': 'U32', 'value': 1},
'OleDataMsoHandling': {'type': 'U32', 'value': 1},
'OleRawHandling': {'type': 'U32', 'value': 1},
'OleScriptHandling': {'type': 'U32', 'value': 1},
'OpenMacRf': {'type': 'U32', 'value': 1},
'OutlookExpress': {'type': 'U32', 'value': 1},
'Oxml': {'type': 'U32', 'value': 1},
'PECompact': {'type': 'U32', 'value': 1},
'PEHandling': {'type': 'U32', 'value': 1},
'PalmPilotHandling': {'type': 'U32', 'value': 1},
'Pdf': {'type': 'U32', 'value': 1},
'PeEmulator': {'type': 'U32', 'value': 1},
'Plist': {'type': 'U32', 'value': 1},
'PowerPointEmbeddedHandling': {'type': 'U32', 'value': 1},
'PowerPointMacroHandling': {'type': 'U32', 'value': 1},
'ProductCLI': {'type': 'U32', 'value': 0},
'ProductDesktop': {'type': 'U32', 'value': 0},
'ProductGateway': {'type': 'U32', 'value': 0},
'ProductMobile': {'type': 'U32', 'value': 1},
'ProductUnspecified': {'type': 'U32', 'value': 1},
'ProductWeb': {'type': 'U32', 'value': 0},
'ProjectHandling': {'type': 'U32', 'value': 1},
'PuaDetection': {'type': 'U32', 'value': 0},
'RarDecompression': {'type': 'U32', 'value': 1},
'Rpm': {'type': 'U32', 'value': 1},
'Rtf': {'type': 'U32', 'value': 1},
'SXLAsynchDelay': {'type': 'U16', 'value': 0},
'SXLAsynchQueueSize': {'type': 'U16', 'value': 200},
'SXLAsynchThreadCount': {'type': 'U16', 'value': 1},
'SXLCacheEnable': {'type': 'U32', 'value': 0},
'SXLCacheFileStub': {'type': 'OPTION_STRING', 'value': ''},
'SXLCacheSize': {'type': 'U16', 'value': 20},
'SXLLiveProtection': {'type': 'U32', 'value': 0},
'SXLTimeout': {'type': 'U16', 'value': 250},
'SampleSubmit': {'type': 'U32', 'value': 0},
'Saveset': {'type': 'U32', 'value': 0},
'ScrapObjectHandling': {'type': 'U32', 'value': 1},
'Sdoc': {'type': 'U32', 'value': 1},
'SfxArchives': {'type': 'U32', 'value': 1},
'Sis': {'type': 'U32', 'value': 1},
'Skip': {'type': 'U32', 'value': 1},
'SrpStreamHandling': {'type': 'U32', 'value': 1},
'StorageDetOnly': {'type': 'U32', 'value': 0},
'StorageReport': {'type': 'U32', 'value': 0},
'StorageReportAddtolist': {'type': 'U32', 'value': 0},
'StorageReportAll': {'type': 'U32', 'value': 0},
'StrictPdf': {'type': 'U32', 'value': 0},
'StrongPdf': {'type': 'U32', 'value': 0},
'Stuffit': {'type': 'U32', 'value': 0},
'Swf': {'type': 'U32', 'value': 1},
'Szip': {'type': 'U32', 'value': 1},
'TarDecompression': {'type': 'U32', 'value': 1},
'ThreatAccumulation': {'type': 'U32', 'value': 0},
'TnefAttachmentHandling': {'type': 'U32', 'value': 1},
'TnefEmbedHandling': {'type': 'U32', 'value': 0},
'TrueFileTypeDetection': {'type': 'U32', 'value': 0},
'TrueFileTypeDetectionLevel': {'type': 'U16', 'value': 1},
'UTF16': {'type': 'U32', 'value': 1},
'UnixArchive': {'type': 'U32', 'value': 1},
'Upx': {'type': 'U32', 'value': 1},
'UueDecompression': {'type': 'U32', 'value': 1},
'VBA3Handling': {'type': 'U32', 'value': 1},
'VBA5Handling': {'type': 'U32', 'value': 1},
'VbFiltering': {'type': 'U32', 'value': 1},
'Vba5Dir': {'type': 'U32', 'value': 0},
'Vba5p': {'type': 'U32', 'value': 1},
'VbaOnly': {'type': 'U32', 'value': 1},
'VbaTable': {'type': 'U32', 'value': 1},
'Vbe': {'type': 'U32', 'value': 1},
'VirusDataDir': {'type': 'OPTION_STRING', 'value': '/opt/sophos-av/lib/sav'},
'VirusDataIntegrityChecking': {'type': 'U32', 'value': 0},
'VirusDataName': {'type': 'OPTION_STRING', 'value': 'vdl'},
'VisioEmbedHandling': {'type': 'U32', 'value': 0},
'VisioFileHandling': {'type': 'U32', 'value': 1},
'WordB': {'type': 'U32', 'value': 1},
'Xar': {'type': 'U32', 'value': 1},
'Xml': {'type': 'U32', 'value': 0},
'XmlMaxExtStrCnt': {'type': 'TYPE11', 'value': '1000000'},
'XmlOdoc': {'type': 'U32', 'value': 1},
'XsumOnDiskPath': {'type': 'OPTION_STRING', 'value': ''},
'ZipDecompression': {'type': 'U32', 'value': 1},
'ZipUseChd': {'type': 'U32', 'value': 1}}
Any ideas?
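To make the SSSP exchange from the post reproducible, here is an added example (not Sophos code and not part of the original post): a small SSSP/1.0 client for the savdi Unix socket, plus an in-process fake server that replays the two responses shown above so the client can be exercised without savdi installed. The message shapes (`OK SSSP/1.0`, `ACC`, `SCANFILE`, `VIRUS`, `OK <code> <file>`, `DONE OK <code> <message>`, `BYE`) are taken from the transcript; the reply-id `5BA6ED9E`, the verdict table and the socket path are constructed sample data, and the client treating the file name as URL-encoded (space sent as `%20`, as the post does) is an assumption about the protocol.

```python
"""Added example: SSSP/1.0 client for a savdi socket + fake server replaying
the exchange from the post. Not Sophos code; formats copied from the transcript."""
import os
import socket
import tempfile
import threading
from urllib.parse import quote, unquote


def sssp_scan(sock_path, paths):
    """Handshake, SCANFILE each path, then BYE.
    Returns {path: (result code, [threat names])}."""
    results = {}
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        f = s.makefile("rwb", buffering=0)

        def readline():
            raw = f.readline()
            if not raw:
                raise RuntimeError("savdi closed the connection")
            return raw.decode().rstrip("\r\n")

        def expect(prefix):
            line = readline()
            if not line.startswith(prefix):
                raise RuntimeError(f"expected {prefix!r}, got {line!r}")
            return line

        expect("OK SSSP/1.0")          # server greeting
        f.write(b"SSSP/1.0\n")         # client announces the protocol version
        expect("ACC ")                 # every request is acknowledged first
        for path in paths:
            # Assumption: the file name is sent URL-encoded (the post sends %20)
            f.write(f"SCANFILE {quote(path)}\n".encode())
            expect("ACC ")
            threats, code = [], None
            while code is None:
                line = readline()
                if line.startswith("VIRUS "):
                    # VIRUS <name> <file>; the file part may itself contain spaces
                    threats.append(line.split(" ", 2)[1])
                elif line.startswith("DONE "):
                    code = line.split(" ", 3)[2]     # DONE OK <code> <message>
                # "OK <code> <file>" per-file lines and blank lines are skipped
            results[path] = (code, threats)
        f.write(b"BYE\n")
    return results


# Constructed verdict table mirroring the post: EICAR flagged, the zip returns 0000.
FAKE_VERDICTS = {
    "/tmp/v/eicar.com": (["EICAR-AV-Test"], "0203", "Virus found during virus scan"),
    "/tmp/v/DOC 47520_IMG.zip": ([], "0000", "The function call succeeded"),
}


def fake_savdi(srv):
    """Serve one SSSP session on a listening socket (test double, not savdi)."""
    conn, _ = srv.accept()
    with conn:
        f = conn.makefile("rwb", buffering=0)
        f.write(b"OK SSSP/1.0\n")
        seq = 0
        while True:
            raw = f.readline()
            if not raw:
                break
            line = raw.decode().rstrip("\r\n")
            if line == "BYE":
                f.write(b"BYE\n")
                break
            seq += 1
            f.write(f"ACC 5BA6ED9E/{seq}\n".encode())   # constructed reply id
            if line.startswith("SCANFILE "):
                path = unquote(line[len("SCANFILE "):])
                names, code, msg = FAKE_VERDICTS.get(
                    path, ([], "0000", "The function call succeeded"))
                for name in names:
                    f.write(f"VIRUS {name} {path}\n".encode())
                if names:
                    f.write(f"OK {code} {path}\n".encode())
                f.write(f"DONE OK {code} {msg}\n".encode())


def demo():
    """Run the client against the fake server over a temporary socket."""
    sock_path = os.path.join(tempfile.mkdtemp(), "sssp.sock")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)
    t = threading.Thread(target=fake_savdi, args=(srv,), daemon=True)
    t.start()
    try:
        return sssp_scan(sock_path, ["/tmp/v/eicar.com", "/tmp/v/DOC 47520_IMG.zip"])
    finally:
        t.join(timeout=5)
        srv.close()
        os.unlink(sock_path)


if __name__ == "__main__":
    for path, (code, threats) in demo().items():
        print(f"{path}: code={code} threats={threats}")
```

Pointing `sssp_scan` at the real `/var/run/savdi/sssp.sock` instead of the fake gives the same structured result for a live savdi, which makes it straightforward to compare the daemon's verdict on a file against `savscan` output in a mail-gateway integration. Note that the QUERY SAVI dump in the post shows `SXLLiveProtection`, `CloudSandbox` and `MLEnabled` all at 0 for the savdi process; when a detection appears only with `sav-protect.service` running, the scan options in effect for each scanning path are the first thing worth comparing.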