
Sophos for Linux savscan on-demand fails to move detected file to quarantine folder location

I have been using Sophos for Linux for a few years now on a large website with a lot of uploads. We noticed that Sophos was no longer moving files to quarantine after we made infrastructure changes, such as making another Linux container with Redis to help serve the files from a host shared folder location. ClamAV has no problem with this change as well as anything accessing the folder from a SAMBA share.

Example of what SAVSCAN spits out while scanning:

➜ scripts ./scansophos.sh
>>> PUA 'Keygen' (of type Hacktool) found in file /storage/uploads/[FILENAME].zip/Sandboxie 5.22 Final + patch -Crackingpatching.com/patch/keygen_by_uuk_mod.exe
Quarantined /storage/uploads/[FILENAME].zip successfully
Moving /storage/uploads/[FILENAME].zip to /storage/quarantine/ failed

The scan runs as root with these parameters:

savscan $scan_uploads -nc -ss -archive -all -suspicious -pua --quarantine -move=$virus_vault -p=$tmp_log_file

I've adjusted permissions in the relevant folders, reinstalled Sophos AV, and made entirely new containers with Ubuntu 18.04 LTS and set everything up again on them, without success.

I'm frankly at a loss. Sophos for Linux is my favorite Linux AV, and I wish to still use it (as well as move to the paid server product, if command line tools work similarly). I contribute undetected malware samples to Sophos often as a way to give back to the Linux scanner being free. I'd appreciate any help, suggestions, etc. Thank you.

  • Hello Mike Sulsenti,

    I'm neither using -move nor --quarantine (actually I don't use savscan for this kind of task). Can't say how or why it could have failed to move. Perhaps has some troubleshooting tips.

    Christian

  • Hi,

    I'm afraid that isn't code I work on (sweep), so I don't know the answer. You could try running under strace -f to see what the rename is attempting. I'd hope that it tries rename, and falls back to copy/delete if the destination is on a different mount point to the source.

    In terms of free vs. paid, they are the same code.

    Thanks,

    Douglas.
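Douglas's reply suggests tracing the rename; one condition that makes rename(2) fail is the destination being on a different mount from the source (the kernel returns EXDEV), which is exactly the situation a separate container volume or host shared folder can create. The snippet below is an added illustration, not Sophos's code and not a description of what savscan does internally: it shows the st_dev check for that condition and a quarantine move that falls back to copy-and-delete on EXDEV, with the strace invocation from the reply in a comment; the directories, file names and injected rename stand-in are all constructed.

```python
import errno
import os
import shutil
import tempfile

# Diagnostic from the reply above: trace only the rename-family syscalls of
# savscan and its children, e.g.
#   strace -f -e trace=rename,renameat,renameat2 -o savscan.trace savscan ...
# A rename failing with EXDEV means source and destination are on different mounts.

def same_filesystem(path_a, path_b):
    """True when both paths are on the same mounted filesystem (same st_dev)."""
    return os.stat(path_a).st_dev == os.stat(path_b).st_dev

def move_to_quarantine(src, quarantine_dir, rename=os.rename):
    """Move src into quarantine_dir: rename first, copy+unlink across mounts.
    `rename` is injectable so the cross-device path can be exercised without a
    second mount. Returns (final_path, "rename" | "copy")."""
    dst = os.path.join(quarantine_dir, os.path.basename(src))
    try:
        rename(src, dst)
        return dst, "rename"
    except OSError as exc:
        if exc.errno != errno.EXDEV:
            raise  # permission or missing-directory errors are real failures
    # Cross-device: copy (keeping mode and mtime), verify size, then unlink source.
    shutil.copy2(src, dst)
    if os.path.getsize(dst) != os.path.getsize(src):
        os.unlink(dst)
        raise OSError("quarantine copy of %s is incomplete" % src)
    os.unlink(src)
    return dst, "copy"

def fake_cross_device_rename(src, dst):
    """Constructed stand-in for os.rename that behaves as if dst were on another mount."""
    raise OSError(errno.EXDEV, os.strerror(errno.EXDEV), src)

def make_fixture():
    """Constructed upload and quarantine dirs in one temp tree (same filesystem)."""
    base = tempfile.mkdtemp()
    uploads = os.path.join(base, "uploads")
    quarantine = os.path.join(base, "quarantine")
    os.makedirs(uploads)
    os.makedirs(quarantine)
    sample = os.path.join(uploads, "sample.zip")
    with open(sample, "wb") as fh:
        fh.write(b"constructed placeholder, not a real archive")
    return sample, quarantine
```

Calling `move_to_quarantine(*make_fixture())` exercises the rename path; passing `rename=fake_cross_device_rename` exercises the copy-and-delete fallback that a cross-mount quarantine directory requires.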