I have been using Sophos for Linux for a few years now on a large website with a lot of uploads. We noticed that Sophos was no longer moving files to quarantine after we made infrastructure changes, such as making another Linux container with Redis to help serve the files from a host shared folder location. ClamAV has no problem with this change, nor does anything accessing the folder from a SAMBA share.
Example of what SAVSCAN spits out while scanning:
➜ scripts ./scansophos.sh >>> PUA 'Keygen' (of type Hacktool) found in file /storage/uploads/[FILENAME].zip/Sandboxie 5.22 Final + patch -Crackingpatching.com/patch/keygen_by_uuk_mod.exe
Quarantined /storage/uploads/[FILENAME].zip successfully
Moving /storage/uploads/[FILENAME].zip to /storage/quarantine/ failed
Scans run as root with these parameters:
savscan $scan_uploads -nc -ss -archive -all -suspicious -pua --quarantine -move=$virus_vault -p=$tmp_log_file
I've adjusted permissions in relevant folders, reinstalled SophosAV, made entirely new containers with Ubuntu 18.04 LTS and set everything up again on that, without success.
I'm frankly at a loss. Sophos for Linux is my favorite Linux AV, and I wish to still use it (as well as move to the paid server product, if command line tools work similarly). I contribute undetected malware samples to Sophos often as a way to give back to the Linux scanner being free. I'd appreciate any help, suggestions, etc. Thank you.
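A diagnostic helper for the failure mode described in the post, added here as an example; it is not code from the original post and not part of Sophos Anti-Virus for Linux. It assumes the savscan output format quoted above ("Moving SRC to DEST failed"), a Linux host with GNU coreutils (for stat -c), and a constructed sample log that mirrors those lines. It does two things a practitioner would check before suspecting the scanner itself: parse the log for every failed move, and probe the vault directory by actually creating a file in it, since a plain -w test passes for root even on a read-only or access-restricted mount.

```shell
#!/usr/bin/env bash
# Added example (not from the post, not Sophos code). Assumes GNU coreutils
# and the savscan log format quoted in the post.

# Constructed sample log mirroring the lines shown in the post.
sample_log() {
    cat <<'EOF'
>>> PUA 'Keygen' (of type Hacktool) found in file /storage/uploads/a.zip/patch/keygen.exe
Quarantined /storage/uploads/a.zip successfully
Moving /storage/uploads/a.zip to /storage/quarantine/ failed
>>> PUA 'Keygen' (of type Hacktool) found in file /storage/uploads/b.zip/patch/keygen.exe
Quarantined /storage/uploads/b.zip successfully
Moving /storage/uploads/b.zip to /storage/quarantine/ failed
EOF
}

# Print the source path of every "Moving SRC to DEST failed" line read on stdin.
# Usage: savscan ... -p=/tmp/scan.log; failed_moves < /tmp/scan.log
failed_moves() {
    sed -n 's/^Moving \(.*\) to .* failed$/\1/p'
}

# Pre-flight the vault: it must be a directory and must actually accept a new
# file. The write probe matters because "-w" is always true for root, while a
# read-only bind mount or a MAC (AppArmor/SELinux) denial still fails the move.
check_vault() {
    local vault="$1" probe
    [ -d "$vault" ] || { echo "vault '$vault' is not a directory" >&2; return 1; }
    [ -w "$vault" ] || { echo "vault '$vault' is not writable" >&2; return 1; }
    probe="$(mktemp "$vault/.vault-probe.XXXXXX" 2>/dev/null)" \
        || { echo "cannot create a file in '$vault'" >&2; return 1; }
    rm -f "$probe"
    return 0
}

# True when both paths sit on the same filesystem (same st_dev). A move across
# devices becomes copy-then-unlink, so it also needs delete rights on the
# source directory, which a host-shared upload folder may not grant.
same_fs() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Example invocation (commented out so the file is safe to source):
#   check_vault /storage/quarantine && same_fs /storage/uploads /storage/quarantine
#   failed_moves < "$tmp_log_file"
```

Run check_vault and same_fs as the same user the scan runs as (root, per the post); a probe that fails while -w passes points at the mount or the MAC policy rather than at file permissions.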