
Sophos for Linux savscan on-demand fails to move detected file to quarantine folder location

I have been using Sophos for Linux for a few years now on a large website with a lot of uploads. We noticed that Sophos was no longer moving files to quarantine after we made infrastructure changes, such as making another Linux container with Redis to help serve the files from a host shared folder location. ClamAV has no problem with this change as well as anything accessing the folder from a SAMBA share.

Example of what SAVSCAN spits out while scanning:

➜ scripts ./scansophos.sh

>>> PUA 'Keygen' (of type Hacktool) found in file /storage/uploads/[FILENAME].zip/Sandboxie 5.22 Final + patch -Crackingpatching.com/patch/keygen_by_uuk_mod.exe

Quarantined /storage/uploads/[FILENAME].zip successfully

Moving /storage/uploads/[FILENAME].zip to /storage/quarantine/ failed

Scans run as root and run with these parameters:

savscan $scan_uploads -nc -ss -archive -all -suspicious -pua --quarantine -move=$virus_vault -p=$tmp_log_file

I've adjusted permissions in relevant folders, reinstalled SophosAV, made entirely new containers with Ubuntu 18.04 LTS and set everything up again on that without success.

I'm frankly at a loss. Sophos for Linux is my favorite Linux AV, and I wish to still use it (as well as move to the paid server product, if command line tools work similarly). I contribute undetected malware samples to Sophos often as a way to give back to the Linux scanner being free. I'd appreciate any help, suggestions, etc. Thank you.


