Is there a command line to be used while a download operation involving tools such as curl or wget is running?

# /opt/sophos-av/bin/savdstatus --version
Sophos Anti-Virus       = 9.15.0

Hi. Is there a way to achieve the counterpart of ClamAV's function 'clamscan - -iv' used in a command such as 'curl www.eicar.org/.../eicar.com.txt | clamscan - -iv'? Command 'savscan -h' makes no mention related to the subject. Once executed in a terminal, it produces the following output:

# curl www.eicar.org/.../eicar.com.txt | clamscan - -iv
stdin: Eicar-Test-Signature FOUND.

Otherwise Sophos for Linux did perform as intended as illustrated:

  • Hello ricky tigg,

    AFAIK there is no tool that scans a stream from STDIN.

    Christian

  • Thank you Christian. Since ClamAV lacks on-access scan ability, that mention 'stdin:' would reasonably mean something other than a scan applied to a stream from STDIN. Yet its meaning must be relevant, since the ClamAV developers decided to make it part of the present output.

    Checking /tmp/clamav-76c1fcb5c858d8f51a6a9c9dd0e6c930.tmp
    stdin: Eicar-Test-Signature FOUND

  • Hello ricky tigg,

    Now you've lost me.
    curl writes to stdout unless you tell it otherwise. clamscan - reads from stdin. It doesn't actually scan the stream but writes it to a temporary file that is subsequently scanned. It tells you that what it checks is the tmp file but that the data actually came from stdin.
    It's not clear what you mean by counterpart and what you are trying to do with curl, wget, and their ilk.

    Christian
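
    A pipe-friendly wrapper that does what Christian describes clamscan - doing internally, added here as an example and not taken from the thread, Sophos or ClamAV: it copies STDIN to a temporary file, runs a file-based scanner on that file, and deletes it again. The SCAN_CMD variable, its savscan default and the pass-through of the scanner's exit status are assumptions, so check them against your own scanner's documentation.

```shell
#!/bin/sh
# scan_stdin: persist a stream (e.g. curl output) to a temporary file, scan
# that file with a file-based scanner, then remove it. This mirrors what
# 'clamscan -' does behind the scenes, for scanners that only take paths.
#
# SCAN_CMD is an assumption: the scanner command run against the temp file.
# The savscan default is assumed, and the scanner's own exit status is
# returned unchanged, so the caller interprets it per the scanner's manual.
SCAN_CMD="${SCAN_CMD:-/opt/sophos-av/bin/savscan -f}"

scan_stdin() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/stream-scan.XXXXXX") || return 2

    # Write the whole stream out first. With on-access scanning enabled, the
    # close() of this file may already trigger a scan and a log notification,
    # independent of the explicit scan below.
    if ! cat > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi

    # Explicit scan of the temp file; capture the status before cleanup so a
    # detection is reported even though the file is gone afterwards.
    if $SCAN_CMD "$tmp" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}

# Convenience wrapper for the use case in the question: scan a download
# without keeping it. Needs curl; not exercised by the self-test below.
scan_download() {
    curl -sS "$1" | scan_stdin
}
```

    The return value is whatever the scanner reported, so a non-zero status means either a detection or a scanner error and the two must be told apart by the scanner's documented exit codes.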

  • By 'no tool that scans a stream' you wanted to imply, rather than say straightforwardly, that Sophos for Linux does not scan a stream from STDIN. It should have been obvious to me before even posting anything that there was no need for a command line to be supported by that Sophos product in the present context as the counterpart of a ClamAV function, since Sophos, used with the on-access scan ability it provides, was in essence that counterpart in itself. To write to a temporary file that is subsequently scanned is just how Sophos operates too, possibly in a way (since official documentation does lack information regarding the mechanism it relies on) that is presented as real time.

  • Hello ricky tigg,

    On-Access uses either Talpa or fanotify to intercept open and close system calls and scans the file in place. When scanning in response to close you just get a notification in case of a detection; cleanup is not performed even if it is configured. In case of open, access is denied and cleanup is optionally attempted.
    Temporary files are only used when scanning inside archives is configured. This setting is not recommended, as it affects performance, and it is usually not necessary as the individual files in the archive are scanned anyway when the archive is unpacked.

    Christian

  • In the description related to the response to close, it seems you meant several cases: 1. detection, 2. cleanup OS. That's what can be assumed, despite 'notification in case' being in the singular form. What might 'In case of open access is denied and cleanup is optionally attempted.' then relate to? Is it to case 1. detection, or 2. cleanup OS?

  • Hello ricky tigg,

    Maybe I should try to write less tersely.

    Both open and close are intercepted as the file is subsequently scanned.

    If the operation is close and a threat is found you get a notification. Depending how you have configured alerting (please see chapter 11 in the Configuration Guide) you'll get an alert (by default desktop and command line alerts are turned on) in addition to the message in the log.
    No other action is performed - please see chapter 15.5 in the guide.

    If the operation is open and a threat is found you get a notification and access to the file is denied (i.e. the open fails).
    If you have turned on disinfection of infected files and boot sectors on-access, an attempt to disinfect (cleanup) is made.
    If disinfect is turned off or disinfect failed, and you have turned on deletion of infected files on-access, the file is deleted.

    I hope this is clearer.
    Christian