
How to automatically say "Yes" to quarantine file and continue with scan

Hello

I have been running Sophos for Linux in a script that checks files on a mounted drive. The problem I am encountering is that the Sophos scan waits for a response (Yes/No/All) when quarantining a file. One has to type in a response in order to continue with the scan. How do I get Sophos to quarantine a file and continue with the scan automatically?

The command I am using is  savscan -f -rec -all -dn -archive --quarantine /       I tried adding Y or -Y at the end of the command but it doesn't work.

Any suggestions much appreciated.



  • Hi Jasmin 

    Thanks for your reply. A couple more questions.

    Do I have to create the quarantine directory before running savscan with the --move option?

    Does the option also change the permissions of the file, just like the --quarantine option?

  • Hi  

    Quarantine is only available for on-demand scans (savscan). You can configure an on-demand scan to put infected files into quarantine to prevent them from being accessed. It does this by changing the ownership and permissions for the files. Please refer to this document which should help you.

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hi Shweta

    Yes, I am aware what the --quarantine option does. The issue that I am having (and mentioned in my original posting) is that during a scan, when it finds a file that has a virus, it stops and waits for manual interaction to say Yes, No or All in order to continue with the scan. What I want it to do is quarantine the file and continue with scanning the rest of the file system. Basically, have an automatic "Yes" to quarantine the file and continue with the scan.

    Although it seems like the --move option may be my solution. I just have to try it out.

  • Hi Jasmin

    So I tried the -move option with the following command

    savscan /root -f -rec -dn -archive -move=/root/sophos-av/quarantine

     

    But it still pauses and asks if I want to move the infected file to the quarantine directory instead of moving it automatically. And it does not change the permissions of the files like the --quarantine option does.

    .

    .

    .

    Using IDE file zbot-oaw.ide
    Using IDE file emoge-go.ide
    Using IDE file nano-aez.ide
    Using IDE file zbot-oay.ide

    Full Scanning

    >>> Virus 'EICAR-AV-Test' found in file /root/Downloads/eicar.com
    Proceed with moving /root/Downloads/eicar.com (Yes/No/All) ? Yes  <- Still pausing and asking if I want to move this file over to the quarantine directory instead of continuing automatically with the scan
    Moved /root/Downloads/eicar.com to /root/sophos-av/quarantine successfully
    >>> Virus 'EICAR-AV-Test' found in file /root/Downloads/eicar_com.zip/eicar.com
    Proceed with moving /root/Downloads/eicar_com.zip (Yes/No/All) ? Yes
    Moved /root/Downloads/eicar_com.zip to /root/sophos-av/quarantine successfully


    32 files scanned in 1 minute and 58 seconds.
    2 viruses were discovered.
    2 files out of 32 were infected.
    If you need further advice regarding any detections please visit our
    Threat Center at: www.sophos.com/.../threat-center.aspx
    End of Scan.
    [root@localhost Downloads]# cd /root/sophos-av/quarantine/
    [root@localhost quarantine]# ll
    total 8
    -rw-r--r--. 1 root root 68 Jan 8 13:35 eicar.com
    -rw-r--r--. 1 root root 184 Jan 8 13:35 eicar_com.zip
    [root@localhost quarantine]#

     

    Should there be an additional option I need to add/use?

  • Hi  

    Unfortunately, it seems to be a limitation. It needs to be acknowledged every time it does the on-demand scanning.

    Also, please use the quarantine option instead of the move as quarantine will change the permission of the file while the move will not.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hello Anthony Lenzo,

    a quick test suggests that

    • the -nc flag is also honoured for -move
    • --quarantine and -move can be used together

    >>> Virus 'EICAR-AV-Test' found in file /home/qc/Downloads/eicar.com
    Quarantined /home/qc/Downloads/eicar.com successfully               
    Moved /home/qc/Downloads/eicar.com to /opt/quarantine/ successfully 

    Christian

  • Jasmin

    Surely I'm not the first one to use savscan in a script that will be run repetitively? There has to be a switch or option to bypass this Yes/No query, if one can do it with RPM installation or other programs?

  • Hi Christian

    So I guess the syntax would be something like this then?

     

    savscan /mnt  -f -rec -dn -nc -archive --quarantine -move=<to quarantine directory>

  • Hello Anthony Lenzo,

    yup, this is what I used. BTW: You're aware of the meaning of -f(ull) as opposed to -all, aren't you?

    Christian

  • Hi Christian 

     

    Yup, I am aware. I am still in the testing phase.
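
An unattended wrapper built from the flags confirmed in the thread (-nc together with --quarantine and -move), as an added example that is not part of the thread and not Sophos's own code. The scan root, the quarantine path and the function names are assumptions; the script also checks captured output for a leftover Yes/No/All prompt, which would mean the run was still interactive.

```sh
#!/bin/sh
# Added example: unattended savscan wrapper for cron. Not Sophos-supplied code.
# Flags are the ones used in the thread; both paths below are assumed values.
SCAN_ROOT="${SCAN_ROOT:-/mnt}"
QUARANTINE_DIR="${QUARANTINE_DIR:-/opt/quarantine}"

# Summarise captured savscan output ($1 = file) as "detections=N prompts=M".
# Any prompt line means the scan still asked Yes/No/All and would stall unattended.
summarise_scan() {
    d=$(grep -c "^>>> Virus '.*' found in file " "$1" || true)
    p=$(grep -cF '(Yes/No/All)' "$1" || true)
    echo "detections=$d prompts=$p"
}

# List the paths savscan reported as infected, one per line.
infected_files() {
    sed -n "s/^>>> Virus '.*' found in file //p" "$1"
}

# Run the scan with no terminal attached, as under cron, and report the result.
run_scan() {
    log=$(mktemp) || return 2
    # -move does not change file permissions (see the thread), so lock the directory down.
    mkdir -p "$QUARANTINE_DIR" && chmod 700 "$QUARANTINE_DIR" || return 2
    savscan "$SCAN_ROOT" -f -rec -dn -nc -archive --quarantine \
        "-move=$QUARANTINE_DIR" </dev/null >"$log" 2>&1
    rc=$?
    summarise_scan "$log"
    infected_files "$log"
    rm -f "$log"
    return "$rc"    # pass savscan's own exit status to the caller
}

# Constructed sample, modelled on the output quoted in the thread.
sample_output() {
cat <<'EOF'
Full Scanning

>>> Virus 'EICAR-AV-Test' found in file /home/qc/Downloads/eicar.com
Quarantined /home/qc/Downloads/eicar.com successfully
Moved /home/qc/Downloads/eicar.com to /opt/quarantine/ successfully
EOF
}

# Only scan when asked to, so the helpers can be sourced and tested on their own.
if [ "${1:-}" = "--run" ]; then run_scan; fi
```

Invoke it as `sh scan.sh --run` from cron (the file name is arbitrary) and alert on a non-zero `prompts=` count or a non-empty list of infected files.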