This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to automatically say "Yes" to quarantine file and continue with scan

Hello

I been running Sophos for Linux in a script that checks files on a mount drive. The problem I encountering is Sophos scan is waiting for a responds (Yes/No/All) when quarantine a file. One has to type in responds in order to continue with the scan. How do I get Sophos to quarantine a file , and continue with the scan automatically

The command I am using is savscan -f -rec -all -dn -archive --quarantine / I try adding Y or -Y at the end of the command but it doesn't work

Any suggestion much appreciated

This thread was automatically locked due to age.

Parents

0 Jasmin over 4 years ago

Hi Anthony Lenzo

--quarantine changes the permission on the file because of that it'll ask you for the change on each file.

Instead of --quarantine, you can use --move which will move the infected files to quarantine directory and that should not be asking you Yes/No on each file.

Please refer to this document which has all the valid arguments for savscan command.

Regards,

Jasmin
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Anthony Lenzo over 4 years ago in reply to Jasmin

Hi Jasmin

So i try the -move option with the following command

savscan /root -f -rec -dn -archive -move=/root/sophos-av/quarantine

But is still pause and ask if I want to move the infect file to the quarantine directory instead of moving it automatically. And it does not change the permission of the files like --quarantine option does

.

.

.

Using IDE file zbot-oaw.ide
Using IDE file emoge-go.ide
Using IDE file nano-aez.ide
Using IDE file zbot-oay.ide

Full Scanning

>>> Virus 'EICAR-AV-Test' found in file /root/Downloads/eicar.com
Proceed with moving /root/Downloads/eicar.com (Yes/No/All) ? Yes <- Still pausing and asking if I want to move this file over to quarantine directory instead of continueing automatically with the scan
Moved /root/Downloads/eicar.com to /root/sophos-av/quarantine successfully
>>> Virus 'EICAR-AV-Test' found in file /root/Downloads/eicar_com.zip/eicar.com
Proceed with moving /root/Downloads/eicar_com.zip (Yes/No/All) ? Yes
Moved /root/Downloads/eicar_com.zip to /root/sophos-av/quarantine successfully

32 files scanned in 1 minute and 58 seconds.
2 viruses were discovered.
2 files out of 32 were infected.
If you need further advice regarding any detections please visit our
Threat Center at: www.sophos.com/.../threat-center.aspx
End of Scan.
[root@localhost Downloads]# cd /root/sophos-av/quarantine/
[root@localhost quarantine]# ll
total 8
-rw-r--r--. 1 root root 68 Jan 8 13:35 eicar.com
-rw-r--r--. 1 root root 184 Jan 8 13:35 eicar_com.zip
[root@localhost quarantine]#

Should there be an addition option I need to add/use?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Anthony Lenzo over 4 years ago in reply to Jasmin

Hi Jasmin

So i try the -move option with the following command

savscan /root -f -rec -dn -archive -move=/root/sophos-av/quarantine

But is still pause and ask if I want to move the infect file to the quarantine directory instead of moving it automatically. And it does not change the permission of the files like --quarantine option does

.

.

.

Using IDE file zbot-oaw.ide
Using IDE file emoge-go.ide
Using IDE file nano-aez.ide
Using IDE file zbot-oay.ide

Full Scanning

>>> Virus 'EICAR-AV-Test' found in file /root/Downloads/eicar.com
Proceed with moving /root/Downloads/eicar.com (Yes/No/All) ? Yes <- Still pausing and asking if I want to move this file over to quarantine directory instead of continueing automatically with the scan
Moved /root/Downloads/eicar.com to /root/sophos-av/quarantine successfully
>>> Virus 'EICAR-AV-Test' found in file /root/Downloads/eicar_com.zip/eicar.com
Proceed with moving /root/Downloads/eicar_com.zip (Yes/No/All) ? Yes
Moved /root/Downloads/eicar_com.zip to /root/sophos-av/quarantine successfully

32 files scanned in 1 minute and 58 seconds.
2 viruses were discovered.
2 files out of 32 were infected.
If you need further advice regarding any detections please visit our
Threat Center at: www.sophos.com/.../threat-center.aspx
End of Scan.
[root@localhost Downloads]# cd /root/sophos-av/quarantine/
[root@localhost quarantine]# ll
total 8
-rw-r--r--. 1 root root 68 Jan 8 13:35 eicar.com
-rw-r--r--. 1 root root 184 Jan 8 13:35 eicar_com.zip
[root@localhost quarantine]#

Should there be an addition option I need to add/use?
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Jasmin over 4 years ago in reply to Anthony Lenzo

Hi Anthony Lenzo

Unfortunately, It seems to be a limitation. It needs to be acknowledged every time it does the on-demand scanning.

Also, please use the quarantine option instead of the move as quarantine will change the permission of the file while the move will not.

Regards,

Jasmin
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 4 years ago in reply to Anthony Lenzo
Hello Anthony Lenzo,

a quick test suggests that

the -nc flag is also honoured for -move

--quarantine and -move can be used together

>>> Virus 'EICAR-AV-Test' found in file /home/qc/Downloads/eicar.com
Quarantined /home/qc/Downloads/eicar.com successfully
Moved /home/qc/Downloads/eicar.com to /opt/quarantine/ successfully

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 Anthony Lenzo over 4 years ago in reply to Jasmin

Jasmin

Surely I, not the first one who use savscan in a script that will be run repetitive nature? Is there has to be a switch or option to bypass this Yes/No query? If one can do it with RPM installation or other programs.
Cancel
Vote Up 0 Vote Down

Cancel
0 Anthony Lenzo over 4 years ago in reply to QC

Hi Christian

So I guess the syntax would be something like this than?

savscan /mnt -f -rec -dn -nc -archive --quarantine -move=<to quarantine directory>
Cancel
Vote Up 0 Vote Down

Cancel
0 QC over 4 years ago in reply to Anthony Lenzo

Hello Anthony Lenzo,

yup, this is what I used. BTW: You're aware of the meaning of -f(ull) as opposed to -all, aren't you?

Christian
Cancel
Vote Up 0 Vote Down

Cancel
0 Anthony Lenzo over 4 years ago in reply to QC

Hi Christian

Yup I am aware. I still in testing phaze.
Cancel
Vote Up 0 Vote Down

Cancel