
How to automatically say "Yes" to quarantine file and continue with scan

Hello

I have been running Sophos for Linux in a script that checks files on a mounted drive. The problem I am encountering is that the Sophos scan waits for a response (Yes/No/All) when quarantining a file. One has to type in a response in order to continue with the scan. How do I get Sophos to quarantine a file and continue with the scan automatically?

The command I am using is  savscan -f -rec -all -dn -archive --quarantine /       I tried adding Y or -Y at the end of the command but it doesn't work.

Any suggestions much appreciated.



  • Hi  

    --quarantine changes the permissions on the file; because of that, it'll ask you for the change on each file.

    Instead of --quarantine, you can use --move, which will move the infected files to the quarantine directory, and that should not be asking you Yes/No on each file.

    Please refer to this document which has all the valid arguments for savscan command.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hi Jasmin

    So I tried the -move option with the following command:

    savscan /root -f -rec -dn -archive -move=/root/sophos-av/quarantine

    But it still pauses and asks if I want to move the infected file to the quarantine directory instead of moving it automatically. And it does not change the permissions of the files like the --quarantine option does.

    .

    .

    .

    Using IDE file zbot-oaw.ide
    Using IDE file emoge-go.ide
    Using IDE file nano-aez.ide
    Using IDE file zbot-oay.ide

    Full Scanning

    >>> Virus 'EICAR-AV-Test' found in file /root/Downloads/eicar.com
    Proceed with moving /root/Downloads/eicar.com (Yes/No/All) ? Yes  <- Still pausing and asking if I want to move this file over to the quarantine directory instead of continuing automatically with the scan
    Moved /root/Downloads/eicar.com to /root/sophos-av/quarantine successfully
    >>> Virus 'EICAR-AV-Test' found in file /root/Downloads/eicar_com.zip/eicar.com
    Proceed with moving /root/Downloads/eicar_com.zip (Yes/No/All) ? Yes
    Moved /root/Downloads/eicar_com.zip to /root/sophos-av/quarantine successfully


    32 files scanned in 1 minute and 58 seconds.
    2 viruses were discovered.
    2 files out of 32 were infected.
    If you need further advice regarding any detections please visit our
    Threat Center at: www.sophos.com/.../threat-center.aspx
    End of Scan.
    [root@localhost Downloads]# cd /root/sophos-av/quarantine/
    [root@localhost quarantine]# ll
    total 8
    -rw-r--r--. 1 root root 68 Jan 8 13:35 eicar.com
    -rw-r--r--. 1 root root 184 Jan 8 13:35 eicar_com.zip
    [root@localhost quarantine]#

    Should there be an additional option I need to add/use?

  • Hi  

    Unfortunately, it seems to be a limitation. It needs to be acknowledged every time it does the on-demand scanning.

    Also, please use the quarantine option instead of the move as quarantine will change the permission of the file while the move will not.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hello Anthony Lenzo,

    a quick test suggests that

    • the -nc flag is also honoured for -move
    • --quarantine and -move can be used together

    >>> Virus 'EICAR-AV-Test' found in file /home/qc/Downloads/eicar.com
    Quarantined /home/qc/Downloads/eicar.com successfully               
    Moved /home/qc/Downloads/eicar.com to /opt/quarantine/ successfully 

    Christian

  • Jasmin

    Surely I'm not the first one who uses savscan in a script that will be run repetitively? There has to be a switch or option to bypass this Yes/No query, if one can do it with RPM installation or other programs.

  • Hi Christian

    So I guess the syntax would be something like this then?

    savscan /mnt  -f -rec -dn -nc -archive --quarantine -move=<to quarantine directory>

  • Hello Anthony Lenzo,

    yup, this is what I used. BTW: You're aware of the meaning of -f(ull) as opposed to -all, aren't you?

    Christian
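
The unattended invocation the thread arrives at, wrapped for a scheduled job, as an added example that is not part of the original posts and not Sophos code. It also checks the scan log for detections that were neither quarantined nor moved, using the output lines shown in the thread; `SAVSCAN`, `run_scan` and `unhandled_detections` are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. The savscan flags are the ones posted
# above; SAVSCAN, run_scan and unhandled_detections are hypothetical names.
SAVSCAN="${SAVSCAN:-savscan}"

# usage: run_scan <target> <quarantine-dir> <logfile>
# stdin is /dev/null so the job never waits for keyboard input; savscan's
# exit status is returned to the caller unchanged.
run_scan() {
    "$SAVSCAN" "$1" -f -rec -dn -nc -archive --quarantine "-move=$2" \
        </dev/null >"$3" 2>&1
}

# usage: unhandled_detections <logfile>
# Prints each detected path that has no matching "Quarantined"/"Moved" line.
# A hit inside an archive (x.zip/eicar.com) counts as handled when the archive
# itself (x.zip) was handled, matching the output format shown in the thread.
unhandled_detections() {
    awk '
        /^ *>>> Virus .* found in file / {
            p = $0; sub(/^.* found in file /, "", p); sub(/ *$/, "", p)
            found[p] = 1
        }
        /^ *Quarantined .* successfully/ {
            p = $0; sub(/^ *Quarantined /, "", p); sub(/ successfully *$/, "", p)
            handled[p] = 1
        }
        /^ *Moved .* to .* successfully/ {
            p = $0; sub(/^ *Moved /, "", p); sub(/ to .*$/, "", p)
            handled[p] = 1
        }
        END {
            for (f in found) {
                ok = 0
                for (h in handled)
                    if (f == h || index(f, h "/") == 1) ok = 1
                if (!ok) print f
            }
        }' "$1" | sort
}
```

A calling script can run `run_scan`, keep its exit status, and alert when `unhandled_detections` prints anything.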
