With one Sophos command, how to virus scan All?

Question:

With one Sophos command, how to virus scan All?

 

All means:

  1. All memory (RAM)
  2. All HDD (hard disk drives plugged in)
  3. All SSD (solid state drives plugged in)
  4. All USB memory sticks plugged into usb 2.0 port
  5. All USB ports (android tablet plugged into usb 2.0 port)

 

 

Installed:

sav-linux-free-9.tgz

352 MB (369,423,602 bytes)

 

Updates February 2020:

sudo /opt/sophos-av/bin/savupdate

Updating from versions - SAV: 9.16.0, Engine: 3.77.1, Data: 5.72

 

Operating System

Ubuntu 19.10

 

Command issued:

/opt/sophos-av/bin/savdstatus

Sophos Anti-Virus is active

 

sudo /opt/sophos-av/bin/savdstatus -vv

          Sophos Anti-Virus is active and on-access scanning is running

 

The following commands did not scan ALL:

sudo savscan / -all -archive

savscan / -all -archive

 

sudo savscan / -all

savscan / -all

 

 

sudo savscan / -archive

savscan / -archive

 

Question:

With one Sophos command, how to virus scan All?

 

--



This thread was automatically locked due to age.
  • Hello  

    Running savscan / -all on on-demand scanning (versus a scheduled scan) will only scan an internal list of file types to scan.

    If you would configure a scheduled scan, it should scan all files, regardless of extension, and will also detect mounted file systems, which you can configure.

    Please also have a look at this KB article for more information:

    Sophos Anti-Virus for Linux and Unix: Comparison chart of savscan and scheduled scan

     

    More information here too Sophos AV for Linux Config Guide

  • Thursday-13-February-2020

    Thank you for Links:

    https://community.sophos.com/kb/en-us/114372
    https://community.sophos.com/kb/en-us/117346
    https://docs.sophos.com/esg/SAV-Linux/help/en-us/PDF/sav_linux_cg.pdf  
    but above 3 Links have information that is unclear.  
    Entering in those exact commands gives errors.

     

    Question:
    With one Sophos command, how to virus scan All?

    All means:

    1. All memory (RAM)
    2. All HDD (hard disk drives plugged in)
    3. All SSD (solid state drives plugged in)
    4. All USB memory sticks plugged into USB 2.0 port
    5. All USB ports (android tablets plugged into USB 2.0 port)
    6. All DVDs
    7. All CD-ROMs

    From your post, my understanding is:

    savscan / -all 

    is On-demand scanning and
    On-demand scanning is not the command needed to scan All.

     

    From your post, my understanding is:
    A scheduled scan is what is needed to scan All.  

     

    Please clarify.

    1. Please post a text file example.

    A text file that is a schedule.
    A text file that a beginner can copy and paste
    that instructs Sophos to:
    scan All now or
    start scan All in 2 minutes from now,

    or

    2. Please post a Youtube video Link
    showing how to make a Sophos scheduled scan.


    --

  • Hello Joseph Joseph4,

    given that On-Access scanning is running (as your initial post shows) - what would be the purpose of this scan all? What should it detect?

    RAM isn't scanned on Linux (again - what do you think it could find?)

    Whether a disk is an HDD or an SSD doesn't matter - as does the connection type.
    A supported mounted filesystem on a device that presents itself as storage is scanned - in case of an android tablet it depends on the tablet what part of its storage it exposes.
    All DVDs - it's not clear what you mean. You don't have several DVD drives, do you? Or are you talking about ISOs mounted as virtual DVDs, similarly CDs.

    Last but not least: A frequent complete scan isn't necessary. If you really insist on scanning a disk or medium you haven't scanned before you'd not want to (re-)scan the whole system, it'll literally take hours if not days. Maybe I misunderstand your question but looking for an ALL command does - IMO - not make much sense.

    Christian
    P.S.: How long do you use Linux or are you new to it?

  • > Christian replied:
    > given that On-Access scanning is running (as your initial post shows) -

    Correct, On-Access scanning is running, from above post:

    sudo /opt/sophos-av/bin/savdstatus -vv 
    Sophos Anti-Virus is active and on-access scanning is running


    > what would be the purpose of this scan all?

    Examples:
    1. Scan a USB stick.
    2. Scan a Tablet.
    3. Scan a HDD, like NTFS drive from a Windows computer.
    4. Scan DVD disks.

    > What should it detect?
    Whatever Sophos does, guessing Sophos detects:
    Malware, virus, trojan, worms, adware, spyware, backdoor, undesirables.


    > RAM isn't scanned on Linux
    That is new information.


    > (again - what do you think it could find?)
    Whatever Sophos does, guessing Sophos detects:
    Malware, virus, trojan, worms, adware, spyware, backdoor, undesirables.


    > Christian replied:
    > Whether a disk is an HDD or an SSD doesn't matter -
    > as does the connection type.
    > A supported mounted filesystem on a device
    > that presents itself as storage is scanned - in case of an
    > android tablet it depends on the tablet
    > what part of its storage it exposes.

     

    > All DVDs - it's not clear what you mean.

    At this moment there is one DVD drive.
    Many DVD disks.

    Scan DVD disk #1 with Sophos, thus DVD disk #1 is confirmed clean, virus free.
    Insert DVD disk #2, scan, thus DVD disk #2 is confirmed clean, virus free.
    Etc…

     

    > Christian replied:
    > Last but not least:
    > A frequent complete scan isn't necessary.

    > If you really insist on scanning a disk or
    > medium you haven't scanned before
    > you'd not want to (re-)scan the whole system,
    > it'll literally take hours if not days.


    That is Ok. 
    It is Ok to take hours or days for scanning.  

    The target for this Linux (Ubuntu 19.10) computer is to do one thing, scan.

    Insert (Plug in) a medium (USB stick, tablet, NTFS drive, etc…)
    Scan medium.
    Confirm all is clean, virus free (zero viruses discovered)

    Examples:

    1. Insert USB stick, confirm it is clean.
    2. Insert Tablet, confirm it is clean.
    3. Insert a NTFS drive HDD from a Windows computer, confirm it is clean.
    4. Insert a DVD disk into a DVD drive, confirm it is clean.


    > Maybe I misunderstand your question
    > but looking for an ALL command does - IMO - not make much sense.

    Background information, experience:
    Scan times:

    sudo savscan /home
    Scanned 5,200 files in 1 minute  


    sudo savscan /
    Scanned 65,000 files in 18 minutes  


    sudo savscan / -all -archive
    Scanned 352,000 files in 70 minutes 


    Now insert HDD with NTFS format
    from a Windows computer with 100,000 files

    Based on above experience of
    Scanned 352,000 files in 70 minutes
    The expectation is Sophos to show, all clean, virus free (zero viruses discovered)
    Scanned 452,000 files in 170 minutes (or however long it takes)


    > Christian
    > P.S.: How long do you use Linux or are you new to it?

    New to it, using Linux (Ubuntu 19.10) less than 6 months.
    For now, using Windows more than Linux.
    Learning Linux.

     

    Said differently, 2 Questions:


    1. What is the Sophos command to scan
      All the files,
      All archive files,
      All boot sectors,
      All master boot records
      on a Windows NTFS hard disk drive with 100,000 files?

     

     2.
    What is the Sophos command to scan All newly inserted mediums? 

    --

  • Hi  

    Linux and SAV for Linux are quite different from Windows and the behaviour of SAV on Windows. Even on Windows, when you insert a new USB drive or a DVD drive, SAV does on-access scanning without notifying you and will not give you a pop-up saying that the device is free from viruses etc.; it will try to automatically clean the threat if one is detected and will mention that in the Sophos client logs for Windows.

    Everything is the same for SAV for Linux: it will just give you a pop-up when it detects a threat while scanning the newly inserted device through on-access scanning. Please refer to section 7 of this document

    Basically, every new device will be scanned by SAV for Linux whenever it is inserted, but it will not give you a pop-up about the device being virus-free unless that device has any malicious software or file.

    1. What is the Sophos command to scan

      All the files: -f is the switch for it.

      All archive files: these switches scan inside specific archive types:
      -zip
      -qzip
      -arj
      -cmz
      -tar
      -rar
      -cab

      All boot sectors, all master boot records: these options control whether boot sectors and MBRs are scanned:
      -bs
      -bs=<drive>
      -nbs
      -mbr
      -nmbr
      -cdr=<drive>

      on a Windows NTFS hard disk drive with 100,000 files? - https://community.sophos.com/kb/en-us/114372

    2. What is the Sophos command to scan All newly inserted mediums? - All the mediums will be scanned through the on-access scan whenever they are inserted. There is no single command to access them at one go.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hello Joseph Joseph4,

    so you want to use your Linux as kind of sheep-dip?

    First of all, to avoid any misinterpretation of Jasmin's statement "when you insert a new USB drive or a DVD drive, SAV does on-access scanning". On-Access does not scan the device or medium (i.e. "all" the files on it) in response to an insertion, it scans the files the OS or a registered application (e.g. media player) accesses upon insertion. In other words this doesn't trigger a scan job that reliably scans or a defined subset of the files and consequently as there is no start of a job there's also no end.

    More important: Mounting another OS's storage to scan for threats is like analysing CCTV recordings instead of watching the live stream. You'll gather some evidence, you might identify some trespassers but you wouldn't be able to prevent or stop some misdeed.
    Furthermore, if you don't connect the device/storage directly but through the OS (e.g. Smartphones or Cameras) what you can then scan might be neither everything nor the actual contents.

    Last but not least: With "What should it detect?" I meant what kind of and how many threats and infected items do you expect to find? Especially on CDs and DVDs - while not unheard of these are nowadays seldom carriers.

    Christian

  • Hello Jasmin, thanks for the Link but difficulties …

    On Thursday-20-February-2020, the Link:
    https://community.sophos.com/kb/en-us/114372
    Above web page says:

    For full details on how to
    configure/import/update a scheduled scan,
    please review the User Manual:
    http://www.sophos.com/support/docs/
    Sorry!
    We can't find the page you requested.
    We may have moved it or removed it from the site.

    Link is broken:
    http://www.sophos.com/support/docs/
    Can Link be fixed?

    Looking for particulars to:
    - configure a scheduled scan
    - import a scheduled scan
    - update a scheduled scan

    --

  • Hello  

    I just provided you with the below two links in my reply and the KB article don't have any information written like "For full details on how to configure/import/update a scheduled scan" and also no link to the user manual in the KB itself.

    I have provided the user manual link separately from the KB - https://docs.sophos.com/esg/SAV-Linux/help/en-us/PDF/sav_linux_fsg.pdf

    I hope this and  's answer will help you to understand the scan better.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Hello Jasmin,

    > the KB article don't have any information

    I beg to differ :). Indeed in Sophos Anti-Virus v9.x For Unix/Linux: Scheduled scan options there's this sentence:

    For full details on how to configure/import/update a scheduled scan, please review the User Manual:
    www.sophos.com/.../

    Christian

  • > Jasmin
    > I have provided the user manual link separately from the KB -
    > https://docs.sophos.com/esg/SAV-Linux/help/en-us/PDF/sav_linux_fsg.pdf
    > I hope this and QC 's answer will help you to understand the scan better.

     

    (2019/01/23) = date in above PDF with title:
    Sophos Anti-Virus for Linux free edition product version: 9

    Hello Jasmin, above PDF helped a little bit, example:
    Section 5.1 How to check if on-access scanning is active?
    /opt/sophos-av/bin/savdstatus
    Sophos Anti-Virus is active


    Section 6 Scan the computer now
    savscan /
    scans the Operating System drive, Ubuntu 19.10   SSD sata 2.0 port


    But:
    savscan /
    did not scan the Windows NTFS HDD, plugged into SATA 2.0 port

    savscan /
    did not scan the Windows USB Stick, plugged into USB 2.0 port

    Note:
    df   Terminal Command shows
    NTFS HDD and
    USB Stick.


    savscan /
    did not scan the Android 6 Tablet, plugged into USB 2.0 port

    Note:
    df   Terminal Command does not show Android 6 Tablet
    But, Ubuntu 19.10 Explorer sees Android 6 Tablet as
    mpt://Android_Android_/14faf1ce/

    Side Question:
    How to Mount Android 6 Tablet?
    So   df   Terminal Command shows Tablet.
    So Sophos can then scan Tablet.

    Ctrl+Alt+T          run Terminal
    df
    (df = abbreviation for disk free)

    Question clarified:
    What is the Sophos command to scan
    all devices the   df   Terminal Command can see?
    (NTFS drive, USB Stick)

    This command does not scan (NTFS drive, USB Stick)
    savscan /

    --

  • Experiments done:
    In Windows know your drive particulars.  

    USB Stick (flash drive, thumb drive, pen drive, jump drive) at
    Windows J:\ drive, do
    NBRT = record Drive Label, use Label with no space in name
    because saves using quotes "" later .
    Ctrl-A = Select All files / Shift-F10 / Properties
    57 files
    12 folders
    01.73 GB (01,858,326,243 bytes) Size used
    29.20 GB (31,360,319,488 bytes)   Capacity


    Eject (unMount) USB Stick from Windows
    Insert USB Stick into Linux Ubuntu 19.10
    Ctrl+Alt+T          run Terminal

    df
    (df = abbreviation for disk free)

    In   df   output Look for:
    /media/username/device-label


    Example:
    /media/user1/NBRT/
    Recall NBRT = Drive Label from Windows

    Here are some Sophos commands.
    Change commands below to match your situation.

    Scan one file:
    sudo savscan /media/user1/NBRT/temp/test.txt

    Scan media players:
    sudo savscan /media/user1/NBRT/temp/GOM.EXE
    sudo savscan /media/user1/NBRT/temp/vlc.exe

    sudo savscan /media/user1/NBRT/temp/ -all
    sudo savscan /media/user1/NBRT/temp/*.*
    sudo savscan /media/user1/NBRT/ -all
    sudo savscan /media/user1/NBRT/*.*

    sudo savscan /media/user1/NBRT/ -all -f
              Full Scanning

    sudo savscan /media/user1/NBRT/ -all -archive  
              Quick Scanning

    sudo savscan /media/user1/NBRT/ -all -archive -f
    Full Scanning

    sudo savscan /media/user1/NBRT/ -mbr
              2 master boot records scanned.   Quick Scanning

    sudo savscan /media/user1/NBRT/ -bs
              3 boot sectors scanned.   Quick Scanning

    sudo savscan /media/user1/NBRT/ -all -archive -f -bs -mbr  

    sudo savscan /media/user1/NBRT/ -dn -bs -mbr -vv -all -archive -f -pua -eec -suspicious


    above commands work for USB Stick because   df   shows the way
    /media/user1/NBRT/


    Question clarified:
    What is the Sophos command to scan
    all devices the   df   Terminal Command can see?
    (NTFS drive, USB Stick)

    --
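
One way to approach the "scan all devices that df can see" question above, as an added example that is not from any poster in this thread or from Sophos: a POSIX shell script that reads the mount table and runs savscan, with the switch set from the experiments above, on every /media or /mnt mount backed by a block device. The function names, the `--list`/`--demo`/`--run` arguments and the sample mount table are constructed for illustration, and the script assumes that a zero exit status from savscan means nothing was flagged.

```shell
#!/bin/sh
# Added example (not Sophos code): run savscan on every mounted disk under
# /media or /mnt, the places df showed the USB stick and NTFS drive above.
SAVSCAN=${SAVSCAN:-savscan}   # run the script as root, as with "sudo savscan"

# Constructed sample in /proc/mounts format, for a dry run without hardware.
sample_mounts() {
    cat <<'EOF'
sysfs /sys sysfs rw,nosuid 0 0
/dev/sda2 / ext4 rw,relatime 0 0
/dev/loop3 /snap/core/8689 squashfs ro 0 0
/dev/sdc1 /media/user1/NBRT vfat rw 0 0
/dev/sdb1 /mnt/E6849A098499DBFC fuseblk rw 0 0
/dev/sdd1 /media/user1/MY\040DISK vfat rw 0 0
gvfsd-fuse /run/user/1000/gvfs fuse.gvfsd-fuse rw 0 0
EOF
}

# Read a mount table on stdin; print mount points under /media or /mnt that
# are backed by a /dev block device (snap loop images excluded). The kernel
# writes a space in a label as \040, so decode it back.
list_scan_targets() {
    awk '$1 ~ /^\/dev\// && $1 !~ /^\/dev\/loop/ &&
         $2 ~ /^\/(media|mnt)\// { print $2 }' | sed 's/\\040/ /g'
}

# Scan each target with the switch set used earlier in the thread. Returns 0
# only if at least one target was scanned and every savscan exited 0.
# Assumption: a zero exit status means no threat and no error; see the
# savscan man page for the meaning of the non-zero values.
scan_all() {
    targets=$(list_scan_targets)
    scanned=0
    flagged=0
    while IFS= read -r mp; do
        if [ -z "$mp" ]; then continue; fi
        scanned=$((scanned + 1))
        rc=0
        # </dev/null keeps savscan from consuming the target list on stdin.
        "$SAVSCAN" "$mp" -all -archive -f -bs -mbr </dev/null || rc=$?
        echo "savscan exit status $rc: $mp"
        if [ "$rc" -ne 0 ]; then flagged=$((flagged + 1)); fi
    done <<EOF
$targets
EOF
    echo "targets scanned: $scanned, non-zero results: $flagged"
    # An unmounted device (like the tablet) yields zero targets: not "clean".
    if [ "$scanned" -eq 0 ] || [ "$flagged" -ne 0 ]; then return 1; fi
    return 0
}

case "${1:-}" in
    --list) list_scan_targets </proc/mounts ;;
    --demo) sample_mounts | list_scan_targets ;;
    --run)  scan_all </proc/mounts ;;
esac
```

A device that never appears in the mount table, such as the MTP-attached tablet described in this thread, is not scanned by this script, which is why zero targets is reported as a failure rather than as a clean result.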

  • > Christian
    > so you want to use your Linux as kind of sheep-dip?

    Yes.
    I was unfamiliar with term "sheep-dip".

    This clarifies "sheep-dip":

    In data security, a sheep dip is the process of
    using a dedicated computer to
    test files on removable media
    for viruses
    before they are allowed to be used with other computers.
    https://en.wikipedia.org/wiki/Sheep_dip_(computing)
    Isolated from other computers.
    Not connected to office network.


    For clarity, beyond "sheep-dip", using Linux Sophos to:
    1. Test files before they are allowed to be used with other computers.
    2. Sophos finds "Could not check" (corrupt files).
    3. Sophos finds "Password protected files".
    4. Sophos finds "virus scan failed" files.
    5. Sophos detects number of "encrypted files were not checked".
    6. Sophos finds PUAs (Potentially Unwanted Applications)
    7. Sophos finds virus. Then manual deletion.   Then Long term Off-Line file storage.  

    From above seven (7) points, characterizing
    Linux Sophos and other
    Linux Anti-Virus programs as a:
    - Sheep-dipper and
    - Error detector and
    - Encryption detector and
    - Virus detector then Scrubber (Cleanser), before storing files.

    --

  • Update 10-March-2020:  

    With ubuntu 19.10, Format/Erase a drive  
    Fresh install of ubuntu 19.10 to above Formatted/Erased drive
    Fresh install of Sophos & update definitions, March 2020  
    No usb stick plugged-in & No other drive attached


    1. Timed scans:

    8 (eight) seconds scan of ubuntu1910 partition with
    Display Name, boot sector, master boot record, verbose archive types, full:
    sudo savscan -dn -bs -mbr -vv -f *


    3 (three) minute scan of ubuntu1910 partition:  
    savscan /
    or
    sudo savscan / -dn -bs -mbr -vv


    11 (eleven) minute scan of ubuntu1910 partition:
    savscan / -dn -bs -mbr -vv -all
    or
    sudo savscan / -dn -bs -mbr -vv -all    


    19 (nineteen) minute scan of ubuntu1910 partition:
    sudo savscan / -dn -bs -mbr -vv -all -archive -pua -eec -suspicious


    24 (twenty-four) minute scan of ubuntu1910 partition:
    savscan / -dn -bs -mbr -vv -all -f


    34 (thirty-four) minute scan of ubuntu1910 partition:
    savscan / -dn -bs -mbr -vv -all -archive -f



    2. Attach HDD (hard disk drive sata 2 NTFS Windows files) to be scanned and
    No HDD automatic detection by ubuntu1910
    No HDD automatic mount

    Must do a manual HDD mount.

    Used ubuntu1910 GUI (graphical user interface) to mount HDD:
    Bottom Left corner button = ShowApplications /
    DISKS /
    AdditionalPartitionOptions /
    EditMountOptions /
    UserSessionDefaults = Off /


    Terminal Command:
    df  
    Examples of HDD display in df
    /media/username/device-label
    /media/user1/s_931GBmbrN
    /mnt/E6849A098499DBFC  


    3. Plug-in Tablet android 6 to usb 2.0 port to be scanned and
    No Tablet automatic detection by ubuntu1910
    No Tablet automatic mount
    No easy manual Tablet mounting in ubuntu1910
    No scanning (savscan /) for Tablet
    Suggestion was to find android 6 anti-virus app to scan Tablet.


    --