This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

The checksum of the latest virus identity file found on the remote host is invalid

Hello 

We have installed sophos antivirus on our ubuntu machine which has nagios already installed on it. When nagion do security scan on server, it got below message.

******************

Sophos Anti-Virus for Linux is installed on the remote host :Installation path : /opt/sophos-av/Sophos Anti-Virus for Linux version :
Product version : 9.16.0
Engine version : 3.77.1 Threat data version : 5.74Virus signatures last updated : 2020/04/01
The checksum of the latest virus identity file found on the remote host is invalid.
This means that file miner-xv.ide could have been altered!As a result, the remote host might be infected by viruses.

******************

Automatic update result:

Sophos Anti-Virus = 9.16.0
Build Revision = 2821170
Threat detection engine = 3.77.1
Threat data = 5.74
Threat count = 49414939
Threat data release = Tue 31 Mar 2020 12:00:00 AM
Last update = Sun 05 Apr 2020 11:09:43 PM CDT

Please can anyone help

Regards,
Amit



This thread was automatically locked due to age.
Parents Reply Children
  • Hello Amit,

    exactly this message mentioning miner-xv.ide or do the names change?

    Are you installing with the package downloaded from Sophos? And post installation means you trigger a Nagios scan? Do you know how Nagios performs this check? Asking because Sophos' AutoUpdate and the daemon perform consistency checks and are supposed to detect corruption and manipulation.

    Christian

  • Hello Christian,

     

    It changes every time with new file name. We are installing the package downloaded from sophos and post installation of sophos, we triggered the nessus scan which uses nagios.

     

    Due to access limitation, we are not sure, how nessus scan work.

     

    Regards,

    Amit

  • Hello Amit,

    the SAV package should update to the latest version and definitions - not sure whether it does so already during install or with the next update. If the latter the Nessus/Nagios scan might take place before the update. Sophos publishes information on the latest IDE here. If this is the same that Nagios indicates it might be that SAV has not yet updated. You should check if the file that Nagios complains about is in /opt/sophos-av/lib/sav.

    Did you rescan the machines later, did you get the same error but for another file?

    Christian

  • Hello Christain,
     
    you are correct, sav packages are being updated to latest version and definition.

    We tried to run the Nessus scan again and this time it shows different ide file.

    Sophos Anti-Virus for Linux is installed on the remote host :Installation path : /opt/sophos-av/Sophos Anti-Virus for Linux version :
    Product version : 9.16.0
    Engine version : 3.77.1 Threat data version : 5.74Virus signatures last updated : 2020/04/07
    The checksum of the latest virus identity file found on the remote host is invalid.
    This means that file formbo-i.ide could have been altered!As a result, the remote host might be infected by viruses.
     
    Regards,
    Amit Mishra
     
  • Hello Amit,

    this looks like Nagios is doing it wrong. formbo-i.ide is from April 3rd, definitely not the latest or from the latest bunch.

    Just invalid isn't much information, does Nagios provide a detailed (expected vs. calculated checksum) output? Or is there any information from where it gets the list of expected checksums?

    Christian

  • Hello,

     

    We got the same error too, but for hawke-fe.ide from April 10. The name of the file does not change with each check. Can you please tell me where I can find the hash of the ides? The one from the website just had the checksum for latest IDE.

     

    Thanks

  • Hello Obi-Wan,

    I can't say where SAV for Linux stores the expected hashes/checksums. Perhaps can provide some insight.
    BTW: I see four hawke-cc.ides but no hawke-fe.ide, only hawke-fv.ide.

    Christian

  • Hello,

     

    Apologies, it was indeed hawke-fv.ide. And the reply from is helpful, if sophos logs in case of errors in the IDE checks, we should be good as I verified the last three latest ides and the checksums match. I just wanted to check off the final box by verifying the hash of the "problem" ide also. 

     

    Thanks