This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

The checksum of the latest virus identity file found on the remote host is invalid

Hello 

We have installed sophos antivirus on our ubuntu machine which has nagios already installed on it. When nagion do security scan on server, it got below message.

******************

Sophos Anti-Virus for Linux is installed on the remote host :Installation path : /opt/sophos-av/Sophos Anti-Virus for Linux version :
Product version : 9.16.0
Engine version : 3.77.1 Threat data version : 5.74Virus signatures last updated : 2020/04/01
The checksum of the latest virus identity file found on the remote host is invalid.
This means that file miner-xv.ide could have been altered!As a result, the remote host might be infected by viruses.

******************

Automatic update result:

Sophos Anti-Virus = 9.16.0
Build Revision = 2821170
Threat detection engine = 3.77.1
Threat data = 5.74
Threat count = 49414939
Threat data release = Tue 31 Mar 2020 12:00:00 AM
Last update = Sun 05 Apr 2020 11:09:43 PM CDT

Please can anyone help

Regards,
Amit



This thread was automatically locked due to age.
  • Hi,

     

    I'm not sure what nagios is checking against.

     

    It's possible they have got their own hashes of the IDE files, and are assuming the files never change. Either generated locally, or distributed.

     

    Unfortunately that isn't true, Sophos (these days) releases updated IDEs.

     

    IDEs have signatures verified against a key in the vdl.dat file, but I doubt nagios is dissecting vdl to get that.

    If you are updating from a CID (SEC-managed), then the IDEs have a hash in the cidsync.upd in the cache directory, but nagios is very unlikely to be looking at that.

    If you are updating via SDDS (directly from Sophos), then IDEs have hashes in the SDDS meta-data but I can't imagine nagios is looking at that.

     

    nagios isn't a Sophos tool so I have no idea what it is trying to verify, but I think it is a false-positive from nagios rather than any kind of problem from Sophos, since we do our own verificaton that IDEs are correct before they are used, so would be reporting an error if they were corrupt. 

     

    Thanks,

    Douglas.

  • Hello,

     

    Apologies, it was indeed hawke-fv.ide. And the reply from is helpful, if sophos logs in case of errors in the IDE checks, we should be good as I verified the last three latest ides and the checksums match. I just wanted to check off the final box by verifying the hash of the "problem" ide also. 

     

    Thanks