Trouble running manual savscan, AV for Linux free version, Ubuntu 18.04.4 LTS desktop

Hello All,

I am running Ubuntu 18.04.4 LTS desktop and am giving the AV for Linux free version a try. I was able to successfully install the software (v 9.16.2), and both savd and savscand run on boot. Running savdstatus in /opt/sophos-av/bin returns "Sophos Anti-Virus is active and on-access scanning is running". Manual updates seem to work too, with savupdate returning "Successfully updated Sophos Anti-Virus from sdds:SOPHOS". My problem is I can't run a manual scan using savscan. When I try to run savscan, it returns "Error: Unable to locate SavForLinux installation directory". I installed the AV software on a 2nd Ubuntu machine that I have, and it behaves identically to the first installation. I tried searching the forum for this error, but it returns only a few results that didn't provide a solution. Any help to resolve this would be greatly appreciated. Please let me know if any additional information would be helpful.

Thank you.



  • Hello Andrew Paulaner,

    thought I've heard of this one but all I can find is related to a hardened kernel.
    I'm sure can give a hint.

    Christian

  • Hi Andrew,

    savscan has to search for the SAV installation, since it can't find itself directly.

    It looks at /proc/self/exe, /usr/local/bin/savscan and /usr/bin/savscan. /proc/self/exe might be blocked by a hardened kernel. It tries to follow symlinks then find parent directories to find the SAV install location.

    It also checks /opt/sophos-av and /usr/local/sophos-av as possible install directories.

    For each directory it finds, it checks that it looks like a SAV installation: it checks permissions and presence of the virus data, and the savscan binary.

    It's possible that something has damaged the install of SAV such that savscan can't recognise the install as valid. In that case savscan can't run.

    Full list of checks for a directory $INST:

    • sophosav group exists
    • $INST is owned by root
    • $INST is group sophosav or root
    • $INST/bin/_/savscan exists
    • $INST/lib/sav/vdl01.vdb exists
    • $INST/engine/sweep exists
    • $F=follow $INST/engine/sweep symlink to a file
    • $F is owned by root
    • $F group is sophosav
    • $F is setgid

    If any of those are false, the directory is not a valid SAV installation.

    In particular if setgid is blocked or removed from sweep then the directory won't be treated as valid.

    Thanks,

    Douglas.
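
The checks Douglas lists can be run by hand against a candidate directory to see which one fails. The script below is an added example, not part of the original thread and not Sophos code; the function name `check_install` and the way each check is read (for instance `lexists` for "exists") are assumptions.

```python
#!/usr/bin/env python3
"""Report which of the listed install-directory checks fail for $INST."""
import grp
import os
import stat
import sys


def check_install(inst, group="sophosav"):
    """Return [(description, passed)] for each listed check, in list order."""
    results = []
    try:
        gid = grp.getgrnam(group).gr_gid
    except KeyError:
        gid = None
    results.append((f"{group} group exists", gid is not None))
    try:
        st = os.stat(inst)
    except OSError:
        st = None
    results.append(("$INST is owned by root", st is not None and st.st_uid == 0))
    results.append((f"$INST is group {group} or root",
                    st is not None and st.st_gid in (0, gid)))
    # Assumption: "exists" means the path entry is present (symlinks count).
    for rel in ("bin/_/savscan", "lib/sav/vdl01.vdb", "engine/sweep"):
        present = os.path.lexists(os.path.join(inst, rel))
        results.append((f"$INST/{rel} exists", present))
    # $F is whatever $INST/engine/sweep points at once symlinks are followed.
    target = os.path.realpath(os.path.join(inst, "engine/sweep"))
    try:
        ft = os.stat(target)
        is_file = stat.S_ISREG(ft.st_mode)
    except OSError:
        ft, is_file = None, False
    results.append(("$F = $INST/engine/sweep resolves to a file", is_file))
    results.append(("$F is owned by root", is_file and ft.st_uid == 0))
    results.append((f"$F group is {group}",
                    is_file and gid is not None and ft.st_gid == gid))
    results.append(("$F is setgid", is_file and bool(ft.st_mode & stat.S_ISGID)))
    return results


if __name__ == "__main__":
    # Default to the two fallback install directories named in the reply.
    for inst in sys.argv[1:] or ["/opt/sophos-av", "/usr/local/sophos-av"]:
        print(inst)
        for desc, ok in check_install(inst):
            print(f"  [{'PASS' if ok else 'FAIL'}] {desc}")
```

The script reads the setgid mode bit only; it cannot tell whether something on the system prevents setgid from taking effect.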