This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Scanfile in Savdid

Hi!

I'm trying to validate the use of Savdid to scan files and data through a tcp/ip socket. I'm attempting to scan files around 2 GB in size, do I need to pass any options for this to work? Running "SSSP/1.0 SCANFILE /tmp/test.img" it only takes less than a second to return the following:

SCANFILE /tmp/test.tiff
ACC 5F6C867D/26
EVENT FILE /tmp/test.tiff
FILE /tmp/test.tiff
TYPE 95
DONE OK 0000 The function call succeeded

This leads me to believe that it hasn't in fact scanned the file. Is there something I need to do to force it to scan it?

--
Marius



This thread was automatically locked due to age.
  • Hi 

    Are you using SAVDI? Could you please check this article and set scanning options. 

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • But what scanning options should I set so that large files are scanned? I attempted to set "savigrp: GrpSuper 1", but still the scanning of the large 2 GB file took less than one second.

  • Hello Marius Flage,

    the scanning of the large 2 GB file took less than one second
    first of all, size doesn't matter (as long as we're not talking about scanning inside archives and containers). It's not necessary to read all of a file to assess wheter it's clean or not.
    Is your test file indeed a very large TIFF? If so, please see the CleanTiff option.

    Christian

  • first of all, size doesn't matter (as long as we're not talking about scanning inside archives and containers). It's not necessary to read all of a file to assess wheter it's clean or not.

    What do you mean it's not necessary to read all of a file to assess weather it's clean or not? Malware can hide all over the place, no?

    It also states that: "Certain file formats (e.g. .bmp bitmap files) cannot contain viruses. These options enable files of the corresponding types to be positively identified and scanning of them to be stopped. This results in more efficient scanning of these file types." . Is this true? Can't tiff images contain malware that can cause an underlying library to crash and then potentially run some malware?

  • Hello Marius Flage,

    no. It depends on the nature of the file where it can hide. Please note we're not talking about malicious code that hides in a place from where it has to be read by some other malicious code before it can execute.

    Christian

  • Hm, ok. But our customer requires us to actually scan a tiff file for viruses. How do I set the cleantiff option to 0? It looks like it has to be set to 0 to deactivate the assumption that all tiff files are clean, right?

    I tried setting the following inside the scanner {} block:

    scanner {

    # type and inprocess can only be SAVI and YES for now

    type: SAVI

    inprocess: YES

    # Max time to be allowed for scanning a single file

    maxscantime: -1

    maxrequesttime: -1

    savigrp: GrpSuper 1

    savigrp: GrpClean 0

    savists: CleanTiff 0

    }

    But it still takes suspiciously little time to scan it.

  • Hello Marius Flage,

    you are probably using the correct setting (I never worked with SAVDI). But even with CleanTiff disabled the scanner won't scan all of the file. Files are scanned for structural integrity, anomalies and telltale signs in specific places. Depending on what is found (or not found) the scan goes deeper or ends.

    Christian

  • But the file is 2GB. The feedback is more or less instantaneous, so I can't believe that it has actually done anything to scan it. If we run 'savscan -f' from the command line, then this takes 12 seconds to complete. 

  • Hello Marius Flage,

    (sorry for the delay).
    ah, I see Slight smile. The difference is that SAVDI instructs a fully operational scanner thread to scan the file whereas savscan has to load and initialize the virus data for the scanning engine, this accounts for the extra time. You can easily verify this by savscanning some tiny file.

    Christian

  • Yes, I have already attempted that comparison. The loading and initialization of the virus data accounts for roughly 4 seconds (I ran against a tiny file). So 'savscan' is actually doing something for the remaining 8.