This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos savscan (Linux): how to check if it works properly?

savscan -f * says

406 files scanned in 5 seconds [etc...]

savlog says

[...] updating from versions - SAV: 9.11.0, Engine: 3.63.0, Data: 5.22 [...] On-access scanning enabled using talpa.  [etc...]

sudo /etc/init.d/sav-protect status --> says:

Loaded: loaded (/lib/systemd/system/sav-protect.service; enabled)
Active: active (running) since Tue [etc]

Does this mean it's working*correctly* (and auto-started with my machine) in background (despite there is no GUI and I don't see any icon)?

Also, what kind of protection I'm actually missing if Fanotify = OFF ?
I'm running Debian 8 with Kernel 3.16 (not supported - at least for Fanotify - according to https://www.sophos.com/de-de/support/knowledgebase/14377.aspx)

Thanks in advance



This thread was automatically locked due to age.
  • Sophos Anti-Virus for Linux doesn't have any GUI or desktop icon, so those ways you've specified are the ways of checking that it's working.

    savscan does on-demand scans of the files specified on the command-line, where as on-access checks files when they are accessed across the entire system.

    Talpa and fanotify are two different ways for SAV to detect file operations from the kernel. Talpa is a set of kernel modules, whereas fanotify is a kernel API, they both allow interception of file operations, while Talpa also allows detection of mount operation (to scan for boot-sector threats).
    Unfortunately Debian don't entire fanotify in their kernels (not at the level SAV requires) so Talpa is the only option.