Some questions on new free SAV install on ubuntu 16.04

Hi,

I just installed Sophos on an Ubuntu 16.04 x64 derivative. I've enabled on-demand scanning only. I have several questions that would help me and maybe others.

The command I run to scan is 

savscan / -ss -nall -bs -mbr -q --stay-on-filesystem

But that brought up the "not admin" error with regard to scanning the boot sectors. This happened even when I added sudo to the command. So I ended up deleting the boot sectors:

savscan / -ss -nall -q --stay-on-filesystem

But I would like to hit the boot sectors as well, if possible.

The second question is whether there is any way to suppress all the many "file could not be opened" errors. I'm using the -ss switch, but it passes these errors. I would like to see the malware alerts, of course, but that's about it.

Lastly, should I be using any kind of graphic interface for SAV? I see something being offered on the downloads page, but I'm not sure what it is.

Thanks much.

  • Hello Paul B,

    • excuse me, no derision meant, but all this doesn't go together well.
    • foregoing On-Access scanning and asking for a GUI is one example
    • initiating a scan for the whole file system (/) without obtaining root permissions first
    • attempting to scan the mbr (just because it's possible?)
    • expecting the -ss flag to suppress errors
    • and wanting to see only the malware alerts

    Can you say why you've disabled On-Access scanning? What's your reason for scanning the boot sectors and the MBR? Also I see you have specified options with their default values.
    All this suggests (again, no derision meant) that you are trying to do something, but it's not clear what this is.

    A number of the open errors are "normal" as they are for links that point to nowhere.

    If you really want to do only on-demand scanning I'd suggest that you make some tests with EICAR to see how savscan and its options work.

    Christian

  • Hi,

    Thanks for your reply, but I don't understand the reasoning behind much of it.

    I don't understand why on-access scanning and having a GUI are related.

    I did state that I tried the command using sudo. Is that not root permissions?

    Is there something wrong with scanning the MBR, since it is possible?

    I didn't "expect" the -ss flag to suppress the errors. I asked if there is a way to suppress a certain type of error.

    And I don't see what's wrong with wanting to see basically only malware alerts.

    Regards,

    Paul

  • Hello Paul,

    there's nothing wrong, it's more an impression I've got (perhaps misinterpreting the naturally little information on what you've done so far).

    Users (especially Linux users) looking for a GUI normally stick with suggested defaults. You might have disabled On-Access scanning after install, it just didn't sound to me that you did so
    sudo - you didn't use sudo on the first attempt, did you? Admittedly the Configuration Guide mentions superuser only in conjunction with the boot sectors and suggests savscan / to scan the computer. You probably did want to scan the computer - and not only everything on your computer that you have permission to read [emphasis mine]. Again I possibly wrong you but / usually calls for su. As an aside - I do not get the not admin (Ubuntu 12.04 and 16.04). It claims to scan the boot sectors when sudoed, as normal user I don't get an error but it just doesn't scan them
    MBR - nothing wrong, just quite unspectacular if you don't have at least the suspicion that it's infected and thus of minor importance - in contrast to:
    error messages vs. malware alerts - you want to suppress the ones that tell you that access has been denied or some path couldn't be found. Many if not most are annoying. But among them are the ones that should make you aware that savscan / (because you didn't run it as root) did not scan everything. Unfortunately savscan can't help you to distinguish them (and a lot of Linux admins would consider "you are not root" at the start as overprotective [;)]). AFAIK detections are prefixed with >>> though so it should be fairly easy to suppress the uninteresting rest.

    I hope I could clarify some of the points. No lecturing or contemptuousness intended. When people digress from the recommendations I want to make sure they know what they do. If AV is unwittingly "inadequately" used it might give a false sense of security while it doesn't do what it's supposed to.

    Christian 

  • Ok. Thanks. I might see about piping the output to a file, which I can then search for detections. Actually, since I restricted the search to the immediate mount point (as opposed to a first all-drive scan I did), scanning the raw output visually isn't too bad.

    Paul
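Added example (not from the thread and not Sophos' own tooling): a small POSIX sh script that takes a saved savscan log and separates the detection lines (prefixed with >>>, as Christian describes) from the "could not be opened" lines that reveal what the scan did not cover. The log content, paths and exact message wording below are constructed for illustration; the real savscan message text may differ, so adjust the pattern to your own output.

```shell
#!/bin/sh
# Assumed capture step (run as root so / is actually scanned in full):
#   sudo savscan / -ss -nall --stay-on-filesystem > /tmp/savscan.log 2>&1
# Below, a constructed sample log stands in for /tmp/savscan.log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
/var/log/auth.log could not be opened (permission denied)
/proc/1234/fd/3 could not be opened
>>> Virus 'EICAR-AV-Test' found in file /home/paul/eicar.com
/root/.bashrc could not be opened (permission denied)
>>> Virus 'EICAR-AV-Test' found in file /tmp/eicar.txt
EOF

# Only the lines that matter for alerting: detections carry the >>> prefix.
detections() { grep '^>>>' "$1"; }

# Number of detection lines (grep -c exits 1 on zero matches, hence || true).
detection_count() { grep -c '^>>>' "$1" || true; }

# Do not throw the open errors away silently: their count tells you how
# much of the filesystem was skipped. A large number from a non-root run
# means the scan result is incomplete, not that the system is clean.
skipped_count() { grep -c -i -E 'could not (be )?open' "$1" || true; }

# Exit status 0 when at least one detection exists (handy for cron/monitoring).
has_detections() { grep -q '^>>>' "$1"; }

detections "$SAMPLE_LOG"
echo "detections: $(detection_count "$SAMPLE_LOG")"
echo "skipped (unscanned) entries: $(skipped_count "$SAMPLE_LOG")"
```

Replace the sample log with the real capture file; the detection lines go to your alerting, and the skipped count is the sanity check that the scan actually covered what you expected.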