Metasploit downloaded and installed - nothing from Sophos endpoint

Could you try the following steps to see if anything changes when moving around the eicar file?

• Go to Policies - Threat Protection - Select the policy to change and select "Settings"
• Page down to "Server Protection default settings" 
• Un-check "Enable all Server Protection default features "
• Page down to "Real-time scanning - Local files and network shares"
• Check the box "Apply scan to Linux agent" and "Save" changes

Hi,

On-access scanning works in the 2023.1 release of Sophos Protection for Linux which is currently halfway through its release cycle. I can see from the screenshot above that you are still on 2022.4 and are not yet updated.

The final GA rollout for on-access is today (1st Feb) so you should be updated by tomorrow.

The On-access scanning that is going out will alert to virus and eicar test detections once installed.

We are also planning on rolling out the Safestore quarantine feature which will move any malware detections to the safestore DB. This feature requires new flags to be set and this will be enabled in stages starting next week and continuing for 3 weeks from then.

 thanks

Rick

Hi Rick,

thanks for your reply. The server was on 2023.01 yesterday already. Verified it today. Still eicar movement on the server is not detected. Real Time Scanning is not blocking anything. Just tried that.

Regards

 Qoosh I did that

saved policy

now it looks like:

enabled RTS again and saved:

cd /opt/metasploit-framework/embedded/framework/data/
/opt/metasploit-framework/embedded/framework/data$ cp eicar.com /tmp/
/opt/metasploit-framework/embedded/framework/data$ ls /tmp/eicar.com
/tmp/eicar.com
/opt/metasploit-framework/embedded/framework/data$ cat /tmp/eicar.com
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*/opt/metasploit-framework/embedded/framework/data$

date
Wed Feb  1 14:56:09 UTC 2023

rm /tmp/eicar.com

Hi, I suspect it is the Central policy that needs to toggle on and save in the right order. I saved it off, then enabled it and saved again.

Once it is enabled, it does not block or stop anything at this stage (that comes with Safestore), only reports an alert in the av log and in Central. 

will try that. Have not seen any alert from linux OS since.

so - a policy cannot be disabled - only settings within.

So once more I disabled Real time scan, saved

enabled Real time scan after some time, saved.

agent should have that change applied

cp /opt/metasploit-framework/embedded/framework/data/eicar.com /tmp/
/opt/sophos-spl$ ls -ali /tmp/eicar.com
130266 -rwxr-xr-x 1 localuser sudo 68 Feb  1 16:35 /tmp/eicar.com

no event logged again in central - are there useful logs on the endpoint about real time detection?

When testing this, I was able to generate some detections when downloading the eicar files. Moving files from removable media also returned detection and cleanup events.

Could you try downloading metasploit to see what happens this time?

I can download eicar without issues.

wget -O eicar.com hxxxs.||secure.eicar.org/eicar.com
--2023-02-02 08:11:26--  hxxxs.||secure.eicar.org/eicar.com
Resolving secure.eicar.org (secure.eicar.org)... 2a00:1828:1000:2497::2, 89.238.73.97
Connecting to secure.eicar.org (secure.eicar.org)|2a00:1828:1000:2497::2|:443... failed: No route to host.
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 68
Saving to: 'eicar.com'

eicar.com             100%[======================>]      68  --.-KB/s    in 0s

2023-02-02 08:11:27 (84.1 MB/s) - 'eicar.com' saved [68/68]




wget -O eicar.com.zip hxxxs.||secure.eicar.org/eicar_com.zip
--2023-02-02 08:12:38--  hxxxs.||secure.eicar.org/eicar_com.zip
Resolving secure.eicar.org (secure.eicar.org)... 2a00:1828:1000:2497::2, 89.238.73.97
Connecting to secure.eicar.org (secure.eicar.org)|2a00:1828:1000:2497::2|:443... failed: No route to host.
Connecting to secure.eicar.org (secure.eicar.org)|89.238.73.97|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 184 [application/zip]
Saving to: 'eicar.com.zip'

eicar.com.zip         100%[======================>]     184  --.-KB/s    in 0s

2023-02-02 08:12:39 (231 MB/s) - 'eicar.com.zip' saved [184/184]

Hi ,

Lets first check that on-access is available and running on the system.

you can use the systemctl status sophos-spl command to see the running processes and look out for the onaccess process:

           ├─ 1116 /opt/sophos-spl/plugins/av/sbin/soapd    

Go to the AntiVirus log location and check for the on-access log

           /opt/sophos-spl/plugins/av/log/soapd.log

check here for any alerts generated by opening an eicar file.

If there are no alerts, please post the last 20 lines of the log.

Or open a case and I can do some more thorough trouble shooting .

Just to confirm one of my earlier points, there is nothing currently released to stop you opening detected files. At the moment on-access scanning will "only" report when there is a detection, it will not prevent anything or move any file.

thanks

Rick