This article provides information on changing the default rotation behavior of the Sophos Anti-Virus on-access scanner log file SAV.txt. If the log file size grows too large before rotation occurs you can use the information below to alter the default setting.
Applies to the following Sophos product(s) and version(s): Sophos Anti-Virus for Windows 2000+
SAV.txt is located in the following folder:
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\
There is no configuration option for this setting in the Enterprise Console. Therefore you must edit the 'Logging' section of the Endpoint application.
The default endpoint logging settings are:
Note: Rotation and archiving are a function of time rather than log file size. If many errors are logged in a short period of time, the SAV.txt file can grow to a large size and will not be rotated or archived until the month is up.
The log rotation settings are saved in 'Machine.xml' which is located in the following folder:
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\
By default there is no data specified. If you change the options from the UI a <rotation> tag appears:
The whole logging section looks like this:
<item itemName="FileLog">
  <settings>
    <rotation><enabled>true</enabled><oldlogs>4</oldlogs></rotation>
    <filtering>
      <item itemName="Virus">70</item>
      <item itemName="Configuration">60</item>
      <item itemName="Scanning">70</item>
      <item itemName="Update">60</item>
      <item itemName="OnAccess">70</item>
      <item itemName="Pua">70</item>
    </filtering>
    <compression>true</compression>
  </settings>
</item>
There are a few other settings which are not displayed, and are defaults. One of them is the rotation interval, which by default is once a month. Although there are no settings to specify how often a log is to be rotated, it can be done either in days, weeks or months.
The intervals are specified in decimal (but represent HEX values), and a number is added to them to specify how many of those intervals to do before a rotation.
So the default is every 1 month, which gives us: 1 + 196608 = 196609 (which is actually the default found in factory.xml).
If we wanted every week, or 7 days, we could do it 2 ways:
If we want every day: 1 + 65536 = 65537.
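The interval arithmetic above, as an added Python example (not Sophos code): it builds and decodes interval values using only the two unit constants this article states, 65536 for days and 196608 for months. The function names, and the assumption that the count occupies the low 16 bits of the value, are illustrative and inferred from those constants.

```python
# Added example: encode/decode the SAV.txt rotation interval value.
# Unit constants are the ones stated in the article; the bit layout
# (count in the low 16 bits) is an assumption inferred from them.
UNITS = {"day": 65536, "month": 196608}   # 0x10000 and 0x30000
COUNT_MASK = 0xFFFF                        # assumed width of the count field


def encode_interval(count, unit):
    """Return the decimal value for 'rotate every <count> <unit>s'."""
    if unit not in UNITS:
        raise ValueError(f"unit not covered by this example: {unit!r}")
    if not 1 <= count <= COUNT_MASK:
        raise ValueError(f"count must be 1..{COUNT_MASK}, got {count}")
    return UNITS[unit] + count


def decode_interval(value):
    """Split an interval value into (count, unit); reject anything unknown."""
    count = value & COUNT_MASK          # low 16 bits: number of intervals
    unit_code = value & ~COUNT_MASK     # remaining bits: day/month selector
    for name, code in UNITS.items():
        if code == unit_code:
            if count == 0:
                raise ValueError(f"{value} has a unit but a zero count")
            return count, name
    raise ValueError(f"unrecognised unit code {unit_code:#x} in {value}")


if __name__ == "__main__":
    # Default (monthly), daily, and every 7 days expressed in the day unit.
    for v in (196609, 65537, encode_interval(7, "day")):
        count, unit = decode_interval(v)
        print(f"{v} = {v:#x} -> every {count} {unit}(s)")
```

Decoding the value already present in a configuration before changing it confirms which unit is in effect, since the decimal form hides the unit/count split that the hexadecimal form makes visible.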
Now that we have our interval, we must insert it into our <rotation> tag. In this case, we want daily rotation, with a 6 day archive: