This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

What are the most comprehensive savscan switches?

.
Questions:
What are the most comprehensive savscan switches?
said differently ...
What are the savscan switches that will do the 'most work'?
the 'most work' means:
- display the most information and
- highest amount of 'files scanned' and
- scan the whole file, not Quick scan, but Full scan and
- switches giving the most thorough scan (comprehensive scan).


Below are seven (7) test results for a computer from the
least time 23 seconds to
most time 43 + minutes:

1.
sudo savscan /media/user/usb_4GB_F32
___120 files scanned in __ minutes and 23 seconds.


2.
sudo savscan /
_92431 files scanned in _7 minutes and 19 seconds.


3.
sudo savscan / -dn *
_92821 files scanned in _7 minutes and 25 seconds.


4.
sudo savscan / -all
439201 files scanned in 17 minutes and 53 seconds.


5.
sudo savscan / -all -archive
439198 files scanned in 21 minutes and 14 seconds.


6. Quick scan:
sudo savscan / -all -archive -dn -pua -eec -suspicious -bs -mbr -vv * -sc -c -b -rec -q
438991 files scanned in 27 minutes and 29 seconds.


7. Full scan:
sudo savscan / -all -archive -dn -pua -eec -suspicious -bs -mbr -vv * -sc -c -b -rec -f
439273 files scanned in 43 minutes and 37 seconds.


* * *


Background 1
Download standalone, not Enterprise Console, not Sophos Central:
sav-linux-free-9.tgz 369.4 MB (369,423,602 bytes)
configure all Sophos Anti-Virus functions from the
CLI (Command Line Interface).


Background 2
Operating System command:
lsb_release -d
Description: Ubuntu 20.04.3 LTS


Background 3
sudo /opt/sophos-av/bin/savdstatus --version
Copyright 1989-2021 Sophos Limited. All rights reserved.
Sophos Anti-Virus = 9.17.1
Build Revision = 2858276
Threat detection engine = 3.83.1
Threat data = 5.89
Threat count = 68748286
Threat data release = Tue 07 Dec 2021 12:00:00 AM
Last update = Sun 12 Dec 2021 08:01:55 AM


Background 4
sudo /opt/sophos-av/bin/savdstatus -vv
Sophos Anti-Virus is active and on-access scanning is running


Background 5
Check that on-access scanning will be started automatically with savd:
sudo /opt/sophos-av/bin/savconfig query EnableOnStart
true


Background 6
Possible drives to be connected, formatted as:
- Windows NTFS
- Windows FAT32
- Windows exFAT
- Linux Ubuntu Ext4

* * *


In other words, from above 7 tests,
the most comprehensive savscan switches
the 'most work' means:
what switches can be added to Full scan below:

sudo savscan / -all -archive -dn -pua -eec -suspicious -bs -mbr -vv * -sc -c -b -rec -f

--



This thread was automatically locked due to age.
Parents
  • Hello Joseph Lundstrom,

    it's not clear what you are trying to achieve; Making sure that these drives are absolutely, definitely, undoubtedly, 100% clean or making the scan last as long as possible? Do you think more scanning is "better"?  Or what else is it you want to do or find out?

    Christian

  • Good day Christian,

    > Christian typed:
    > it's not clear what you are trying to achieve;

    What I am trying to achieve is Multi-purpose.
    see below ...


    > Or what else is it you want to do or find out?

    a.
    Exploring.
    What else is savscan capable of?
    What is possible with Sophos scanner?

    b.
    Exploring savscan capabilities, examples:

    savscan can flag files as:
    . Could not open
    . (virus scan failed)
    . (corrupt)
    . appears to be a 'zip bomb'
    . Password protected files
    . PUA (Potentially Unwanted Applications)

    From above, savscan is also an
    indicator (gauge, beacon) program, by
    pointing to files that might need to be
    manually addressed or
    manually attended to.
    (a non-virus issue)

    c.
    > it's not clear what you are trying to achieve;

    I am trying to achieve a :
    Scan of Back-up drives that are off-line, drives not in daily use.
    Scan using Sophos on Ubuntu.
    Scan with a dedicated computer set to only scan.


    d.
    Scan USB stick from a Windows computer.
    Scan with Sophos on Ubuntu.


    e.
    What switches do a short scan?

    f.
    What switches give the longest scan?
    Longest scan to be done infrequently.

    g.
    Maximize scan.
    Meaning, What switches give best bang for the buck?
    The Most files scanned in Least time.
    (Least action principal)

    h.
    What switches give the most comprehensive scan?
    Then use some switches to fit intent of scan.

    i.
    What savscan switches make best Log file?
    A record of what was done.

    Currently testing 2 Log methods.
    Writing savscan Log to volatile RAM.
    Not writing Log to a drive because it means Less wear on a drive:

    i1.
    script /tmp/Log
    Above command saves Log in color as Terminal shows it.
    Above command saves display before savscan command.
    Above file is large compare to second text method below.
    To open above file:
    cat /tmp/Log#


    i2.
    sudo savscan / -all -archive | tee /tmp/Log_Sophos_scan.txt
    Just a text file, no color.
    gedit to open
    Log_Sophos_scan.txt

    Command to see both files:
    ls -l /tmp/Log*
    ... /tmp/Log#
    ... /tmp/Log_Sophos_scan.txt

    j.
    Exploring savscan.
    What else is savscan capable of?
    via
    Bash CLI (Command Line Interface).

    > Making sure that these drives are
    > absolutely, definitely, undoubtedly, 100% clean

    Yes. that is one intent ..... Clean.
    Including off line drives ... Clean.


    > making the scan last as long as possible?

    Yes. that is one intent ... a Long scan.

    Back-up Drive is not needed this moment ... no hurry.
    and
    nice to know the ratio of a
    _Full scan, versus a
    Quick scan, about

    1.6 times longer for a Full scan, depends on files.


    From Test done:
    438991 files scanned in 27 minutes and 29 seconds. Quick scan
    439273 files scanned in 43 minutes and 37 seconds. Full scan
    ---------------------------------------------------------------
    ___282 files different, 16 minutes different

    > Do you think more scanning is "better"? 

    Unsure if more scanning is better.
    Not enough experience to say.

    But tests show:
    sudo savscan / -dn *
    _92821 files scanned in _7 minutes and 25 seconds. and
    439273 files scanned in 43 minutes and 37 seconds. Full scan
    sudo savscan / -all -archive -dn -pua -eec -suspicious -bs -mbr -vv * -sc -c -b -rec -f

    ---------------------------------------------
    346452 files different, 36 minutes different

    What are the most comprehensive savscan switches?

    --

Reply
  • Good day Christian,

    > Christian typed:
    > it's not clear what you are trying to achieve;

    What I am trying to achieve is Multi-purpose.
    see below ...


    > Or what else is it you want to do or find out?

    a.
    Exploring.
    What else is savscan capable of?
    What is possible with Sophos scanner?

    b.
    Exploring savscan capabilities, examples:

    savscan can flag files as:
    . Could not open
    . (virus scan failed)
    . (corrupt)
    . appears to be a 'zip bomb'
    . Password protected files
    . PUA (Potentially Unwanted Applications)

    From above, savscan is also an
    indicator (gauge, beacon) program, by
    pointing to files that might need to be
    manually addressed or
    manually attended to.
    (a non-virus issue)

    c.
    > it's not clear what you are trying to achieve;

    I am trying to achieve a :
    Scan of Back-up drives that are off-line, drives not in daily use.
    Scan using Sophos on Ubuntu.
    Scan with a dedicated computer set to only scan.


    d.
    Scan USB stick from a Windows computer.
    Scan with Sophos on Ubuntu.


    e.
    What switches do a short scan?

    f.
    What switches give the longest scan?
    Longest scan to be done infrequently.

    g.
    Maximize scan.
    Meaning, What switches give best bang for the buck?
    The Most files scanned in Least time.
    (Least action principal)

    h.
    What switches give the most comprehensive scan?
    Then use some switches to fit intent of scan.

    i.
    What savscan switches make best Log file?
    A record of what was done.

    Currently testing 2 Log methods.
    Writing savscan Log to volatile RAM.
    Not writing Log to a drive because it means Less wear on a drive:

    i1.
    script /tmp/Log
    Above command saves Log in color as Terminal shows it.
    Above command saves display before savscan command.
    Above file is large compare to second text method below.
    To open above file:
    cat /tmp/Log#


    i2.
    sudo savscan / -all -archive | tee /tmp/Log_Sophos_scan.txt
    Just a text file, no color.
    gedit to open
    Log_Sophos_scan.txt

    Command to see both files:
    ls -l /tmp/Log*
    ... /tmp/Log#
    ... /tmp/Log_Sophos_scan.txt

    j.
    Exploring savscan.
    What else is savscan capable of?
    via
    Bash CLI (Command Line Interface).

    > Making sure that these drives are
    > absolutely, definitely, undoubtedly, 100% clean

    Yes. that is one intent ..... Clean.
    Including off line drives ... Clean.


    > making the scan last as long as possible?

    Yes. that is one intent ... a Long scan.

    Back-up Drive is not needed this moment ... no hurry.
    and
    nice to know the ratio of a
    _Full scan, versus a
    Quick scan, about

    1.6 times longer for a Full scan, depends on files.


    From Test done:
    438991 files scanned in 27 minutes and 29 seconds. Quick scan
    439273 files scanned in 43 minutes and 37 seconds. Full scan
    ---------------------------------------------------------------
    ___282 files different, 16 minutes different

    > Do you think more scanning is "better"? 

    Unsure if more scanning is better.
    Not enough experience to say.

    But tests show:
    sudo savscan / -dn *
    _92821 files scanned in _7 minutes and 25 seconds. and
    439273 files scanned in 43 minutes and 37 seconds. Full scan
    sudo savscan / -all -archive -dn -pua -eec -suspicious -bs -mbr -vv * -sc -c -b -rec -f

    ---------------------------------------------
    346452 files different, 36 minutes different

    What are the most comprehensive savscan switches?

    --

Children
  • Hello Joseph Lundstrom,

    your intent and questions are clearer now, thanks. I'll try to give you some answers but not all are an answer to one of your questions.

    To begin with, whatever you let a software do you have to trust it and its writers. You have for example to trust savscan that scans all files when you tell it to do so and that it really scans the files it lists. Normally you aren't interested in the list of files scanned. If the scan runs to completion it has scanned what it has been told to scan except where it noted otherwise.

    files that might need to be manually addressed [...] a non-virus issue
    that's insofar correct as the message doesn't indicate a detection (BTW PUA is a detection albeit not a virus). It doesn't say that the file is clean or poses no risk. This is also true for corrupt that not only indicates actually unusable files but also files whose internal structure (say, a database file) does not adhere to the standard.

    Under normal circumstances you get the best bang for the buck with the defaults. Default is to assess cross-platform executable files (what's deemed to be executable is based on the extension, see savscan -vv).. The true file type is determined and only if it's indeed executable the actual scan is performed.
    The -all switch instructs savscan to do this for all files. It will detect threats in executables that have been renamed with an "innocent" extension like .new. If there's no detection the log entry )assuming you're using -ns) tells you neither the true file type nor whether an actual scan was done.
    The -f switch requests a "full" scan. A "not full" quick scan is not less sensitive, i.e. it won't miss infected or malicious files.
    .archive is obvious, if you got a zip bomb message you might try --no-stop-scan. The scan could take very long or abort with out of disk space or memory.

    Christian

  • > Christian typed:
    > files that might need to be manually addressed
    > ... a non-virus issue ...
    > It doesn't say that the file is clean or poses no risk.

    Correct.

    When the phrase 'a non-virus issue' was typed I was looking at
    Password protected files
    lib files, installed from Ubuntu ISO.
    lib files are not my files, outside my control.

    Password protected lib files are understood to be clean
    because password is unknown,
    thus the phrase 'a non-virus issue'.

    Unsure why Operating System has a
    Password protected TEXT file.

    Here are 2 file examples:

    1.
    Password protected file
    /media/u3/1942c302-7.../usr/lib/firmware/vxge/X3fw.ncf/T1:
    X3_101025_1_8_1_expROM_FW_uni_template_rmt_cmd_line.txt

    2.
    Password protected file
    /media/u3/1942c302-7.../usr/lib/firmware/vxge/X3fw.ncf/T1:
    X3_101025_1_8_1_expROM_FW_uni_template_flash0.bin


    --