Sophos Central reports real-time scanning disabled, but savdstatus reports on-access scanning is running

Hi,

I'm getting some seemingly false positive red alerts from Sophos Central. I have a batch of 20-odd Linux virtual machines, all spun up from the same image, running the latest CentOS 7 with all available updates. Most of them are working fine with Sophos, but a few of them (4) are alerting in the Sophos Central console with the message: "Real-time protection has been disabled". The fact that some are behaving differently to others is confusing as they are all built from the same image and should be identical.

I have enabled the 'fanotify' setting as I have a lot of servers to maintain and I don't want gcc on all of them to compile custom libraries. Each server registers with Sophos automatically when created using the /opt/SophosInstall.sh script.

On the machines themselves I have run /opt/sophos-av/bin/savdstatus --verbose and I see this on all machines (alerting or not):

Sophos Linux Security daemon is active
On-access scanning is running

In the systemctl logs for sav-protect I see this:

Sep 23 10:02:46 systemd[1]: Starting "Sophos Linux Security daemon"...
Sep 23 10:02:48 .sav-protect.systemd.prestart.sh[523]: No TBP available, running savupdate:
Sep 23 10:02:53 savd[1590]: savd.daemon: Sophos Linux Security daemon started.
Sep 23 10:02:56 savd[1590]: talpa.startup: Unable to load Talpa modules.
Sep 23 10:03:04 savd[1590]: savd.daemon: On-access scanning enabled using fanotify.
Sep 23 10:03:06 systemd[1]: Started "Sophos Linux Security daemon".
Sep 23 11:03:05 savd[1590]: update.check: Successfully updated Sophos Linux Security from sdds:SOPHOS

It's the same on all servers, whether alerting in Sophos Central or not.

As far as I can see it's all running fine on the servers themselves - I can easily just ignore the alerts, but I am worried that ignoring red alerts is a bad habit to get into, and I would like to understand what's going on here.

Things I have tried:

  • Restarting the Linux servers
  • Restarting the sav-* services on the Linux servers using systemctl
  • Re-registering the machine with the SophosInstall.sh script
  • Deleting the machines from Sophos Central and re-registering with the SophosInstall.sh script

None of these seem to help.

Keith.
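
A local cross-check of the two signals quoted above (savdstatus and the sav-protect journal), added here as an example for this thread; it is not Sophos code. The sample strings are constructed from the output in the post, the "talpa" journal wording is an assumption, and the journalctl flags are standard but not quoted in the thread.

```shell
#!/bin/sh
# Constructed sample inputs copied from the outputs quoted in this thread (not live data).
SAVDSTATUS_SAMPLE='Sophos Linux Security daemon is active
On-access scanning is running'

JOURNAL_SAMPLE='Sep 23 10:02:46 systemd[1]: Starting "Sophos Linux Security daemon"...
Sep 23 10:02:53 savd[1590]: savd.daemon: Sophos Linux Security daemon started.
Sep 23 10:02:56 savd[1590]: talpa.startup: Unable to load Talpa modules.
Sep 23 10:03:04 savd[1590]: savd.daemon: On-access scanning enabled using fanotify.'

# classify_onaccess STATUS_TEXT JOURNAL_TEXT
# Prints one verdict: daemon-down, stopped, running-fanotify, running-talpa or running-unknown.
# savdstatus decides WHETHER on-access scanning runs; the journal only refines HOW it runs.
classify_onaccess() {
  status="$1"
  journal="$2"
  if ! printf '%s\n' "$status" | grep -q 'daemon is active'; then
    echo daemon-down
    return 0
  fi
  if ! printf '%s\n' "$status" | grep -q 'On-access scanning is running'; then
    echo stopped
    return 0
  fi
  # Take the most recent "enabled using ..." line, since the daemon may have restarted.
  # "fanotify" is the wording quoted in the thread; a "talpa" value is an assumption for
  # the kernel-module path. The "Unable to load Talpa modules" warning is not treated as
  # a failure on its own: in the quoted log it is followed by fanotify coming up.
  mech=$(printf '%s\n' "$journal" \
    | grep 'On-access scanning enabled using' | tail -n 1 \
    | sed 's/.*enabled using //; s/\.$//')
  case "$mech" in
    fanotify) echo running-fanotify ;;
    talpa)    echo running-talpa ;;
    *)        echo running-unknown ;;
  esac
}

# live_onaccess_status: the same check against the real host (paths from the thread;
# the journalctl flags are standard but assumed here, not quoted in the thread).
live_onaccess_status() {
  classify_onaccess \
    "$(/opt/sophos-av/bin/savdstatus --verbose 2>/dev/null)" \
    "$(journalctl -u sav-protect --no-pager 2>/dev/null)"
}

# Demonstration on the constructed sample: prints running-fanotify
classify_onaccess "$SAVDSTATUS_SAMPLE" "$JOURNAL_SAMPLE"
```

Running live_onaccess_status on each VM and comparing the verdict with the Central alert separates a genuine local outage from a console-side reporting problem.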

  • Hello,

    Apologies for the delay in getting back to you, this seems like it was a bug we found in the 9.10 installer that was fixed in 9.11.

    Please could you try the latest version and let us know how you get on.

    Thanks,

    Mark

  • Hi Mark,

    Thanks for getting back to me.

    I just downloaded the Linux installer from Sophos Central but it's identical (same md5sum) to the one I used to install these machines... and I have already tried re-running the installer.

    Keith.

  • Hello,

    Are you using cloned machines / Golden images? If so then there is a delay to de-duplicate these machines in Central to show individual machines in the UI.

    This will cause some alerts to appear.

  • I am using a base image to create virtual machines, yes. But on spinning up, each machine registers itself with Sophos Central as part of the creation script, and they're clearly showing as different machines in Sophos Central.

    If there is a delay in catching up, it must be several weeks, as many of these machines have been running for that long now.

    Today, I have 20 machines alerting that there is no real time scanning, according to Sophos Central. But each machine shows that runtime scanning is enabled. I have another 15 servers installed from identical images in identical ways which do not alert.

    Right now I cannot trust alerts from Sophos Central. Which is pretty worrying.

    Keith.