Hi,
I'm getting some seemingly false positive red alerts from Sophos Central. I have a batch of 20-odd Linux virtual machines, all spun up from the same image, running the latest CentOS 7 with all available updates. Most of them are working fine with Sophos, but a few of them (4) are alerting in the Sophos Central console with the message: "Real-time protection has been disabled". The fact that some are behaving differently to others is confusing as they are all built from the same image and should be identical.
I have enabled the 'fanotify' setting as I have a lot of servers to maintain and I don't want gcc on all of them to compile custom libraries. Each server registers with Sophos automatically when created using the /opt/SophosInstall.sh script.
On the machines themselves I have run /opt/sophos-av/bin/savdstatus --verbose and I see this on all machines (alerting or not):
Sophos Linux Security daemon is active
On-access scanning is running
In the systemctl logs for sav-protect I see this:
Sep 23 10:02:46 systemd[1]: Starting "Sophos Linux Security daemon"...
Sep 23 10:02:48 .sav-protect.systemd.prestart.sh[523]: No TBP available, running savupdate:
Sep 23 10:02:53 savd[1590]: savd.daemon: Sophos Linux Security daemon started.
Sep 23 10:02:56 savd[1590]: talpa.startup: Unable to load Talpa modules.
Sep 23 10:03:04 savd[1590]: savd.daemon: On-access scanning enabled using fanotify.
Sep 23 10:03:06 systemd[1]: Started "Sophos Linux Security daemon".
Sep 23 11:03:05 savd[1590]: update.check: Successfully updated Sophos Linux Security from sdds:SOPHOS
It's the same on all servers, whether alerting in Sophos Central or not.
As far as I can see it's all running fine on the servers themselves - I can easily just ignore the alerts, but I am worried that ignoring red alerts is a bad habit to get into, and I would like to understand what's going on here.
Things I have tried:
- Restarting the Linux servers
- Restarting the sav-* services on the Linux servers using systemctl
- Re-registering the machine with the SophosInstall.sh script
- Deleting the machines from Sophos Central and re-registering with the SophosInstall.sh script
None of these seem to help.
Keith.
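One way to compare the local on-access state across the fleet, as an added example that is not part of the original post: it classifies the sav-protect journal lines quoted above and can be run on each VM so the hosts Sophos Central flags can be diffed against those it does not. The "On-access scanning disabled" and "enabled using Talpa" wordings are assumptions; the sample log is constructed from the lines in the post.

```shell
#!/bin/sh
# Added example (not Sophos' own tooling): summarise the local on-access
# state of Sophos Anti-Virus for Linux from its sav-protect journal so the
# hosts alerting in Sophos Central can be compared with the quiet ones.

# Constructed sample journal excerpt, mirroring the lines quoted in the post.
SAMPLE_LOG='Sep 23 10:02:46 systemd[1]: Starting "Sophos Linux Security daemon"...
Sep 23 10:02:56 savd[1590]: talpa.startup: Unable to load Talpa modules.
Sep 23 10:03:04 savd[1590]: savd.daemon: On-access scanning enabled using fanotify.
Sep 23 11:03:05 savd[1590]: update.check: Successfully updated Sophos Linux Security from sdds:SOPHOS'

# classify_onaccess LOGTEXT -> prints one of: fanotify | talpa | disabled | unknown
# The last on-access line wins, so a later "disabled" overrides an earlier
# "enabled". The "Talpa" and "disabled" message texts are assumptions.
classify_onaccess() {
    printf '%s\n' "$1" | awk '
        /On-access scanning enabled using fanotify/ { state = "fanotify" }
        /On-access scanning enabled using Talpa/    { state = "talpa" }
        /On-access scanning disabled/               { state = "disabled" }
        END { print (state == "" ? "unknown" : state) }'
}

# talpa_failed LOGTEXT -> exit 0 if the Talpa kernel modules failed to load.
# Expected when fanotify is in use; worth noting if fanotify is not.
talpa_failed() {
    printf '%s\n' "$1" | grep -q 'Unable to load Talpa modules'
}

# Live check on a host: journal since boot plus savdstatus (path from the post).
# Output is one line per host, easy to collect over ssh and sort/uniq.
local_report() {
    log=$(journalctl -b -u sav-protect --no-pager 2>/dev/null)
    mode=$(classify_onaccess "$log")
    running=$(/opt/sophos-av/bin/savdstatus --verbose 2>/dev/null \
              | grep -c 'On-access scanning is running')
    printf '%s onaccess=%s savdstatus_running=%s\n' "$(hostname)" "$mode" "$running"
}

# Only query the live system when asked; otherwise the functions are just defined.
if [ "${1:-}" = "--live" ]; then
    local_report
fi
```

Run as `sh check-sav.sh --live` on each VM and compare the output lines between alerting and non-alerting hosts.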