I would like to scan each file that gets uploaded via my PHP upload script with the Sophos anti-virus tool. Using savscan each time is very slow, because savscan needs to load virus signatures into memory. Is there a savscan daemon available (such as with the clamd antivirus) so I can check a file without executing savscan each time?
For example, something like clamdscan, which permits scanning files using the ClamAV daemon.
savscan is the only command line manual scan option available in SAV for Linux and Unix; however, I'll still discuss the query once I have an idea about how clamdscan works, so it'd be great if you can explain a bit more about how clamdscan works.
Jasmin, Community Support Engineer | Sophos Support
In the ClamAV antivirus there are two commands:
clamscan /file
and
clamdscan /file
clamscan is exactly the same as savscan. clamscan and savscan are very slow to run because when you start them they need to load the whole signature database into memory. So clamscan and savscan are not good if you need to execute them very often. clamdscan is a clamscan daemon which can be started on request. If the service/daemon is started when I scan files using clamdscan, the behaviour when scanning a file is like with clamscan or savscan, BUT the signatures are already in the daemon's memory, so the scan check returns immediately.
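As an added illustration (not part of the original thread or any poster's code), the daemon model described in the post above looks like this from an upload handler: a minimal Python client for clamd's INSTREAM command, so the signatures are loaded once by the daemon and each upload costs only a socket exchange. The function names and chunk size are assumptions made for this example, and the socket is expected to be already connected to clamd.

```python
import struct

CHUNK = 64 * 1024  # clamd rejects streams larger than its StreamMaxLength setting


def frame_instream(data_stream, chunk_size=CHUNK):
    """Yield the byte frames of a clamd INSTREAM request for a file-like object."""
    yield b"zINSTREAM\0"  # 'z' prefix: command and reply are NUL-terminated
    while True:
        chunk = data_stream.read(chunk_size)
        if not chunk:
            break
        # Each chunk is a 4-byte big-endian length followed by the data.
        yield struct.pack("!I", len(chunk)) + chunk
    yield struct.pack("!I", 0)  # a zero-length chunk ends the stream


def parse_reply(reply):
    """Map a clamd reply to (verdict, detail); anything unexpected is an error."""
    text = reply.rstrip(b"\0\n").decode("utf-8", "replace")
    if text == "stream: OK":
        return ("clean", "")
    if text.startswith("stream: ") and text.endswith(" FOUND"):
        return ("infected", text[len("stream: "):-len(" FOUND")])
    return ("error", text)  # e.g. size limit exceeded, or an empty reply


def scan_upload(sock, data_stream):
    """Send one upload over an already-connected clamd socket, return the verdict."""
    for frame in frame_instream(data_stream):
        sock.sendall(frame)
    reply = b""
    while not reply.endswith(b"\0"):
        part = sock.recv(4096)
        if not part:  # daemon closed the connection early
            break
        reply += part
    return parse_reply(reply)


def accept_upload(sock, data_stream):
    """Fail closed: keep the upload only on an explicit clean verdict."""
    verdict, _detail = scan_upload(sock, data_stream)
    return verdict == "clean"
```

Treating every reply other than an explicit "stream: OK" as a rejection means a daemon outage or a size-limit error never lets an unscanned upload through.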
Thank you for the information.
There are three types of Scanning available in SAV for Linux.
1. Scheduled Scan - Simply scheduled for particular date and time.
2. On-demand Scanning - This can be triggered using the savscan command, which is the manual scanning option for the user and is exactly like the right-click Scan in Windows.
3. On-access Scanning - SAV for Linux performs scanning whenever any file is downloaded to the machine, copied to the machine, or modified and saved.
Whenever you upload any file to the server, it basically gets copied to the machine from another machine, so SAV for Linux will scan that file by default, and if it is malicious, Sophos will delete it and will not allow it to be copied to the machine.
There's SAVDI, the SAV Dynamic Interface, part of the Antivirus SDK. There are some SAVDI-related threads in the Community. It's just that SAVDI is, AFAIK, available with certain licenses (don't ask me which ones).
Does it include checks for email, archives ... because I need to execute a full scan? If not, this solution is not good.
Would you please clarify: when you say email or archive, are you pointing towards the .pst file or .ost file of the mailbox?
I'm talking about the savscan -f option, which scans all kinds of files (email and archives included).
This command is for the full system scan and it will scan single email/archives copied to the machine, it will not scan your mailbox on the machine.
Please provide me with a link to any document which states that mailbox will be scanned with full scan.
"the savscan -f option which scans all kinds of files"
Excuse me, but there seems to be some misunderstanding. This is not what -f does. From the savscan/scheduled scan comparison chart: "Only the -f option performs a full scan while [...] a quick scan of infectable file parts is done by default." In other words, -f requests in-depth scanning that takes longer and requires more resources, and it's normally not necessary. It doesn't result in a scan of all files or e.g. a scan inside archives. Also note that a full scan doesn't mean that containers are unpacked and decoded and subsequently scanned. There is, AFAIK, no all-guns-blazing switch. Thus perhaps even if there were a savdscan it might not do what you expect.
"you want to scan each file that gets uploaded"
The files are then made available for other users to download, or? Just asking because I want to understand the requirement for the extensive scanning.
SAVDI: As mentioned above, there is no CLI interface to the daemon. Normally you have some server application that needs to scan files. It doesn't make much sense to use another intermediate - in other words an API-interface-interface. SAVDI is already a frontend to SAVI API.