This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

savscan / via socket ?

Hello

I would to scan each file that gets uploaded via my php upload script with Sophos anti-virus tool.

Using savscan each time is very slowwww , because savscan needs to load virus signatures in memory .
Is available a savscan daemon (such as with clamd antivirus) so I can check a file without executing each time savscan ?

 

Thank you!

 

  • Add to Phrasebook
     
    • No word lists for English -> Italian...
       
    • Create a new word list...
  • Copy


This thread was automatically locked due to age.
Parents
  • for example something like clamdscan which permits to scan files using the clamAV daemon.

  • Hi  

    savscan is the only command line manual scan option available in the SAV for Linux and Unix, however, I'll still discuss the query once I have an idea about how Clamdscan works so it'd great if you can explain a bit more about how clamdscan works. 

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Sure

     

    In clamAV antivirus there are two commands

    clamscan /file

    and

    clamdscan /file


    clamscan is exactly the same of savscan .  clamscan and savscan are very slow to run because when you start them they need to load in memory all signature database.
    So clamscan and savscan are not good if you need to execute them very often .

    clamdscan is a clamscan daemon which can be started on request .
    If the service/daemon is started when I scan files using clamdscan the behaviour to scan a file is like with clamscan or savscan,
    BUT the signatures are already in daemon memory, so the scan check returns immediately .






    • Add to Phrasebook
       
      • No word lists for English -> Italian...
         
      • Create a new word list...
    • Copy
  • Hi  

    Thank you for the information.

    There are three types of Scanning available in SAV for Linux.

    1. Scheduled Scan - Simply scheduled for particular date and time.

    2. On-demand Scanning - This can be triggered using savscan command which is manually scanning option for the user which is exactly the right click Scan in Windows.

    3. On-access Scanning - SAV for Linux performs scanning whenever any file is getting a download on the machine, or copied to machine or you modify any file and save it.

    Whenever you are uploading any file to the server which is basically gets copied to the machine from another machine, SAV for Linux will scan that file by default and it is malicious, Sophos will delete it and will not allow it to be copied on the machine.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

Reply
  • Hi  

    Thank you for the information.

    There are three types of Scanning available in SAV for Linux.

    1. Scheduled Scan - Simply scheduled for particular date and time.

    2. On-demand Scanning - This can be triggered using savscan command which is manually scanning option for the user which is exactly the right click Scan in Windows.

    3. On-access Scanning - SAV for Linux performs scanning whenever any file is getting a download on the machine, or copied to machine or you modify any file and save it.

    Whenever you are uploading any file to the server which is basically gets copied to the machine from another machine, SAV for Linux will scan that file by default and it is malicious, Sophos will delete it and will not allow it to be copied on the machine.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

Children
  • Whenever you are uploading any file to the server which is basically gets copied to the machine from another machine, SAV for Linux will scan that file by default and it is malicious, Sophos will delete it and will not allow it to be copied on the machine.

    >

    does it includes check for email , archives ... because I need to execute a full scan ? If no, this solution is not good.

     

     

  • Hi  

    Would you please suggest when you say email or archive, you are pointing it towards the .pst file or .ost file of the mailbox?

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • I'm talking about the savscan -f option which scan all kinds of files (email and archive included) .

  • Hi  

    This command is for the full system scan and it will scan single email/archives copied to the machine, it will not scan your mailbox on the machine.

    Please provide me with a link to any document which states that mailbox will be scanned with full scan.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Hello Kaneki,

    the savscan -f option which scan all kinds of files
    excuse me, but there seems to be some misunderstanding. This is not what -f does. From the savscan/scheduled scan comparison chart: Only the -f option performs a
    full scan while [...] a quick scan of infectable file parts is done by default. In other words, -f requests in-depth scanning that takes longer and requires more resources - and it's normally not necessary. It doesn't result in a scan of all files or e.g. a scan inside archives. Also note that a full scan doesn't mean that containers are unpacked and decoded and subsequently scanned. There is, AFAIK, no all guns blazing switch.
    Thus perhaps even if there were a
    savdscan it might not do what you expect.

    you want to scan each file that gets uploaded
    the files are then made available for other users to download, or? Just asking because I want to understand the requirement for the extensive scanning.

    SAVDI: As mentioned above, there is no CLI interface to the daemon. Normally you have some server application that needs to scan files. It doesn't make much sense to use another intermediate - in other words an API-interface-interface. SAVDI is already a frontend to SAVI API.

    Christian