This discussion has been locked.

SAVDI File Scanning - EICAR file

Hi,

We use SAVDI to scan all files being uploaded, and if the EICAR file signature exists in the file (not at the beginning of the file), the file passes the scan.

Attached is the conf file for the SAVDI settings.

# No of worker threads to start up

threadcount: 5

# Where to find the virus data if it is held somewhere other than normal
# These options can be specified under the SAVI configuration but that
# is not advised.

#virusdatadir: C:\Program Files\Sophos\Sophos Anti-Virus
#virusdataname: vdl
#idedir: C:\Program Files\Sophos\Sophos Anti-Virus

# What to do when the daemon must exit
# Options are:-
#     DONTWAIT (just exit now!)
#     REQUEST  (wait for current requests to complete)
#     SESSION  (wait for current sessions to complete)
# Case 1) An exception has occurred and operation could be compromised
onexception: REQUEST

# Case 2) A request has been made for it to exit
# If there are long running sessions then REQUEST should be considered
onrequest: SESSION

log {
    # Specify the logging mechanism {CONSOLE|FILE|SYSLOG}
    type: FILE

    # Where to write the log files (if FILE is selected)
    logdir: C:\ProgramData\Sophos\SAV Dynamic Interface\Logs\

    # Specify the level of logging required
    # 0 = errors+threats
    # 1 = (0) + process events
    # 2 = (1) + session events

    loglevel: 0
}

# A number of channels are included here as samples, new channels may
# be added, others removed. There needs to be at least one of course.
# Unwanted channels should be removed.
#

# Define a channel for ICAP over IP

channel {

        # Send to the log requests received from clients
        # For debugging. Default: NO
        # logrequests: YES

    commprotocol {
        type: IP

        # IP Address to listen on, default is 0.0.0.0 (any)
        # address: 127.0.0.1
        port: 1344

        # Subnet of acceptable client IP addresses.
        # Default is to accept from any client.
        # subnet: 127.0.0.1/24

        # idle timeout in secs when waiting for a request
        # 0 is forever. Default: 0
        # requesttimeout: 120

        # timeout in secs between characters when sending data
        sendtimeout: 2

        # idle timeout in secs between characters when receiving data
        recvtimeout: 10
    }

    service {
        # The name of the service, arbitrary as long as the client
        # uses the same name.
        name: avscan

        # The type of service, for now can only be avscan
        type: avscan

        scanprotocol {
            # The type of protocol in use. Can only be ICAP.
            type: ICAP

            # Version of the configuration for this service.
            # Update when changes are made that may alter the
            # result returned to the client. Default: XXX
            version: 1.01

            # Objects sent for scanning can be retained if they are
            # infected or cause the service a problem. Allowed values
            # are NONE, MALWARE, PROBLEM, ALL. ALL meaning both
            # MALWARE and PROBLEM. Default: NONE
            # retain: NONE

            # A list of file extensions for files which the client
            # should not send to this server. The list is sent as-is
            # to the client. See ICAP Transfer-Ignore header. A
            # Transfer-Complete: * header is automatically added.
            # Default is none.
            # dontsend: .jpg, .gif, .bmp, .tiff

            # 204 is the ICAP code indicating that the object
            # sent for processing is unmodified and OK and will
            # not be returned to the client. Default: NO
            # allow204: NO

            # Don't automatically close the connection after a
            # transaction. Default: NO
            keepalive: YES

            # Maximum permitted size, in bytes, of the body in a request.
            # Zero is no limit. Default: 0
            # maxbodysize: 0

            # Maximum amount of memory, in bytes, to use for an object, before
            # putting it into a temporary file. Default: 1000000
            #maxmemorysize: 1024

            # Maximum size of the chunks, in bytes, for returned data, 0 is
            # no maximum. Default: 0
            # maxchunksize: 0

            # Where to place and name temporary files
            # Default: <standard temp directory>/SAVDI_
            # On *nix systems: /var/tmp/SAVDI_
            tmpfilestub: C:\ProgramData\Sophos\SAV Dynamic Interface\Temp\icap_

            # The block-* options determine what to do with files
            # that result in some sort of error.
            # Any of these files may be infected.
            # NB Files identified as malware are always blocked.

            # Treat zip-bombs as malignant. Zip-bombs are compressed
            # files that have many files which are very highly
            # compressed. They are intended to either deny use of
            # a scanner by keeping it occupied for excessive periods
            # or use excessive resources, such as disc space on the
            # end-point. Default: YES
            # block-bombs: YES

            # Block encrypted files. Encrypted files cannot be scanned
            # and may harbour malware. Default: NO
            # block-encrypted: NO

            # Block corrupt files. Some files are simply corrupt, others
            # may not conform to the standard, or one of its known
            # variants, but may still be usable. Default: NO
            # block-corrupt: NO

            # Block timeouts. It took too long to scan the file and
            # the scan was terminated early. (See the maxscantime
            # option in the scanner section.) Default: YES
            # block-timeouts: YES

            # The AV engine returned some other error. Scanning of the
            # file possibly did not complete. Default: YES
            # block-errors: YES

            # The AV engine caused an exception. Exceptions can be
            # considered as errors that were not caught in time.
            # Scanning of the file did not complete. Default: YES
            # block-exceptions: YES

            # At least one client (c-icap) seems to always expect a
            # body, even an empty one. Default: NO
            # forceemptybody: YES
        }

        scanner {
            # See the SAVDI documentation for details for configuring
            # SAVI

            type: SAVI
            inprocess: YES

            # Turn on auto-stop, ie zip-bomb detection
            savists: enableautostop 1

            # Turn on most of the other options
            savigrp: grpsuper 1

            # Limit the time taken to scan a file to this number of seconds
            # Zero is forever. Default: 0
            # maxscantime: 0
        }
    }
}

#
# Define a channel using a named pipe for SSSP
#

channel {

    commprotocol {
        type: Pipe

        # Both forms are acceptable
        # name: \\.\pipe\avscan		# A server must specify \\.\
        name: avscan

        # timeout in secs when sending data
        sendtimeout: 2

        # idle timeout in secs when receiving data
        recvtimeout: 60
    }

    scanprotocol {
        type: SSSP

        # Do we allow the client to use SCANFILE?
        allowscanfile: SUBDIR

        # Do we allow the client to use SCANDATA?
        allowscandata: YES

        # If SCANDATA is allowed:-
        # maximum amount of data, in bytes, the client can send
        maxscandata: 2000000
        # maximum amount, in bytes, to be held in memory before using a temp file
        maxmemorysize: 250000
        # path name and stub for generating temp file names.
        tmpfilestub: C:\ProgramData\Sophos\SAV Dynamic Interface\Temp\savid_tmp

        # Log each request made by a client?
        # logrequests: YES
    }

    scanner {
        # type and inprocess can only be SAVI and YES for now
        type: SAVI
        inprocess: YES

        # Max time to be allowed for scanning a single file
        maxscantime: 3

        # Max time in seconds to be allowed to complete a request
        maxrequesttime: 10

        # Some SAVI/Engine options
        savigrp: GrpArchiveUnpack 0
        savigrp: GrpInternet 1
        savists: Xml 1
    }
}

#
# Define an IP channel for SSSP
#

channel {

    commprotocol {
        type: IP

        # IP Address to listen on, default is 0.0.0.0 (any)
        # Note the combination of the wildcard address and a
        # non-special port no is not secure

        address: 0.0.0.0
        port: 4010

        # Subnet of acceptable client IP addresses
        # subnet: 172.18.32.26/30

        # timeout in secs when sending data
        sendtimeout: 2

        # idle timeout in secs when receiving data
        recvtimeout: 60
    }

    scanprotocol {
        type: SSSP

        # Do we allow the client to use SCANFILE?
        allowscanfile: NO

        # Do we allow the client to use SCANDATA?
        allowscandata: YES

        # If SCANDATA is allowed:-
        # maximum amount of data, in bytes, the client can send
        maxscandata: 500000000
        # maximum amount, in bytes, to be held in memory before using a temp file
        maxmemorysize: 250000
        # path name and stub for generating temp file names.
        tmpfilestub: C:\ProgramData\Sophos\SAV Dynamic Interface\Temp\savid_tmp

        # Log each request made by a client?
        # logrequests: YES
    }

    scanner {
        # type and inprocess can only be SAVI and YES for now
        type: SAVI
        inprocess: YES

        # Max time to be allowed for scanning a single file
        maxscantime: 3

        # Max time in seconds to be allowed to complete a request
        maxrequesttime: 10

        # Some SAVI/Engine options
        savigrp: GrpArchiveUnpack 0
        savigrp: GrpInternet 1
        savists: Xml 1
    }
}

# Define an IP channel for localhost

channel {

    commprotocol {
        type: IP

        # Note the combination of the wildcard address and a
        # non-special port no is not secure

        address: 127.0.0.1
        port: 4010
        # subnet: 127.0.0.1/24

        sendtimeout: 2
        recvtimeout: 2
    }

    scanprotocol {
        type: SSSP

        # Normally should be NO for an IP connection
        allowscanfile: SUBDIR

        allowscandata: YES

        # If SCANDATA is allowed:-
        # maximum amount of data, in bytes, the client can send
        maxscandata: 500000000
        # maximum amount, in bytes, to be held in memory before using a temp file
        maxmemorysize: 250000
        # path name and stub for generating temp file names.
        tmpfilestub: C:\ProgramData\Sophos\SAV Dynamic Interface\Temp\savid_tmp

        # logrequests: YES
    }

    scanner {
        type: SAVI
        inprocess: YES

        # Max time to be allowed for scanning a single file
        maxscantime: 3

        # Max time in seconds to be allowed to complete a request
        maxrequesttime: 10

        savigrp: GrpArchiveUnpack 0
        savigrp: GrpInternet 1
    }
}

# Define an IP channel for localhost for Sophie

channel {

    commprotocol {
        type: IP

        # Note the combination of the wildcard address and a
        # non-special port no is not secure

        address: 127.0.0.1
        port: 4009
        # subnet: 127.0.0.1/24

        sendtimeout: 2
        recvtimeout: 2
    }

    scanprotocol {
        type: SOPHIE

        allowscandir: DIR
        # logrequests: YES
    }

    scanner {
        type: SAVI
        inprocess: YES

        # Max time to be allowed for scanning a single file
        maxscantime: 3

        # Max time in seconds to be allowed to complete a request
        maxrequesttime: 10

        savigrp: GrpArchiveUnpack 0
        savigrp: GrpInternet 1
    }
}

Thanks
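A note on the listener settings in the posted savdid.conf, separate from the EICAR question: the "Define an IP channel for SSSP" channel binds address 0.0.0.0 on port 4010 with its subnet line commented out, and the localhost SSSP channel sets allowscanfile: SUBDIR although the file's own comment says this "Normally should be NO for an IP connection". The config's comments also warn that a wildcard address on a non-special port "is not secure". The fragment below is an added example, not part of the original post or of Sophos's sample file; it reuses only keys already present in the posted config, and the subnet value is the one from the config's own commented example, so replace it with the address range of your upload servers.

```text
# Same SSSP-over-IP channel as posted, with the restrictions the config's
# own comments describe. Added example; not from the original post.
channel {
    commprotocol {
        type: IP
        # Prefer the loopback address when the upload server runs on this host.
        address: 127.0.0.1
        port: 4010
        # If remote upload servers must reach SAVDI, bind the wildcard address
        # only together with a client subnet (range taken from the posted
        # example; substitute your own):
        # address: 0.0.0.0
        # subnet: 172.18.32.26/30
        sendtimeout: 2
        recvtimeout: 60
    }
    scanprotocol {
        type: SSSP
        # SCANFILE asks the daemon to scan a path it can reach itself;
        # keep it off for IP channels, as the posted comment advises.
        allowscanfile: NO
        allowscandata: YES
        # Size this to the largest upload you actually accept.
        maxscandata: 500000000
        maxmemorysize: 250000
        tmpfilestub: C:\ProgramData\Sophos\SAV Dynamic Interface\Temp\savid_tmp
    }
    scanner {
        type: SAVI
        inprocess: YES
        maxscantime: 3
        maxrequesttime: 10
        savigrp: GrpArchiveUnpack 0
        savigrp: GrpInternet 1
        savists: Xml 1
    }
}
```

Note that the posted file defines two channels on port 4010 (one on 0.0.0.0, one on 127.0.0.1); check the SAVDI log at startup to confirm which of them actually bound.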



  • Hello RajeshSV ,

    the EICAR test file is, as suggested by the .com extension and as you can read at eicar.org, indeed an executable. Thus, if it is not at the beginning of the file, the file is either not considered infectible at all or the string is at a position where it "can do no harm". Thus it's correct (if all the malicious content there is is this string) that the scanner does not flag the files.

    Christian
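The placement rule behind this answer is precise: eicar.org defines the test file as the 68-byte string at offset 0, optionally followed by whitespace, with a total length of at most 128 bytes, and a scanner may ignore the string anywhere else. The script below is an added example for this thread, not code from the original post or from Sophos. It checks a blob against that rule, and it also drives a real SCANDATA scan over SSSP so the same blobs can be sent to SAVDI for comparison. Assumptions: the 127.0.0.1:4010 target comes from the localhost SSSP channel in the posted config; the SSSP line formats (OK SSSP/1.0, ACC, VIRUS, DONE) are the author's reading of the SSSP documentation and should be checked against the docs shipped with your SAVDI version; the sample reply bytes and the detection name EICAR-AV-Test in them are constructed for illustration.

```python
"""EICAR placement check plus a minimal SSSP SCANDATA client for SAVDI.

Added example for this thread; not code from the original post or from
Sophos. The SSSP framing is written from the author's reading of the SSSP
documentation (assumption): verify it against your SAVDI version's docs.
"""
import socket
from typing import List, Tuple

# The 68-byte EICAR test string. Python escapes the backslash, so the
# exact 68 bytes do not appear in this source file, and it is not at
# offset 0 either, so this script is not itself a test file.
EICAR = (b"X5O!P%@AP[4\\PZX54(P^)7CC)7}"
         b"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")

# Whitespace eicar.org allows after the string: space, tab, LF, CR, Ctrl-Z.
_EICAR_TRAILER = b" \t\n\r\x1a"


def is_valid_eicar_file(data: bytes) -> bool:
    """True only for a file eicar.org defines as a test file: the 68-byte
    string at offset 0, at most 128 bytes in total, and nothing but the
    allowed whitespace after it. A scanner may ignore the string anywhere
    else, which is why a file with EICAR embedded mid-way passes the scan."""
    if len(data) > 128 or not data.startswith(EICAR):
        return False
    return all(b in _EICAR_TRAILER for b in data[len(EICAR):])


def parse_sssp_scan_reply(reply: bytes) -> Tuple[bool, List[str], str]:
    """Parse the lines SAVDI returns after a SCANDATA body.

    Expected shape (assumption from the SSSP docs):
        ACC <request id>
        VIRUS <detection name> <object>      zero or more
        OK 0203 ...                          optional
        DONE OK 0203 Virus found during virus scan
    Returns (infected, detection names, DONE line).
    """
    names: List[str] = []
    done = ""
    for raw in reply.splitlines():
        line = raw.decode("ascii", errors="replace").strip()
        if line.startswith("VIRUS "):
            names.append(line.split(" ", 2)[1])
        elif line.startswith("DONE "):
            done = line
    return bool(names), names, done


def _expect(f, prefix: bytes) -> bytes:
    """Read one reply line and fail loudly if it does not start with prefix."""
    line = f.readline()
    if not line.startswith(prefix):
        raise RuntimeError(f"expected {prefix!r}, got {line!r}")
    return line


def sssp_scandata(data: bytes, host: str = "127.0.0.1", port: int = 4010,
                  timeout: float = 10.0) -> Tuple[bool, List[str], str]:
    """Submit data over SSSP with SCANDATA (allowscandata: YES in the posted
    config) and return parse_sssp_scan_reply() of the server's answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("rwb")
        _expect(f, b"OK SSSP/1.0")                     # server greeting
        f.write(b"SSSP/1.0\r\n"); f.flush()            # version handshake
        _expect(f, b"ACC")
        f.write(b"SCANDATA %d\r\n" % len(data)); f.flush()
        _expect(f, b"ACC")                             # ready for the body
        f.write(data); f.flush()
        lines = []
        while True:
            line = f.readline()
            if not line:
                raise RuntimeError("connection closed before DONE")
            lines.append(line)
            if line.startswith(b"DONE "):
                break
        f.write(b"BYE\r\n"); f.flush()
    return parse_sssp_scan_reply(b"".join(lines))


if __name__ == "__main__":
    # Valid test file vs. the embedded form from the original post
    # (constructed sample inputs).
    good = EICAR + b"\r\n"
    embedded = b"%PDF-1.4 harmless header\n" + EICAR + b"\nmore content\n"
    print("valid EICAR file:", is_valid_eicar_file(good))            # True
    print("EICAR embedded mid-file:", is_valid_eicar_file(embedded))  # False
    for label, blob in (("valid", good), ("embedded", embedded)):
        try:
            print(label, "->", sssp_scandata(blob))
        except OSError as exc:
            print(label, "-> no SAVDI reachable:", exc)
```

Run it on the SAVDI host: the valid blob should come back with a VIRUS line and a DONE line reporting a detection, while the embedded blob should come back clean, which is the behaviour the original post observed and this answer explains. If the valid blob also comes back clean, the problem is not EICAR placement but the scanner or its virus data.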

  • Hi Christian

    Thanks for the reply. However, when our testers used another file that was being flagged as malware by the endpoint agent, it was not flagged by SAVDI. Below is the screenshot of the log that was returned from the scan.

    [Screenshot: SAVDI scan log returned from the scan]

    Also, from the screenshot you can see that SAVDI says "initialized with old virus data", and as per the documentation it's supposed to update the definitions automatically when you have Sophos Endpoint installed on the same machine where SAVDI is installed. However, from the logs this does not seem to happen. How do we go about identifying why this is happening?

    Rajesh

  • Hello Rajesh,

    By the endpoint agent on the same machine (BTW: Linux or Windows)? Is virusdatadir in savdid.conf pointing to the correct directory (the one that Endpoint uses and updates)?

    Christian  
