I am slowly deploying the Sophos Protection agent for Linux on RHEL 7.9 / 8.5 / 8.6 servers and I noticed that the REAL-TIME SCAN is disabled / set to NO on the Sophos Central interface. I have tried looking at the Sophos documentation, but most of the docs still reference the legacy-based agent. How can I enable the real-time scan for Linux servers, "if" it is supported?
Hello Kapildev Khemraj, thank you for reaching out to the Sophos community forum. The legacy feature, on-access scanning, is currently not available in SSPL. It uses runtime detection to provide ongoing protection based on behavioral detections done by the sensor. Sophos Protection for Linux is a next-generation product designed to block threats intelligently using advanced deep learning and machine learning techniques. This allows Sophos to add an option to initiate an on-demand scan from Sophos Central whenever scanning is necessary.
Thank you for your reply and your clarification for me, I greatly appreciate it. For my clarification, the Runtime detection is akin to the legacy real-time scan, correct? That would mean, if someone uploads a file to a Linux server, Sophos Protection for Linux Agent would scan the said file to validate it is ok and does not contain any malware and this would be done in real time? Is there any deep dive tech doc that talks about how the Runtime detection operates that you are aware of and can share? Thank you again for your clarification.
No, the runtime detection mainly focuses on the existing processes which are running on the system and bases its detection method on behavioral detection done by the sensor. It'll trigger when the file/application opens, by checking its running process, unlike real-time scanning, which scans the newly uploaded file right on the spot upon receipt on the system.
Hello, I don't get it, the old product had real-time protection and the new one doesn't? How is it better? If I upload an EICAR file on my server with the new protection it's not even blocked... Please explain.
I agree, how would this method be considered better. I just tried the EICAR file (uploaded it to my test server) and it did get flagged via the on-demand scan, but was not flagged otherwise. Is the expectation that we schedule a scan all the time? If the said malware became "active", then would it get flagged?
What most vendors call(ed) real-time (just-in-time would arguably be more suitable) was termed on-access by Sophos. File open and file close-after-write triggered a scan. The major drawback of this method is that it needs a file in the first place. Once it missed some rogue item that, when started, (down)loaded and executed malware without writing to disk, it was pretty much helpless. Therefore vendors augmented the RT scan with download scan and behaviour monitoring. The latter, although with a different technology, is the essential part of the run-time detection.
"how would this method be considered better. I just tried the EICAR file (uploaded it to my test server)"
The key point is that RT scanning was never meant as a convenience for application developers that saves them using an API and programming scan requests. It wasn't good practice anyway. The application sees just an access error when it tries to read the file it thinks it has written.
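The two mechanisms contrasted in the replies above, as an added Python illustration that is not from the thread and does not model Sophos' own scanner or its runtime detection: a toy signature check keyed on the standard EICAR test string, a simulated close-after-write on-access hook that removes a flagged file and surfaces only an access error to the writer, and an on-demand walk that sees whatever already sits on disk. File names, the `demo` scenario and the clean sample content are constructed.

```python
import tempfile
from pathlib import Path

# The standard EICAR anti-virus test string (harmless by design; published by EICAR).
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def is_flagged(path: Path) -> bool:
    """Toy signature check: a file whose leading bytes are the EICAR string."""
    with open(path, "rb") as f:
        return f.read(len(EICAR)) == EICAR


def on_demand_scan(root: Path) -> list:
    """On-demand scan: walks files that are already on disk when the scan runs."""
    return sorted(p.name for p in root.iterdir() if p.is_file() and is_flagged(p))


def write_with_on_access(path: Path, data: bytes) -> None:
    """Simulated close-after-write on-access hook: closing the written file triggers
    a scan; a flagged file is removed and the writer only sees an access error."""
    with open(path, "wb") as f:
        f.write(data)
    if is_flagged(path):
        path.unlink()
        raise PermissionError(f"on-access: {path.name} blocked by signature")


def demo(root=None) -> dict:
    """Constructed scenario: a clean file and an EICAR file land on disk with no hook
    (as a plain upload would), then a second EICAR write goes through the hook."""
    root = Path(root) if root else Path(tempfile.mkdtemp())
    (root / "notes.txt").write_bytes(b"quarterly report draft\n")
    (root / "eicar.com").write_bytes(EICAR)
    result = {"on_demand_hits": on_demand_scan(root)}
    try:
        write_with_on_access(root / "eicar2.com", EICAR)
        result["on_access_blocked"] = False
    except PermissionError:
        result["on_access_blocked"] = True
    result["blocked_file_exists"] = (root / "eicar2.com").exists()
    return result


if __name__ == "__main__":
    print(demo())  # {'on_demand_hits': ['eicar.com'], 'on_access_blocked': True, 'blocked_file_exists': False}
```

Note that `on_demand_scan` reports the EICAR file only because it was written to disk; a payload that is loaded and executed without ever touching the filesystem, as the reply above describes, is invisible to both paths here.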
Hello, thank you for this information. Do you know how we can test the on-access protection on our servers then?
Hello Léo Bailly,
there is no longer any on-access scanning in SSPL. The OP noticed that the REAL-TIME SCAN is disabled. This is because the Central-managed SAV for Linux 10.x still has it, but like the on-premise SAV 9.x it'll be EOL July 2023. Guess the Central UI will be updated accordingly.
Again, on-access scanning is gone for good; there is nothing you can test.
Sorry, I meant how do I test the runtime detection?
Well, guess (suspect) use of tools like nmap or SAINT might trigger at least a warning.