This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Protection for Linux ral-time scan is disabled, set to "No"

Greetings,

I am slowly deploying the Sophos Protection agent for Linux on RHEL 7.9 / 8.5 / 8.6 servers and I noticed that the REAL-TIME SCAN is disabled / set to NO on the Sophos Central interface.  I have tried looking at the Sophos documentation, but most of the docs still reference the legacy based agent.  How can I enable the real-time scan for linux servers, "if" it is supported.



This thread was automatically locked due to age.
Parents
  • Hello ,

    Thank you for reaching out to Sophos community forum. The Legacy feature on-access scanning is currently not available in SSPL. It uses Runtime detection to provide ongoing protection based on behavioral detections done by the sensor. Sophos Protection for Linux is a next-generation product designed to block threats intelligently using advanced deep learning and machine learning technique. This allows Sophos to add an option to initiate an On-Demand scan from Sophos Central anytime when scanning is necessary.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hello ,

    Thank you for your reply and your clarification for me, I greatly appreciate it.  For my clarification, the Runtime detection is akin to the legacy real-time scan, correct?  That would mean, if someone uploads a file to a Linux server, Sophos Protection for Linux Agent would scan the said file to validate it is ok and does not contain any malware and this would be done in real time?  Is there any deep dive tech doc that talks about how the Runtime detection operates that you are aware of and can share?  Thank you again for your clarification.

  • No, the runtime detection mainly focuses on the existing process which is running on the system and will base its detection method on behavioral detection done by the sensor. It’ll trigger when the file/application opens by checking its running process. Unlike real-time scanning, which will scan the newly uploaded file right on the spot upon received on the system. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hello, I don't get it, the old product had real-time protection and the new one doesn't ? How is it better ? If I upload a EICAR file on my server with the new protection it's not even blocked... Please explain

  • I agree, how would this method be considered better.  I just tried the EICAR file (uploaded it to my test server) and it did get flagged via the on-demand scan, but was not flagged otherwise.  Is the expectation that we schedule a scan all the time?  If the said malware became "active", then would it get flagged?

  • Hello all,

    what most vendors call(ed)  real-time  ( just-in-time  would arguably be more suitable) was termed  on-access  by Sophos. File open and file close-after-write triggered a scan. The major drawback of this method is that it needs a file in the first place. Once it missed some rogue item that when started (down)loaded and executed malware without writing to disk it was pretty much helpless. Therefore vendors augmented the RT scan with download scan and behaviour monitoring. The latter, although with a different technology, is the essential part of the run-time detection.

    how would this method be considered better.  I just tried the EICAR file (uploaded it to my test server)
    The key point is that RT scanning was never meant as a convenience for application developers that saves them using an API and programming scan requests. It wasn't good practice anyway. The application sees just an access error when it tries to read the file it thinks it has written. 

    Christian 

Reply
  • Hello all,

    what most vendors call(ed)  real-time  ( just-in-time  would arguably be more suitable) was termed  on-access  by Sophos. File open and file close-after-write triggered a scan. The major drawback of this method is that it needs a file in the first place. Once it missed some rogue item that when started (down)loaded and executed malware without writing to disk it was pretty much helpless. Therefore vendors augmented the RT scan with download scan and behaviour monitoring. The latter, although with a different technology, is the essential part of the run-time detection.

    how would this method be considered better.  I just tried the EICAR file (uploaded it to my test server)
    The key point is that RT scanning was never meant as a convenience for application developers that saves them using an API and programming scan requests. It wasn't good practice anyway. The application sees just an access error when it tries to read the file it thinks it has written. 

    Christian 

Children