Sophos Protection for Linux ral-time scan is disabled, set to "No"

Hello Kapildev Khemraj,

Thank you for reaching out to Sophos community forum. The Legacy feature on-access scanning is currently not available in SSPL. It uses Runtime detection to provide ongoing protection based on behavioral detections done by the sensor. Sophos Protection for Linux is a next-generation product designed to block threats intelligently using advanced deep learning and machine learning technique. This allows Sophos to add an option to initiate an On-Demand scan from Sophos Central anytime when scanning is necessary.

Hello GlennSen,

Thank you for your reply and your clarification for me, I greatly appreciate it.  For my clarification, the Runtime detection is akin to the legacy real-time scan, correct?  That would mean, if someone uploads a file to a Linux server, Sophos Protection for Linux Agent would scan the said file to validate it is ok and does not contain any malware and this would be done in real time?  Is there any deep dive tech doc that talks about how the Runtime detection operates that you are aware of and can share?  Thank you again for your clarification.

No, the runtime detection mainly focuses on the existing process which is running on the system and will base its detection method on behavioral detection done by the sensor. It’ll trigger when the file/application opens by checking its running process. Unlike real-time scanning, which will scan the newly uploaded file right on the spot upon received on the system. 

Hello, I don't get it, the old product had real-time protection and the new one doesn't ? How is it better ? If I upload a EICAR file on my server with the new protection it's not even blocked... Please explain

I agree, how would this method be considered better.  I just tried the EICAR file (uploaded it to my test server) and it did get flagged via the on-demand scan, but was not flagged otherwise.  Is the expectation that we schedule a scan all the time?  If the said malware became "active", then would it get flagged?

Hello all,

what most vendors call(ed)  real-time  ( just-in-time  would arguably be more suitable) was termed  on-access  by Sophos. File open and file close-after-write triggered a scan. The major drawback of this method is that it needs a file in the first place. Once it missed some rogue item that when started (down)loaded and executed malware without writing to disk it was pretty much helpless. Therefore vendors augmented the RT scan with download scan and behaviour monitoring. The latter, although with a different technology, is the essential part of the run-time detection.

how would this method be considered better.  I just tried the EICAR file (uploaded it to my test server)
The key point is that RT scanning was never meant as a convenience for application developers that saves them using an API and programming scan requests. It wasn't good practice anyway. The application sees just an access error when it tries to read the file it thinks it has written. 

Christian 

Hello, thank you for these informations, do you know how we can test the on-access protection on our servers then ?

Hello Léo Bailly,

there is no longer an on-access scanning in SSPL. The OP noticed that the REAL-TIME SCAN is disabled. This is because the Central-manged SAV for Linux 10.x still has it - but like the on-premise SAV9.x it'll be EOL July 2023. Guess the Central UI will be updated accordingly.

Again, on-access scanning is gone for good - there is nothing you can test.

Christian

Sorry I meant how do I test the runtime detection ?

Hello Léo Bailly,

well, guess (suspect) use of tools like nmap or SAINT might trigger at least a warning.  

Christian

Hello Léo Bailly,

well, guess (suspect) use of tools like nmap or SAINT might trigger at least a warning.  

Christian