multiple vendors AV on single user device

hi 

I have a requirement to have two layers of AV on a single user device. I already use a different vendor from Sophos for the primary solution, but was wondering if Sophos would be a good pick for the secondary check.

Obviously, not all AV products can sit together on a single Windows desktop, and they may cause performance problems.

My thinking was to have the second product as a command-line-only solution, called from a script after the first vendor's sweep has executed.

I know Sophos has a command line tool and I hope this could be used. Before I can test this I have the following questions...

1) How would a command-line-only Sophos solution stay up to date signature-wise? A lot of command-line-only AV products are for a standalone environment and do not have a backend infrastructure. I would prefer a pull solution from the desktop to check for DAT updates etc.; I don't want our sys man solution pushing this.

2) Is the Sophos signature digitally signed?

thanks all

fox



  • Hello fox,

    While you can use as many products as you can get your hands on to perform on-demand (or scheduled) scans, you should really use only one to perform on-access scanning (Sophos refuses to install if it detects a competitor or even traces thereof), as not only does performance suffer but they will interfere with and, in the worst case, block each other.

    Sounds like a management requirement anyway. Assuming that the "device" is "on the net" and that the "live" (or on-access as it's called here) scanner fails to identify a threat and it creeps in, an on-demand scan will probably come too late (although it might help cleaning up the mess).

    If you only want to run the command line scanner you can do so from a network drive. No need to install, it won't refuse to run, and it is kept up to date by the computer hosting the share. All this of course assuming the "device" is sufficiently clean.

    "this being called from a script after the first vendors sweep has executed"

    So what you have in mind is: use the first product's on-access scanning and also perform a (full) scan at regular intervals (daily? weekly? ...) and afterwards perform a scan with a second product? Or am I mistaken? Depending on the size of the disk(s) this might take quite some time.

    "Is the sophos signature digitally signed?"

    I'm sure I do not understand this question (or the underlying concerns). Could you explain?

    Christian

  • Hi Christian, thanks for the reply.

    The device requires a second vendor to scan a certain folder on the PC before it is permitted to write the data to a CD. This is a fixed requirement to allow export of data off the network.

    I have to have a secondary AV client. Avira told me they could do it, but their command line client cannot check for or pull down signature updates; you can only push them to the desktop, which I want to avoid.

    In an ideal world the user clicks go on the folder they want to export. The primary AV app checks with its central server to see if it's up to date, then scans the user's folder (that is working now). If successful, the second AV client, which is a command line tool, scans the folder, but only after it has also checked if it's up to date; if the scan is clean the user is permitted to write to the CD and take data offline. This is the issue, as Avira say we can only keep the command line client up to date manually by pushing signature updates each day to the desktops. This would require us to use our patch management tool for the job rather than the vendor's technology, and we cannot do this.

    Can Sophos provide a pure command line AV client which can coexist with the primary Windows GUI AV client of another vendor as a secondary check? If so, how do we keep the Sophos AV command line client up to date using a pull technique, even if it is from a simple NTFS file share or something from a command line switch?

    Much appreciated,

    fox

  • I see. With a few more details it makes much more sense. I can't and won't speak for Sophos (I guess some kind soul will tell you whom to contact); I'm just adding my two cents as usual.

    What I suggested is that you run the command line scanner from a network share which is kept up to date by the share's host. This might not be sufficient for your needs, as the update might have failed on this machine, but since you said "using a pull technique even if it is from a simple NTFS file share" this might be an option.

    To update the IDEs (signatures as you call it) using a script is possible but not the recommended way.

    Also, reading "Sophos Anti-Virus for Windows 2000+: significant files and registry entries" gives the impression that it is possible to install Sophos when a competitor is present. You'd then disable on-access checking (although it'd be a shame) and only use the command line scanner. The question remains how you could check from the script whether the update has been successful.

    Christian

  • Yep, Christian is right, but it doesn't need a script.

    You could have a "designated running Sophos" machine that has the full AV client on it (AutoUpdate, AV, RMS?, running up to date, etc.), and then just share out the c:\program files\sophos directory and run sav32cli.exe with some parameters from there.

    It seems to take a bit (I'm guessing it's copying the .ide and .vdl files over the network; it needs to load them locally in order to scan), but it does work, and you're not needing to use some bodgy script to do ad-hoc updating.

    And as far as the signing question goes, all binaries, executables, DLLs etc. are digitally signed.

    The updates themselves are also verified by the engine as they are loaded, to make sure they haven't been tinkered with or corrupted in transit.

  • Cheers ak, great info.

    The problem I have is that using the command line engine from a share of some sort across the network will not be allowed. Not least because of the network traffic, but also because these tasks have to run locally on the desktop where the security client software is installed and audited against the user and machine name.

    I think a crappy script is my only choice.

  • Hello again,

    Sounds like a small misunderstanding: what you'd run is \\Server\SAVShare\sav32cli.exe -whatever options. Of course the executable runs locally, and for all practical purposes it is identical to running it from a local folder. Another simple option: you can copy the contents of the share to a local folder once and update its contents before running the scanner. No complex script needed.

    For more information on the scanner and its options, search support for sav32cli.

    HTH

    Christian

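A gating script along the lines Christian describes (mirror the scanner from the share to a local folder, check that the copy is current, then scan the export folder from the desktop), added here as an illustration; it is not code from this thread or from Sophos. The share and folder names, the 48-hour freshness window, and the sav32cli switches and exit-code meanings (0 clean, 3 threat found, anything else an error) are assumptions to confirm against the sav32cli documentation for your version.

```powershell
# Added example: gate an export folder behind a second, command-line scan.
# Paths, freshness window, switches and exit-code mapping are assumptions.
param(
    [string]$Share          = '\\Server\SAVShare',     # host that keeps Sophos updated
    [string]$LocalCopy      = 'C:\SecondScan\Sophos',  # local mirror of that share
    [string]$ExportDir      = 'C:\Export\Pending',     # folder the user wants to burn
    [int]   $MaxIdeAgeHours = 48                       # how stale the IDEs may be
)

function Sync-Scanner {
    # Mirror the share locally so the scan itself runs from the desktop, not the network.
    # robocopy exit codes below 8 mean success (0 = nothing to copy, 1 = files copied).
    robocopy $Share $LocalCopy /MIR /R:2 /W:5 /NP /NJH /NJS | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "Sync from $Share failed (robocopy $LASTEXITCODE)" }
}

function Test-SignaturesCurrent {
    # The thread's open question: did the update actually arrive? Use the newest
    # .ide file's timestamp as the freshness indicator (assumed threshold).
    $newest = Get-ChildItem -Path $LocalCopy -Filter '*.ide' -Recurse |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $newest) { return $false }
    return ($newest.LastWriteTime -gt (Get-Date).AddHours(-$MaxIdeAgeHours))
}

function Invoke-SecondScan {
    # Scan only the export folder. Assumed switches: -all (all file types),
    # -rec (recurse), -nc (no confirmation prompts), -p= (log file for the audit trail).
    $log = Join-Path $env:TEMP 'sav32cli-export.log'
    & (Join-Path $LocalCopy 'sav32cli.exe') -all -rec -nc -p="$log" $ExportDir | Out-Null
    switch ($LASTEXITCODE) {   # assumed: 0 clean, 3 threat found, anything else = error
        0       { return 'Clean' }
        3       { return 'ThreatFound' }
        default { return "Error($LASTEXITCODE)" }
    }
}

Sync-Scanner
if (-not (Test-SignaturesCurrent)) {
    Write-Error 'Sophos IDEs are stale or missing; export blocked.'; exit 2
}
$verdict = Invoke-SecondScan
if ($verdict -ne 'Clean') {
    Write-Error "Second scan verdict: $verdict; export blocked."; exit 1
}
Write-Output 'Second scan clean; export to CD permitted.'
```

The script exits non-zero on a stale signature set or any non-clean verdict, so the calling export step can refuse to burn the CD on anything other than an explicit clean result.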
  • Command line only with independent updates? A2USB (aka portable)!

    update:

    "%~dp0a2cmd" /u

    scan and output:

    "%~dp0a2cmd" /deep /m /t /h /r /a /n /q=C:\YourA2Path /l=C:\YourA2Path\YourLogFolder\a2log.txt

    "%~dp0a2cmd" /ql
