
Linux Free - logging help required

Product installed successfully but logs are very sparse. I have an IMAP client (Thunderbird) and I sent the EICAR test to a mailbox. The virus is removed from the email, but nothing appears in the logs at all. This is the message in the actual email, so I know it is being removed.

Sophos Anti-Virus reports a virus
in the following message:
----------------------
From:<removed by me>
To: <removed by me>
Date: 2016-12-19 11:33:21


Virus Name(s): 'Eicar-Test-Signature,'
Attachment Name(s): 
----------------------


From all the documentation I've found I would expect the event to have been logged in savd.log or savd-protect.log and viewable by savlog, but these are devoid of any mention that a virus was discovered.
Ideally, I'd like the logs to go to a syslog server, but there is no mention of how to set this up in the documentation.


  • Hello Norm Cook1,

    The virus is removed from the email
    Not sure where the pasted text is from. AFAIK Sophos Endpoint does not interact with applications, it scans in response to and blocks file access - thus it might prevent opening (or saving) an attachment but it wouldn't remove it from a message (let alone placing some text). Looks like the attachment has already been removed on the server - this would explain that the logs don't show a detection.

    Christian 

  • Detection was happening on the Sophos XG firewall and the infection removed prior to getting to the host. My bad. Earlier testing with the firewall did not remove infected attachments so I assumed it was the Linux client doing so. Client AV detects when saving the infected file to disk, but does not detect it in the email client itself. Working well enough for my purposes.