Solution for keeping an isolated linux machine with no network up to date

Hi, I've been looking for a while but it doesn't seem clear if everything we need is possible.


We need to be able to do the following:

  • Install Anti-Virus for Linux on an offline machine
  • Be able to get virus definition updates directly to that machine via USB
  • Update the Anti-Virus software offline via USB
  • Run on demand scans

The one part I can't find a clear solution for is updating the virus definitions. From what I've found it looks like we'd require an installation of the Anti-Virus on another machine that is connected to the internet and then we'd have to do the following:

  • Copy the updates from the internet connected machine under what looks like "/opt/sophos-av/update/cache/" to USB
  • Copy the files from USB to the offline machine
  • Configure savupdate to update from a local source
  • Run savupdate to update the definitions on demand

Is it possible to update the definitions this way?


  • Hi  

    Would you please confirm if you are managing the endpoint from Enterprise console? Also, please take a look at this Sophos Anti-Virus Linux configuration guide? You can check under the section to configure the update server. 

  • In reply to Shweta:

    Hi Shweta,


    We don't have a product yet and the testing I have done so far has been using the free version of SAV for Linux. We are looking for a solution to carry out on demand scans on an offline machine that we can also reasonably easily keep up to date.

    Section 13.5 about configuring the client to update is what I want, but is not clear on whether I can update from a local directory. Is this possible?

  • In reply to Callum Finnamore:


    The version configuration guide is Sophos Enterprise Console(SEC). In SEC, you have Sophos update manager as a component which is responsible to update the clients in your corporate network irrespective of the client operating system. The machine where Sophos update manager is installed should have internet, so it can download the update files and then client machines can fetch the data from the Sophos update manager to update them selves without internet connection.

    You can download the guide of the Sophos Enterprise console from here.

  • In reply to Jasmin:

    Hi Jasmin,

    It is not possible for the machine to have any network connectivity at all, so it will not be able to get updates directly from a Sophos Update Manager connected to the internet. To update this one machine we have to use a USB with updates on. Is it possible to copy the virus definition updates from a SUM component to USB and then to the machine?


  • Hello Callum Finnamore,

    the mechanism for updating software and the one for virus definitions is the same. You need a machine with the same platform (Linux in your case) that updates from Sophos. The reason is that the downloader verifies the completeness and consistency of the source as a whole. You copy the Cache or Warehouse, if you have a SEC/SUM you use a copy of the CID,
    I can't test right now but AFAIK you can use a local path (in addition to HTTP and UNC/SMB) as update source.

    Just curious: What's the purpose of the scheduled scans? What should they scan?


  • In reply to Callum Finnamore:


    Seems to be you want to install the product in the airgap network, please refer to this article which procedure for the Airgap networks.

    Just a note, in airgap network, multiple features, policies will not work as the endpoint will not be able to communicate to SEC.

  • In reply to QC:

    Hi Christian,

    Thank you, that answer is what I needed. So long as I can update the machine locally from a copy of the necessary files from an internet connected machine running the same software, then this should work fine for us.


    As for the scans, we require on demand scans of removable media as part of our existing sheep dip process. The reason I needed to know how to update the definitions was to determine how easy it would be to update Sophos compared to our existing Anti Virus.

  • In reply to Callum Finnamore:

    Hello Callum Finnamore,

    sheep dip
    was my prime suspect.
    Please be aware that on Linux there is no On-Demand scan like the right-click scan on Windows, i.e. a  "spur-of-the-moment" scan that utilizes the already initialized engine (savscand). The command line savscan has a considerable overhead (I'm nevertheless talking about just a bunch of seconds here) that might or might not be acceptable.