Linux Server - can it detect more?

I have installed Sophos Antivirus for Linux on a Debian machine.

Using it for on demand scanning of email messages, it works when I push EICAR test virus through it.

I have a large collection of virus infected messages, when testing those it only detects about 50% of them.

I have confirmed that the system is running the latest definition files, following these instructions.

One could argue that Sophos does not know about the specific viruses yet, especially if they are new.

HOWEVER, if I test the messages with VirusTotal their system will detect the virus infection and it states that it was found by Sophos AV.

If I have the latest data files, how can I get my install to operate as well as VirusTotal is performing?

I have confirmed that I have the system set to scan compressed files, what else can I do?

  • I continue to test this software to see what is going on.

    From my testing I have seen it detects viruses in files with .html and .pdf extensions successfully.

    It does not find any infections in .doc files even though I know they are infected.

  • Hi,

    savscan only scans files with an extension that the virus data thinks can be infected, vs. on-access scans which scan all file names.

    Archive setting is independent between savscan (on-demand) and on-access scanning.

    Please try:

    savscan -archive -all <rest of args>

    to ensure that we are scanning the files specified.

    It's also possible that the malware being detected is counted as a PUA or suspicious file - in which case the -pua or -suspicious options might be required.

    Thanks,

    Douglas.

  • In reply to DouglasLeeder:

    Douglas, thanks for the info. Very enlightening.

    We are actually using SSSP to access the on-demand scanning. Where/how do you configure the preferences for that service?

    savscan is the command-line on-demand scanner.

  • In reply to Gunsuka:

    Hi,

    Sorry, I don't know anything much about the SSSP API or savdi. I think you'll have to contact support and get official help.

    Thanks,

    Douglas.

  • In reply to Gunsuka:

    This document may help when configuring SAVi

    https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SAVDI-User-Manual.pdf

    Please have a look at this - otherwise as Douglas says please contact our support team - link is in the bottom right of this page

  • In reply to MarkToshack:

    I found some interesting results today. To clarify what we are doing:

    We are using SSSP and submitting raw email messages, these messages contain attachments as part of the email.

    When we feed the raw messages to SSSP it is successful in detecting viruses in attachments that are .pdf and .html, so we know it is reading the message content and successfully decoding the files that exist in the message. It will actually feed back the temp filenames it is creating when it decodes the attachments from the message, which is great.

    The problem is, the system is not detecting the viruses in .doc files that we have been testing and know are infected.

    Today we conducted the same scanning tests, by placing the messages on disk and scanning them with SAVDID command line scanning.

    The results were the same, the system misses the viruses if they are .doc files.

    If we decode the .doc file and place it on disk, then request savdid to scan it the virus is found.

    Either we have something configured incorrectly or the scanner is not working correctly, since we know the viruses are there but the conditions have to be just right for them to be found. Seems like a fairly serious security issue.
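    A way to cross-check both points raised in this thread (Douglas's advice to run savscan with -archive -all, and optionally -pua / -suspicious, and Gunsuka's finding that a .doc attachment is detected once it is decoded to disk) is to decode the MIME attachments yourself and hand each file to the command-line scanner individually. The script below is an added example written for this thread; it is not Sophos code and not code posted by any participant. It assumes savscan is on the PATH, uses only the options quoted above, and treats return code 3 as "threat found" following savscan's documented return codes (verify against your installed version). The sample message is constructed inline and contains placeholder bytes, not real malware.

```python
import email
import os
import shutil
import subprocess
import tempfile
from email import policy
from email.message import EmailMessage

# Options taken from the thread: scan inside archives, scan every file regardless of
# extension, and also report PUAs and suspicious files.
SAVSCAN_OPTIONS = ["-archive", "-all", "-pua", "-suspicious"]

# Assumed mapping of savscan return codes (documented values; confirm for your version).
RETURN_CODES = {0: "clean", 1: "interrupted", 2: "error", 3: "threat-found"}


def build_sample_message() -> bytes:
    """Constructed raw RFC 822 message with two attachments (placeholder payloads)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "scanner@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("Body text; the attachments are what gets scanned.")
    # OLE2 magic bytes followed by filler; NOT a real document, just a recognisable prefix.
    msg.add_attachment(b"\xd0\xcf\x11\xe0 constructed placeholder, not a real document",
                       maintype="application", subtype="msword", filename="report.doc")
    # Filename carrying a path component, to show the basename() guard below.
    msg.add_attachment(b"%PDF-1.4 constructed placeholder",
                       maintype="application", subtype="pdf", filename="../invoice.pdf")
    return bytes(msg)


def extract_attachments(raw_message: bytes, dest_dir: str) -> list:
    """Decode every MIME attachment into dest_dir and return the written paths."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    paths = []
    for index, part in enumerate(msg.iter_attachments()):
        # Never trust a sender-supplied filename as a path: keep only the basename.
        name = os.path.basename(part.get_filename() or "") or f"part-{index}.bin"
        path = os.path.join(dest_dir, name)
        # Avoid clobbering when two attachments share a name.
        suffix = 1
        while os.path.exists(path):
            path = os.path.join(dest_dir, f"{suffix}-{name}")
            suffix += 1
        with open(path, "wb") as fh:
            fh.write(part.get_payload(decode=True))
        paths.append(path)
    return paths


def scan_path(path: str, savscan: str = "savscan") -> dict:
    """Run savscan on one file and summarise the outcome by return code."""
    exe = shutil.which(savscan)
    if exe is None:
        return {"path": path, "status": "scanner-not-found", "exit_code": None, "output": ""}
    proc = subprocess.run([exe, *SAVSCAN_OPTIONS, path], capture_output=True, text=True)
    return {
        "path": path,
        "status": RETURN_CODES.get(proc.returncode, "unknown"),
        "exit_code": proc.returncode,
        "output": proc.stdout,
    }


def scan_message(raw_message: bytes, savscan: str = "savscan") -> list:
    """Decode a raw message into a temporary directory and scan each attachment."""
    results = []
    with tempfile.TemporaryDirectory() as work_dir:
        for path in extract_attachments(raw_message, work_dir):
            outcome = scan_path(path, savscan)
            outcome["name"] = os.path.basename(path)
            outcome["size"] = os.path.getsize(path)
            results.append(outcome)
    return results


if __name__ == "__main__":
    for result in scan_message(build_sample_message()):
        print(f"{result['name']}: {result['status']} (exit {result['exit_code']})")
```

    Feed real messages in with `scan_message(open("msg.eml", "rb").read())` and compare the per-attachment verdicts with what SSSP reports for the same message; if the decoded .doc is flagged here but not through SSSP, the difference lies in how the service is configured rather than in the detection data, which is the kind of evidence support will ask for.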

  • really helped :)...///

  • In reply to Gunsuka:

    Hi,

    sorry for the late reply - I did not get a notification for this thread.

    Please can you contact support, if you have not already, and we can look into it for you.

    cheers

    Mark