
How do you Manually Compile Fedora 27/28/29 Talpa?

I have been working on scripting installs of Sophos AV on Linux hosts. I have no issues with the supported platforms, but we have some Debian, some Scientific Linux, and some Fedora.

I was able to figure out what was needed on SciLinux and Debian to get the Talpa to compile with the standard installer script from Sophos, but I cannot get the same to work on any of the currently stable Fedora builds.

I found the Sophos Talpa source on GitHub, and have gotten it to compile the binary packages. I can run /opt/sophos-av/engine/talpa_select select and it will look like it's working, but no matter what I do afterwards, the real-time scan engine does not start.


Current Output from Talpa Select:

[root@ITRS-505687645a engine]# ./talpa_select select
[Talpa-select]
Copyright 1989-2018 Sophos Limited. All rights reserved.
Fri Jan 11 15:26:25 2019 GMT
Linux distribution: [fedora]
Product: [Fedora release 29 (Twenty Nine)]
Kernel: [4.19.13-300.fc29.x86_64]
Multiprocessor support enabled.
Searching for source pack...
Searching for suitable binary pack...
Binary pack was created locally.
Found suitable binary pack. Using: /opt/sophos-av/talpa/compiled/talpa-binpack-fedora-x86_64-4.19.13-300.fc29.x86_64-1smpsatdec29225428utc2018.tar.gz

I have tried to reboot, which does not enable the on-access scanning.

I have tried to run /opt/sophos-av/bin/savdctl enable, which does not enable the on-access scanning.

No matter which I do, whenever I run /opt/sophos-av/bin/savdstatus:

[root@ITRS-505687645a talpa]# /opt/sophos-av/bin/savdstatus
Sophos Anti-Virus is active but on-access scanning is not running

 

When looking into the logs, this appears to be the pertinent bit of information:

Fri 11 Jan 2019 07:46:01 AM CST: update.updated Updated to versions - SAV: 10.4.1, Engine: 3.74.2, Data: 5.58
Fri 11 Jan 2019 07:46:01 AM CST: update.updated Successfully updated Sophos Anti-Virus from sdds:SOPHOS
Fri 11 Jan 2019 07:46:41 AM CST: talpa.startup Unable to load Talpa modules.
Fri 11 Jan 2019 08:45:51 AM CST: update.check Successfully updated Sophos Anti-Virus from sdds:SOPHOS
Fri 11 Jan 2019 08:50:29 AM CST: talpa_select.compiled NOTE: You are running Sophos Anti-Virus on a kernel for which Sophos does not provide binary kernel modules. Therefore the kernel modules have been locally compiled. Please see KBA14377 for supported platforms and kernels.
Fri 11 Jan 2019 08:50:32 AM CST: talpa_select Failed to load module talpa_syscallhook
insmod: ERROR: could not insert module /opt/sophos-av/talpa/current/talpa_syscallhook.ko: Permission denied

Fri 11 Jan 2019 08:50:32 AM CST: talpa.startup Unable to load Talpa modules.

 

Any help here would be useful. I feel like I am REALLY close to getting this running, but so far no luck.



  • I tried a ticket submitted by one of our Security Staff here, the reply from Sophos was as follows:

    "Thank you for contacting Sophos Technical Support!

    In regards to your query, Fedora Linux is not a supported distribution for Sophos AV. The following KB below will go over what distributions are supported:"

    And then they replied with the same KB articles you just posted in your reply.

    We tried Fanotify, which also did not work. We tried the Talpa compile, and that didn't work at first, but the GitHub version seems to compile as it has recent patches in it for the 4.18+ kernels, but that won't launch or load.

  • So, the Talpa modules work, but only if you disable SELinux on Fedora. You want to help me out with the step I am obviously missing?

  • Hi Greg,

    I've reached out to our team for this, and will reply back with any response I receive.

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • Hi, 

    I'm facing the same issue when trying to compile Fedora 29 Talpa modules. (kernel 4.19.15-300.fc29.x86_64)

    The build error I get:

    Building...
    Traceback (most recent call last):
    File "talpa_select.py", line 2035, in _action
    File "talpa_select.py", line 898, in load
    File "talpa_select.py", line 664, in select
    File "talpa_select.py", line 1555, in select
    File "talpa_select.py", line 1639, in build
    File "talpa_select.py", line 1792, in __try_build
    SelectException: exc-build-failed

    Has this something to do with Python3?

    Disabling SELinux doesn't solve the problem.

    Kind regards,
    GT

  • Hello,

    perhaps has some advice.

    Christian

  • The most obvious question: are you using GitHub Talpa, via the autodeploy.sh - https://gist.github.com/paperclip/7892031

    The version of Talpa that is included with Sophos Anti-Virus for Linux doesn't support kernel 4.19.

    If you are using the GitHub version of Talpa, then the build.log file should give more information about what has failed to build.

  • Hi Greg,

    Looking at https://bugzilla.redhat.com/show_bug.cgi?id=1426741

    It looks like SELinux enforcing mode may prevent some module loading. I'm afraid, since Fedora isn't on our supported list, we can't look into this in any more detail, but it might be possible for you to create rules to allow talpa_select to load kernel modules.

    As a first step it might be worth checking the SELinux logs to see what is getting blocked.

    Thanks,

    Douglas.

  • I can confirm, if you use the GitHub version of Talpa, it will compile on Fedora, BUT, it will not load the kernel modules as the newest profiles in SELinux do not allow the loading.

    After you have compiled the module from GitHub (https://github.com/sophos/talpa), and have tried to turn on the on-access scanning (# /opt/sophos-av/bin/savdctl enable), do the following:

     **** WARNING -- This is what I did on Fedora 27, 28, 29. It might not work on your system -- WARNING ****

    This will look at your SELinux audit logs, parse them for recent insmod failures, and build the policy info to add to the default targeted policy.

    # ausearch -c insmod -r | audit2allow -M talpainsmod -p /etc/selinux/targeted/policy/policy.31

      

    Once you have that new policy file, you need to add it to the existing policy on the system.

    # semodule -i talpainsmod.pp

    Then you just need to reboot the system and the talpa modules compiled before from GitHub should compile and allow Sophos to run.
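
The log check Douglas suggests and the `ausearch | audit2allow` step in the last post, as an added example that is not part of the thread or of Sophos's tooling: `audit2allow` turns every denial it is fed into an allow rule, so this script summarises the insmod denials and lists any whose module path lies outside /opt/sophos-av/talpa/. The sample records are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: review insmod AVC denials before audit2allow turns them into rules.

# Constructed sample records: contexts, pids and inode numbers are invented.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1547218232.101:901): avc:  denied  { module_load } for  pid=4211 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="dm-0" ino=131 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=system permissive=0
type=AVC msg=audit(1547221832.440:977): avc:  denied  { module_load } for  pid=5120 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="dm-0" ino=131 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=system permissive=0
type=AVC msg=audit(1547222000.007:981): avc:  denied  { module_load } for  pid=5333 comm="insmod" path="/tmp/constructed-example.ko" dev="dm-0" ino=977 scontext=system_u:system_r:example_daemon_t:s0 tcontext=system_u:object_r:example_tmp_t:s0 tclass=system permissive=0
type=AVC msg=audit(1547222001.300:982): avc:  denied  { read } for  pid=801 comm="sshd" path="/etc/constructed.conf" dev="dm-0" ino=55 scontext=system_u:system_r:example_sshd_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1547222000.007:981): arch=c000003e syscall=313 success=no exit=-13 comm="insmod"
EOF
}

# Read raw audit records on stdin; print one line per distinct insmod denial:
#   <count> <class>:<perms> <source context> <target context> <path>
summarize_avc() {
  awk '
    $1 == "type=AVC" && /denied/ && /comm="insmod"/ {
      perms = s = t = c = p = "-"
      if (match($0, /[{][^}]*[}]/)) {          # permission list between braces
        perms = substr($0, RSTART + 1, RLENGTH - 2)
        gsub(/^ +| +$/, "", perms)
        gsub(/ +/, ",", perms)
      }
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) s = substr($i, 10)
        else if ($i ~ /^tcontext=/) t = substr($i, 10)
        else if ($i ~ /^tclass=/) c = substr($i, 8)
        else if ($i ~ /^path=/) { p = substr($i, 6); gsub(/"/, "", p) }
      }
      n[c ":" perms " " s " " t " " p]++
    }
    END { for (k in n) print n[k], k }
  ' | sort
}

# Print module paths from insmod denials that are not under the Talpa directory;
# anything listed here would also be allowed by a policy built from the same log.
unexpected_paths() {
  summarize_avc | awk '{ print $NF }' | grep -v '^/opt/sophos-av/talpa/' || true
}

# Stand-alone run on the constructed sample.
sample_avc | summarize_avc
echo "Denials outside /opt/sophos-av/talpa/:"
sample_avc | unexpected_paths
```

On a real host, replace `sample_avc` with `ausearch -c insmod -r`; if `unexpected_paths` prints anything, filter those records out before passing the log to `audit2allow`.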