I have been working on scripting installs of Sophos AV on Linux hosts. I have no issues with the supported platforms, but we have some Debian, some Scientific Linux, and some Fedora.
I was able to figure out what was needed on SciLinux, and Debian to get the Talpa to compile with the standard installer script from Sophos, but I can not get the same to work on any of the currently stable Fedora builds.
I found the Sophos Talpa source on GitHub, and have gotten it to compile the binary packages. I can run /opt/sophos-av/engine/talpa_select select and it will look like it's working, but no matter what I do afterwards, the real time scan engine does not start.
Current Output from Talpa Select:
[root@ITRS-505687645a engine]# ./talpa_select select
[Talpa-select]
Copyright 1989-2018 Sophos Limited. All rights reserved.
Fri Jan 11 15:26:25 2019 GMT
Linux distribution: [fedora]
Product: [Fedora release 29 (Twenty Nine)]
Kernel: [4.19.13-300.fc29.x86_64]
Multiprocessor support enabled.
Searching for source pack...
Searching for suitable binary pack...
Binary pack was created locally.
Found suitable binary pack. Using: /opt/sophos-av/talpa/compiled/talpa-binpack-fedora-x86_64-4.19.13-300.fc29.x86_64-1smpsatdec29225428utc2018.tar.gz
I have tried to reboot, which does not enable the on-access scanning.
I have tried to run /opt/sophos-av/bin/savdctl enable, which does not enable the on-access scanning.
No matter which I do, whenever I run /opt/sophos-av/bin/savdstatus:
[root@ITRS-505687645a talpa]# /opt/sophos-av/bin/savdstatus
Sophos Anti-Virus is active but on-access scanning is not running
When looking into the logs, this appears to be the pertinent bit of information:
Fri 11 Jan 2019 07:46:01 AM CST: update.updated Updated to versions - SAV: 10.4.1, Engine: 3.74.2, Data: 5.58
Fri 11 Jan 2019 07:46:01 AM CST: update.updated Successfully updated Sophos Anti-Virus from sdds:SOPHOS
Fri 11 Jan 2019 07:46:41 AM CST: talpa.startup Unable to load Talpa modules.
Fri 11 Jan 2019 08:45:51 AM CST: update.check Successfully updated Sophos Anti-Virus from sdds:SOPHOS
Fri 11 Jan 2019 08:50:29 AM CST: talpa_select.compiled NOTE: You are running Sophos Anti-Virus on a kernel for which Sophos does not provide binary kernel modules. Therefore the kernel modules have been locally compiled. Please see KBA14377 for supported platforms and kernels.
Fri 11 Jan 2019 08:50:32 AM CST: talpa_select Failed to load module talpa_syscallhook
insmod: ERROR: could not insert module /opt/sophos-av/talpa/current/talpa_syscallhook.ko: Permission denied
Fri 11 Jan 2019 08:50:32 AM CST: talpa.startup Unable to load Talpa modules.
Any help here would be useful. I feel like I am REALLY close to getting this running, but so far no luck.
Hey Greg Smith
Thanks for reaching out and my apologies regarding this inconvenience.
I'd advise you to please raise a support case for this and provide me with your case ID so I can follow up accordingly.
In reply to FloSupport:
I tried a ticket submitted by one of our Security Staff here, the reply from Sophos was as follows:
"Thank you for contacting Sophos Technical Support! In regards to your query, Fedora Linux is not a supported distribution for Sophos AV. The following KB below will go over what distributions are supported:"
And then they replied with the same KB articles you just posted in your reply.
We tried fanotify, which also did not work, and we tried the Talpa compile, which didn't work at first, but the GitHub version seems to compile as it has recent patches in it for the 4.18+ kernels, but that won't launch or load.
In reply to Greg Smith:
So, the TALPA modules work, but only if you disable SELINUX on Fedora. You want to help me out with the step I am obviously missing?
I've reached out to our team for this, and will reply back with any response I receive.
I'm facing the same issue when trying to compile Fedora 29 Talpa modules. (kernel 4.19.15-300.fc29.x86_64)
The build error I get:
Building...
Traceback (most recent call last):
  File "talpa_select.py", line 2035, in _action
  File "talpa_select.py", line 898, in load
  File "talpa_select.py", line 664, in select
  File "talpa_select.py", line 1555, in select
  File "talpa_select.py", line 1639, in build
  File "talpa_select.py", line 1792, in __try_build
SelectException: exc-build-failed
Has this something to do with Python3?
Disabling SELinux doesn't solve the problem.
In reply to burn:
Perhaps DouglasLeeder has some advice.
In reply to QC:
The most obvious question: are you using GitHub Talpa, via the autodeploy.sh - https://gist.github.com/paperclip/7892031 ?
The version of Talpa that is included with Sophos Anti-Virus for Linux doesn't support Kernel 4.19.
If you are using the GitHub version of Talpa, then the build.log file should give more information about what has failed to build.
Looking at https://bugzilla.redhat.com/show_bug.cgi?id=1426741, it looks like SELinux enforcing mode may prevent some module loading. I'm afraid, since Fedora isn't on our supported list, we can't look into this in any more detail, but it might be possible for you to create rules to allow talpa_select to load kernel modules.
As a first step it might be worth checking the SELinux logs to see what is getting blocked.
In reply to DouglasLeeder:
I can confirm, if you use the GitHub version of Talpa, it will compile on Fedora, BUT it will not load the kernel modules, as the newest profiles in SELinux do not allow the loading.
After you have compiled the module from github (https://github.com/sophos/talpa), and have tried to turn on the on-access scanning (# /opt/sophos-av/bin/savdctl enable), do the following:
**** WARNING -- This is what I did on Fedora 27, 28, 29. It might not work on your system -- WARNING ****
This will look at your SELinux audit logs, parsing them for recent insmod failures, and build the policy info to add to the default targeted policy.
# ausearch -c insmod -r | audit2allow -M talpainsmod -p /etc/selinux/targeted/policy/policy.31
Once you have that new policy file, you need to add it to existing policy on the system.
# semodule -i talpainsmod.pp
Then you just need to reboot the system and the Talpa modules compiled before from GitHub should load and allow Sophos to run.
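The ausearch / audit2allow / semodule procedure above, as an added shell example that is not from the thread or from Sophos: it parses the AVC denials behind insmod's "Permission denied" out of constructed audit records, refuses to proceed if any insmod denial points at something other than a Talpa module file (audit2allow would otherwise turn that into an allow rule too), and only then runs the same steps. The audit records, SELinux contexts, paths and the apply_talpa_policy helper are assumptions; audit2allow is run against the loaded policy, so the -p argument is omitted.

```shell
#!/bin/sh
# Added example, not from the thread: triage the SELinux AVC denials behind
# insmod's "Permission denied" before building the local policy module the
# post generates with audit2allow. Audit records below are constructed in the
# shape ausearch -r prints; the contexts and paths in them are assumptions.
SAMPLE_AVC='type=AVC msg=audit(1547222000.123:4711): avc:  denied  { module_load } for  pid=2301 comm="insmod" path="/opt/sophos-av/talpa/current/talpa_syscallhook.ko" dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=system permissive=0
type=AVC msg=audit(1547222000.456:4712): avc:  denied  { read } for  pid=2301 comm="insmod" name="talpa_syscallhook.ko" dev="dm-0" ino=1234 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547222050.000:4720): avc:  denied  { write } for  pid=1900 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'
# An insmod denial unrelated to Talpa: audit2allow run blindly would allow it too.
SAMPLE_UNRELATED='type=AVC msg=audit(1547222100.000:4730): avc:  denied  { module_load } for  pid=2400 comm="insmod" path="/tmp/unrelated.ko" dev="dm-0" ino=77 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=system permissive=0'

# Read audit records on stdin and print one line per AVC denial whose process
# name is $1:  <permission> <tclass> <scontext> <tcontext> <path-or-name>
denials_for_comm() {
    awk -v want="comm=\"$1\"" '
        /avc: +denied/ && index($0, want) {
            perm = $0; sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
            tclass = $0; sub(/.*tclass=/, "", tclass); sub(/ .*/, "", tclass)
            scon = $0; sub(/.*scontext=/, "", scon); sub(/ .*/, "", scon)
            tcon = $0; sub(/.*tcontext=/, "", tcon); sub(/ .*/, "", tcon)
            tgt = "-"
            if (match($0, /(path|name)="[^"]*"/)) {
                tgt = substr($0, RSTART, RLENGTH); sub(/^[a-z]+="/, "", tgt); sub(/"$/, "", tgt)
            }
            print perm, tclass, scon, tcon, tgt
        }'
}
count_denials_for_comm() { denials_for_comm "$1" | awk 'END { print NR }'; }

# Succeed only if every insmod denial on stdin targets a Talpa module file, so
# the policy you are about to install does not quietly permit anything else.
insmod_denials_are_talpa_only() {
    denials_for_comm insmod | awk '$5 !~ /talpa/ { bad = 1 } END { exit bad }'
}

# The post's procedure, gated on the checks above (root, audit and
# policycoreutils tools required; nothing runs unless this is called).
apply_talpa_policy() {
    for t in getenforce ausearch audit2allow semodule; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 2; }
    done
    [ "$(getenforce)" = "Enforcing" ] || { echo "SELinux not enforcing; look elsewhere" >&2; return 3; }
    rec=$(mktemp) && ausearch -c insmod -r > "$rec" 2>/dev/null
    [ "$(count_denials_for_comm insmod < "$rec")" -gt 0 ] || { echo "no insmod denials logged" >&2; return 4; }
    insmod_denials_are_talpa_only < "$rec" || { echo "non-Talpa insmod denials; review $rec first" >&2; return 5; }
    audit2allow -M talpainsmod < "$rec" && cat talpainsmod.te   # review the generated allow rules
    semodule -i talpainsmod.pp                                  # then reboot or rerun savdctl enable
}
```

Run the parsing functions against `ausearch -c insmod -r` output on a real host to see exactly which permission and target context is being refused before installing anything.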