Discussion:
ClamAV and Sophos
Dino Edwards
2016-03-22 10:00:23 UTC
I'm trying to figure out how to integrate Sophos with amavis in addition to clamav in Ubuntu. I'm a little confused on how to go about integrating it. As I understand, I need to download and install the following:

Sophos Antivirus for Linux 9.1

Then I need to enter an entry like below in my amavis config?

### http://www.sophos.com/
['Sophos Anti Virus (savscan)', # formerly known as 'sweep'
['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep'
'-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
'--no-reset-atime {}',
[0,2], qr/Virus .*? found/m,
qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
],

Do I also need to install SAV Dynamic interface 2.2 from Sophos?

Does anyone have a definitive guide on how to get this going?

Thanks

Dino
Nuno Fernandes
2016-03-22 14:06:46 UTC
Post by Dino Edwards
I'm trying to figure out how to integrate Sophos with amavis in addition to
clamav in Ubuntu.
I'm also using this scenario but with Centos. So it should be somewhat the
same.
Post by Dino Edwards
I'm a little confused on how to go about integrating it.
Sophos Antivirus for Linux 9.1
Then I need to enter an entry like below in my amavis config?
### http://www.sophos.com/
['Sophos Anti Virus (savscan)', # formerly known as 'sweep'
['/opt/sophos-av/bin/savscan', 'savscan'], # 'sweep'
'-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
'--no-reset-atime {}',
[0,2], qr/Virus .*? found/m,
qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
],
With this configuration you will be calling the antivirus for each mail. It will
load all the virus definitions, scan the file and then exit. It will be slow.

I use the daemon version, where a daemon starts, loads the virus database and
then listens for incoming scan requests. You can do that with either:

- Sophos-SSSP daemon - it's a daemon that comes with the sophos install files
- Sophie - an opensource daemon

I tested the first one and had a few problems and then reverted back to sophie:

Here is my conf:

['Sophie',
\&ask_daemon, ["{}/\n", '/tmp/sophie.sock'], # was: sophie:/var/run/sophie
#\&ask_daemon, ["{}/\n", '/var/spool/qmailscan/run/sophie'], # was: sophie:/var/run/sophie
qr/(?x)^ 0+ ( : | [\000\r\n]* $)/, qr/(?x)^ 1 ( : | [\000\r\n]* $)/,
qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ], # no /m on old cfg
Post by Dino Edwards
Do I also need to install SAV Dynamic interface 2.2 from Sophos?
Don't know for sure.
Post by Dino Edwards
Does anyone have a definitive guide on how to get this going?
I've created our own internal RPMs for CentOS for Sophos and SAVI. So for us it's
just a matter of installing the RPMs, registering Sophos and changing the
amavisd.conf.
From sophos the only file that we require is sav-linux-9-i386.tgz (don't know
why it is named i386).

Hope it helps.

Best regards,
Nuno Fernandes
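To make the Sophie entry in the amavisd.conf above concrete, here is an added Python example (not from this thread and not amavis's own code) that sends the same "{}/\n" request to the Sophie socket and interprets the reply the way amavis does with those three regexes: the first marks a clean reply, the second an infected one, the third extracts the virus name or error text. The socket path /tmp/sophie.sock is taken from the config; the sample replies are constructed.

```python
import re
import socket

# The three regexes from the Sophie entry above, in Python syntax. amavis
# treats a reply matching the first as clean, one matching the second as
# infected, and uses the third to pull the name (or error text) out.
CLEAN_RE = re.compile(r"(?x)^ 0+ ( : | [\000\r\n]* $)")
INFECTED_RE = re.compile(r"(?x)^ 1 ( : | [\000\r\n]* $)")
NAME_RE = re.compile(r"(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $", re.M)


def classify_reply(reply: str):
    """Return (verdict, detail) for a raw Sophie reply: verdict is
    'clean', 'infected' or 'error'; detail is the text after the code."""
    if CLEAN_RE.search(reply):
        return ("clean", None)
    m = NAME_RE.search(reply)
    detail = m.group(1) if m else reply.strip()
    if INFECTED_RE.search(reply):
        return ("infected", detail)
    # Neither clean nor infected matched: amavis treats this as a failure
    return ("error", detail)


def ask_sophie(scan_dir: str, sock_path: str = "/tmp/sophie.sock",
               timeout: float = 30.0):
    """Send what the "{}/\\n" template builds (directory of unpacked mail
    parts, trailing slash, newline) to Sophie's UNIX socket and classify
    its one-line reply. Assumes a Sophie daemon is listening there."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(f"{scan_dir}/\n".encode())
        reply = b""
        while b"\n" not in reply:
            data = s.recv(4096)
            if not data:
                break
            reply += data
    return classify_reply(reply.decode(errors="replace"))


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real Sophie daemon
    for sample in ("0\n", "1:EICAR-AV-Test\n", "-1:Cannot open file\n"):
        print(repr(sample), "->", classify_reply(sample))
```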