Sophos Anti-Virus for Unix comes in a couple of flavors. There are supported versions for several operating systems, including: AIX, Digital Unix, FreeBSD, HP-UX, Linux, SCO Open Server, SCO Unixware and Solaris. The test system for this installation is Red Hat Linux 7.2. As for Linux installations there are two different packages:
- Linux on Alpha
- Linux on Intel using libc5
- Linux on Intel using libc6
Most of the newly released versions of popular Linux distributions come with libc6, but if you really need to double check which libraries your system has do a quick 'ls /lib/libc.so.*'. That will obviously show you if you have libc5 or libc6.
The first step is to move the the appropriate package from Sophos's CD-ROM into your /tmp directory. The file in use for this test is linux.intel.libc6.tar. Unpacking the archive shouldn't be a problem:
[root@localhost tmp]# tar -xvf linux.intel.libc6.tar
Here's a brief description of the files extracted from the Sophos Anti Virus archive:
install.sh -> installation script needed for the package installing
vdl-3.57.dat -> actual virus signatures (version 3.57, CD ROM dated May 2002)
Readunix.txt and Install.txt -> Sophos Anti-Virus for Unix Installation Notes
checkd.1 and checkd.conf.5 -> manual for InterCheck and checkd.conf
sweep.1 -> manual for Sophos Sweep
icheckd -> InterCheck binary
ibsavi.so.2.2.03.095 -> Sophos Anti-Virus shared library
Before installation you must see if you would like to install an InterCheck Server. The difference is that if you need InterCheck, it would be nice to create a new user and a group (Sophos suggests sweep:sweep). The reason for this is that when the InterCheck Server runs, it will attempt to change user and group IDs so that it is running as user and group sweep. In this review we will look on Sophos Anti-Virus for Unix as a standalone Linux desktop anti virus solution not as a possible combination with a Windows 95/98/ME clients. Information on this kind of system can be found in "Unix with Windows 95/98/Me clients" manual located on Sophos' documentation pages linked in the references section.
By executing install.sh script in the sav-install directory, installation procedure starts. Optionally, ./install.sh -h gives you to choose in what directories you would like to install Sophos Anti-Virus. Defaults are:
Binaries in /usr/local/bin
Shared library in /usr/local/lib
Virus data and identities in /usr/local/sav
Manual pages in /usr/local/man (Figure 1 - man entry)
./install -h also gives the following possibilities:
-i [dir] InterCheck directory (defaults to /var/spool/intercheck or the ROOTDIRECTORY given in /etc/icheckd.conf, if that exists)
-ni Do not install InterCheck
-ssi Stop & start InterCheck server after installation
-nssi Do not stop & start InterCheck (default)
-idc Install InterCheck for diskless clients
-nidc Do not install InterCheck for diskless clients (default)
-rm Remove old libraries and virus data files (default)
-nrm Do not remove old libraries and virus data files
OK, now when we saw all the options and agreed with ourselves where would we place the Sophos Anti-Virus files, we can start with the actual installation.
[root@localhost sav-install]# ./install.sh
Sophos Anti-Virus installation utility [Linux/Intel]
Copyright (c) 1998,2001 Sophos Plc, Oxford, England
Error: Could not find 'ldconfig' in path.
Very quickly we encounter the first error. According to the man entry for the ldconfig, it is used for configuring dynamic linker run-time bindings. On this system the path to ldconfig is /sbin/ldconfig so the easy solution would be to create a link for ldconfig in the /usr/bin directory. This can be easily done with:
[root@localhost bin]# ln -s /sbin/ldconfig ldconfig
After making ldconfig available in the path, executing the install.sh script gives a command prompt, which means it was successfully installed.
Sophos Anti-Virus configuration file resides in /etc/sav.conf. Its default value is:
SAV virus data directory = /usr/local/sav
According to Sophos documentation, another option is supported - "SAV temp directory". This string should consist the path value of the directory when archives will be temporary extracted, so Sophos Anti-Virus can scan their content. So second line gets added to the sav.conf file:
SAV temp directory = /tmp/sophos
Configuration is done - you can now use Sophos Anti-Virus on your Linux machine.
Updating virus identities
Before we start using our freshly installed Sophos Anti-Virus for Unix, downloading the latest virus signatures would be a good step.
Sophos web site, which is neatly categorized has a download area for all the latest virus identites (IDE) that can be downloaded in two ways:
- separate IDE files for the latest added viruses
- all the latest viruses zipped in an archive
Also there is another categorization of the IDE archives when you are downloading them from Sophos web site: by Sophos Anti-Virus Build. The version we played with is titled 3.57 May 2002, so we need to download few zipped archives to get in the state were current 3.60 August 2002 version is. The downloaded files should go to /usr/local/sav/ directory. (Take a look at Figure 2)
Using Sophos Anti-Virus is simple and both help (--help) and man (man sweep) entries will give you all the information you need. In this test case we are scanning /tmp/savitest directory and available archives in that directory. This is the usual Sophos Anti-Virus for Unix output:
[root@localhost sav]# sweep -f -dn -archive /tmp/savitest
SWEEP virus detection utility
Version 3.57, May 2002 [Linux/Intel]
Includes detection for 73553 viruses, trojans and worms
Copyright (c) 1989,2002 Sophos Plc, www.sophos.com
System time 16:00:51, System date 20 August 2002
Command line qualifiers are: -f -archive
>>> Virus 'Troj/Vbswg-150B' found in file /tmp/savitest/Vbswg.exe
>>> Virus 'VBS/Lovelet-DN' found in file /tmp/savitest/I-Worm.LoveLetter.dn.zip/I-Worm.Loveletter.dn/Ia?aoee.htm
>>> Virus 'Troj/Vbswg-150B' found in file /tmp/savitest/vbswg150b.zip/Vbswg.exe
5 files swept in 0 seconds.
3 viruses were discovered.
3 files out of 5 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email email@example.com
or telephone +44 1235 559933
End of Sweep.
Also, take a look at Figure 3 that shows boot sector scanning.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.