Sophos Anti-Virus for Unix
by Berislav Kucan - Tuesday, 20 August 2002.
We have a few different anti virus software products here in our office waiting to be reviewed. All of them, except the product covered in this review, are intended for Windows users. As I have personally checked some anti virus solutions for my Linux desktop computer, let's start the HNS anti virus review bonanza with Sophos' attempt at protecting Linux users. As a standard disclaimer, we didn't do rigorous testing of this product; we reviewed its functionality, focusing mainly on installation, configuration and usage.

Sophos Anti-Virus for Unix comes in a couple of flavors. There are supported versions for several operating systems, including: AIX, Digital Unix, FreeBSD, HP-UX, Linux, SCO Open Server, SCO Unixware and Solaris. The test system for this installation is Red Hat Linux 7.2. For Linux, separate packages are provided:

- Linux on Alpha
- Linux on Intel using libc5
- Linux on Intel using libc6

Most of the newly released versions of popular Linux distributions come with libc6, but if you really need to double check which C library your system has, run a quick 'ls /lib/libc.so.*'. The output will obviously show whether you have libc5 or libc6.

Pre-Installation

The first step is to move the appropriate package from Sophos' CD-ROM into your /tmp directory. The file used for this test is linux.intel.libc6.tar. Unpacking the archive shouldn't be a problem:

[root@localhost tmp]# tar -xvf linux.intel.libc6.tar
sav-install/
sav-install/vdl-3.57.dat
sav-install/install.sh
sav-install/Readunix.txt
sav-install/Install.txt
sav-install/icheckd.1
sav-install/icheckd.conf.5
sav-install/sweep.1
sav-install/icheckd
sav-install/libsavi.so.2.2.03.095

Here's a brief description of the files extracted from the Sophos Anti-Virus archive:

install.sh -> installation script used to install the package
vdl-3.57.dat -> the actual virus signatures (version 3.57, CD-ROM dated May 2002)
Readunix.txt and Install.txt -> Sophos Anti-Virus for Unix Installation Notes
icheckd.1 and icheckd.conf.5 -> manual pages for InterCheck and icheckd.conf
sweep.1 -> manual page for Sophos Sweep
icheckd -> InterCheck binary
libsavi.so.2.2.03.095 -> Sophos Anti-Virus shared library

Before installation you must decide whether you want to install an InterCheck Server. If you do, it is a good idea to first create a dedicated user and group (Sophos suggests sweep:sweep), because when the InterCheck Server starts it attempts to change its user and group IDs so that it runs as user and group sweep. In this review we look at Sophos Anti-Virus for Unix as a standalone Linux desktop anti virus solution, not in combination with Windows 95/98/ME clients. Information on that kind of setup can be found in the "Unix with Windows 95/98/Me clients" manual on Sophos' documentation pages, linked in the references section.

Running the install.sh script in the sav-install directory starts the installation. Optionally, ./install.sh -h lets you choose the directories into which Sophos Anti-Virus is installed. The defaults are:

Binaries in /usr/local/bin
Shared library in /usr/local/lib
Virus data and identities in /usr/local/sav
Manual pages in /usr/local/man (Figure 1 - man entry)

./install.sh -h also shows the following options:

-i [dir] InterCheck directory (defaults to /var/spool/intercheck or the ROOTDIRECTORY given in /etc/icheckd.conf, if that exists)
-ni Do not install InterCheck
-ssi Stop & start InterCheck server after installation
-nssi Do not stop & start InterCheck (default)
-idc Install InterCheck for diskless clients
-nidc Do not install InterCheck for diskless clients (default)
-rm Remove old libraries and virus data files (default)
-nrm Do not remove old libraries and virus data files

Actual installation

OK, now that we have seen all the options and decided where to place the Sophos Anti-Virus files, we can start the actual installation.

[root@localhost sav-install]# ./install.sh
Sophos Anti-Virus installation utility [Linux/Intel]
Copyright (c) 1998,2001 Sophos Plc, Oxford, England

Error: Could not find 'ldconfig' in path.

We very quickly hit the first error. According to its man page, ldconfig configures the dynamic linker's run-time bindings. On this system ldconfig lives at /sbin/ldconfig, which the installer does not find in its path, so the easy solution is to create a symbolic link to it in the /usr/bin directory:

[root@localhost bin]# ln -s /sbin/ldconfig ldconfig

With ldconfig available in the path, running install.sh completes and simply returns to the command prompt, which means the product was installed successfully.
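The fix above can be scripted for any tool an installer expects to find on the PATH. The shell function below is an added example, not part of Sophos' install.sh: it first checks whether the tool is already reachable, otherwise searches a list of fallback directories and symlinks the first executable it finds into a directory that is on the PATH, which is what the ln -s above does by hand. The tool name and all directories are parameters; nothing in it is specific to Sophos.

```shell
#!/bin/sh
# Added example, not part of Sophos' install.sh.
# ensure_on_path TOOL LINKDIR DIR...
#   If TOOL is already reachable via PATH, print its location.
#   Otherwise look for it in DIR..., symlink the first match into LINKDIR
#   (which must itself be on PATH) and print the link.
#   Exit 1 if TOOL is nowhere, 2 if LINKDIR already holds that name.
ensure_on_path() {
    tool=$1
    linkdir=$2
    shift 2
    if command -v "$tool" >/dev/null 2>&1; then
        command -v "$tool"
        return 0
    fi
    for d in "$@"; do
        # Require a regular, executable file, not a directory of that name.
        if [ -f "$d/$tool" ] && [ -x "$d/$tool" ]; then
            if [ -e "$linkdir/$tool" ] || [ -L "$linkdir/$tool" ]; then
                echo "refusing to overwrite $linkdir/$tool" >&2
                return 2
            fi
            ln -s "$d/$tool" "$linkdir/$tool" || return 1
            echo "$linkdir/$tool"
            return 0
        fi
    done
    echo "$tool not found in PATH or in: $*" >&2
    return 1
}

# Usage matching the review's situation (run as root before ./install.sh):
#   ensure_on_path ldconfig /usr/bin /sbin /usr/sbin
```

A common reason for this particular error is that root's shell was reached with `su` rather than `su -`, so the PATH is still the unprivileged user's one without /sbin; checking that first avoids sprinkling extra links into /usr/bin.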

Configuration

The Sophos Anti-Virus configuration file is /etc/sav.conf. Its default content is:

SAV virus data directory = /usr/local/sav

According to the Sophos documentation, one more option is supported: "SAV temp directory". Its value is the path of the directory into which archives are temporarily extracted so that Sophos Anti-Virus can scan their contents. So a second line is added to sav.conf:

SAV temp directory = /tmp/sophos

Configuration is done - you can now use Sophos Anti-Virus on your Linux machine.
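The two sav.conf entries above are plain "Key = Value" lines. The script below is an added example, not Sophos' code: it reads a key from a file in that layout and prepares the temp directory as a root-only directory, refusing to use a symlink or a non-directory found at that path. The second check matters because /tmp/sophos sits inside world-writable /tmp, so another local user could create that name before the first scan runs and extracted archive contents would land wherever they pointed it. It assumes the file layout shown above and that the scanner runs as root.

```shell
#!/bin/sh
# Added example, not Sophos' code. Works on the "Key = Value" layout of
# /etc/sav.conf shown above; assumes the scanner itself runs as root.

# sav_conf_get FILE KEY -> prints KEY's value (whitespace trimmed), exit 1 if absent.
sav_conf_get() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        {
            p = index($0, "=")
            if (p == 0) next                          # not a Key = Value line
            k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# sav_tempdir_prepare DIR -> creates DIR as a root-only directory (mode 0700).
# Something already present at DIR is accepted only when it is a real
# directory, never a symlink: the path lives under world-writable /tmp, so a
# planted symlink would redirect extracted archive contents elsewhere.
sav_tempdir_prepare() {
    dir=$1
    if mkdir -m 0700 "$dir" 2>/dev/null; then
        :
    elif [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "cannot use $dir: not a plain directory" >&2
        return 1
    else
        chmod 0700 "$dir" || return 1
    fi
    # print the resulting permission string, e.g. drwx------
    ls -ld "$dir" | cut -c1-10
}

# sav_conf_check FILE -> reads the temp directory from FILE and prepares it.
sav_conf_check() {
    d=$(sav_conf_get "$1" "SAV temp directory") || {
        echo "SAV temp directory is not set in $1" >&2
        return 1
    }
    sav_tempdir_prepare "$d"
}

# Usage on the configuration from the review:
#   sav_conf_check /etc/sav.conf
```

Running the check once after editing sav.conf, and again from whatever cron job invokes the scanner, keeps the extraction directory under root's control even if it gets cleaned out of /tmp on reboot.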

Updating virus identities

Before we start using our freshly installed Sophos Anti-Virus for Unix, downloading the latest virus signatures would be a good step.

The Sophos web site, which is neatly categorized, has a download area for all the latest virus identities (IDE files). They can be downloaded in two ways:

- separate IDE files for the latest added viruses
- all the latest viruses zipped in an archive

There is also a second categorization of the IDE archives on the Sophos web site: by Sophos Anti-Virus build. The version we played with is titled 3.57 May 2002, so we need to download a few zipped archives to bring it up to the state of the current 3.60 August 2002 version. The downloaded files go into the /usr/local/sav/ directory. (Take a look at Figure 2)

Practical usage

Using Sophos Anti-Virus is simple, and both the help (--help) and man (man sweep) entries give you all the information you need. In this test case we scan the /tmp/savitest directory, including the archives in it. This is the usual Sophos Anti-Virus for Unix output:

[root@localhost sav]# sweep -f -dn -archive /tmp/savitest
SWEEP virus detection utility
Version 3.57, May 2002 [Linux/Intel]
Includes detection for 73553 viruses, trojans and worms
Copyright (c) 1989,2002 Sophos Plc, www.sophos.com

System time 16:00:51, System date 20 August 2002
Command line qualifiers are: -f -archive

Full Sweeping

>>> Virus 'Troj/Vbswg-150B' found in file /tmp/savitest/Vbswg.exe
>>> Virus 'VBS/Lovelet-DN' found in file /tmp/savitest/I-Worm.LoveLetter.dn.zip/I-Worm.Loveletter.dn/Ia?aoee.htm
>>> Virus 'Troj/Vbswg-150B' found in file /tmp/savitest/vbswg150b.zip/Vbswg.exe

5 files swept in 0 seconds.
3 viruses were discovered.
3 files out of 5 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
End of Sweep.
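Output in this format is easy to post-process. As an added example, not part of Sophos' tools, the shell functions below read a sweep log from standard input and extract each detection as a tab-separated record of virus identity, outermost on-disk file (the archive, for hits inside one) and full path, plus a pass/fail wrapper a scheduled scan can act on. The embedded sample log is a constructed copy of the run above, and the list of archive suffixes used to find the outermost file is an assumption.

```shell
#!/bin/sh
# Added example, not Sophos' code: parse the ">>> Virus '...' found in file ..."
# lines that sweep prints. The sample below is a constructed copy of the
# review's run, kept inline so the functions can be tried offline.

SAMPLE_SWEEP_LOG="Full Sweeping

>>> Virus 'Troj/Vbswg-150B' found in file /tmp/savitest/Vbswg.exe
>>> Virus 'VBS/Lovelet-DN' found in file /tmp/savitest/I-Worm.LoveLetter.dn.zip/I-Worm.Loveletter.dn/Ia?aoee.htm
>>> Virus 'Troj/Vbswg-150B' found in file /tmp/savitest/vbswg150b.zip/Vbswg.exe

5 files swept in 0 seconds.
3 viruses were discovered.
3 files out of 5 were infected.
End of Sweep."

# sweep_detections (sweep log on stdin)
# Prints one "<identity>\t<outermost file>\t<full path>" line per detection.
# For a hit inside an archive sweep appends the member path after the archive
# name, so the outermost file is cut at the first archive suffix (assumed list).
sweep_detections() {
    awk '
        /^>>> Virus / {
            # identity sits between the first pair of single quotes (\047)
            s = index($0, "\047")
            e = index(substr($0, s + 1), "\047")
            id = substr($0, s + 1, e - 1)
            path = $0
            sub(/^.* found in file /, "", path)
            outer = path
            if (match(outer, /\.(zip|tar|tgz|gz)\//))
                outer = substr(outer, 1, RSTART + RLENGTH - 2)
            printf "%s\t%s\t%s\n", id, outer, path
        }'
}

# sweep_infected_count (sweep log on stdin)
# Prints the number from the "N viruses were discovered." summary line, or 0.
# The singular form is assumed to read "1 virus was discovered."
sweep_infected_count() {
    awk '/ virus(es)? (was|were) discovered\.$/ { n = $1 } END { print n + 0 }'
}

# sweep_check LOGFILE -> exit 0 when the log reports no detections, 1 otherwise,
# so a cron wrapper can mail the report only on a hit.
sweep_check() {
    n=$(sweep_infected_count < "$1")
    [ "$n" -eq 0 ]
}

# Usage on a real run:
#   sweep -f -dn -archive /tmp/savitest > /var/log/sweep.log
#   sweep_check /var/log/sweep.log || sweep_detections < /var/log/sweep.log
```

The second column is the one to act on: quarantining /tmp/savitest/Vbswg.exe inside vbswg150b.zip is not possible without rewriting the archive, so the archive itself is the object to move aside.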

Also, take a look at Figure 3 that shows boot sector scanning.

References
