Add support for new Sophos Protection for Linux on @av_scanners_backup
Sophos Anti-Virus for Linux (Legacy) reaches End of Life on 20 July 2023.
This implies that both:
- 'Sophos-SSSP', # SAV Dynamic Interface
  from the @av_scanners section;
- 'Sophos Anti Virus (savscan)', # formerly known as 'sweep'
  from the @av_scanners_backup section
will no longer receive updated signature databases.
Fortunately, since Sophos is the only antivirus that can be installed without .deb or .rpm installation packages (and therefore without a distribution that supports them), there is a replacement: Sophos Protection for Linux (SPL), managed by Sophos Central.
Sophos Anti-Virus Dynamic Interface (SAVDI), which also provides Sophos-SSSP (Sophos Simple Scanning Protocol), can be made to work with Sophos Protection for Linux quite simply: only two symbolic links are needed, one for libsavi.so.3 and one for the virus definitions folder. No changes are necessary in Amavis.
For scans with the new avscanner utility (a command-line full file scanner), small adjustments are needed. The proposed configuration adds the following entry to @av_scanners_backup, after the Sophos Anti Virus (savscan) section.
```perl
### https://www.sophos.com/
['Sophos Protection for Linux (avscanner)', # Anti-Virus plugin
  ['/opt/sophos-spl/plugins/av/bin/avscanner', 'avscanner'], # 'avscanner'
  '-a {}',
  [0,2], qr/Detected .*? is infected/m,   # clean exit codes; "infected" indicator matched on the output
  # virus name: taken from the 'Detected "<file>" is infected with <NAME>' line that avscanner prints
  # (savscan's '>>> Virus ... found' pattern never matches avscanner output)
  qr/Detected .*? is infected with (\S+)/m,
],
```
Usage example:
```text
avscanner -a eicar/
[16:13:26] Logger av configured for level: INFO
[16:13:26] Archive scanning enabled: yes
[16:13:26] Image scanning enabled: no
[16:13:26] Following symlinks: no
[16:13:26] Scanning /tmp/eicar/eicar.com.txt
[16:13:27] Detected "/tmp/eicar/eicar.com.txt" is infected with EICAR-AV-Test
[16:13:27] Scanning /tmp/eicar/eicar_com.zip
[16:13:27] Detected "/tmp/eicar/eicar_com.zip/eicar.com" is infected with EICAR-AV-Test
[16:13:27] Scanning /tmp/eicar/eicarcom2.zip
[16:13:27] Detected "/tmp/eicar/eicarcom2.zip/eicar_com.zip/eicar.com" is infected with EICAR-AV-Test
[16:13:27] Scanning /tmp/eicar/eicar.com
[16:13:27] Detected "/tmp/eicar/eicar.com" is infected with EICAR-AV-Test
[16:13:27] End of Scan Summary:
[16:13:27] 4 files scanned in 1 second.
[16:13:27] 4 files out of 4 were infected.
[16:13:27] 4 EICAR-AV-Test infections discovered.
```
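To check the proposed entry before putting it into amavisd.conf, here is an added dry-run script (not Amavis code) that applies the entry's exit codes, "infected" regex and virus-name regex to avscanner output the way Amavis classifies a scanner result. The embedded output lines are a constructed fixture in the shape of the usage output above, and exit status 0 for the fixture is an assumption.

```perl
#!/usr/bin/perl
# Added example, not part of Amavis: evaluate the proposed @av_scanners_backup
# entry against avscanner output (exit status, "infected" regex, name regex).
use strict;
use warnings;

my @clean_codes = (0, 2);                                   # from the entry
my $infected_re = qr/Detected .*? is infected/m;            # from the entry
my $name_re     = qr/Detected .*? is infected with (\S+)/m; # from the entry

# verdict($exit_status, $scanner_output) returns INFECTED followed by the
# distinct virus names, CLEAN, or ERROR (unexpected status, no detection).
sub verdict {
    my ($status, $out) = @_;
    if ($out =~ $infected_re) {
        my %seen;
        my @names = grep { !$seen{$_}++ } ($out =~ /$name_re/g);
        return ('INFECTED', @names);
    }
    return ('CLEAN') if grep { $_ == $status } @clean_codes;
    return ('ERROR');
}

# Constructed fixture: lines in the shape of the usage output above.
my $sample = <<'END';
[16:13:26] Scanning /tmp/eicar/eicar.com.txt
[16:13:27] Detected "/tmp/eicar/eicar.com.txt" is infected with EICAR-AV-Test
[16:13:27] Detected "/tmp/eicar/eicar_com.zip/eicar.com" is infected with EICAR-AV-Test
[16:13:27] 2 files out of 2 were infected.
END

my ($status, $output) = (0, $sample);   # assumed exit status for the fixture

# With a directory argument, run the installed avscanner instead of the fixture.
if (@ARGV) {
    open(my $fh, '-|', '/opt/sophos-spl/plugins/av/bin/avscanner', '-a', $ARGV[0])
        or die "cannot run avscanner: $!";
    $output = do { local $/; <$fh> };
    close($fh);                 # waits for the child and sets $?
    $status = $? >> 8;
}

my ($result, @names) = verdict($status, $output);
print $result, (@names ? ": @names" : ''), "\n";
```

Run it without arguments to exercise the regexes on the fixture, or with a directory (for example one holding the EICAR test files) to scan it with the installed avscanner.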