
support of new sophos central linux server protection #657

@Beleggrodion

Hi,

As perhaps already known, the "on-premise" version of the Sophos AV scanner reaches end of life on 20 July 2023. The sale of the on-premise "Sophos Endpoint Protection" was already stopped in June 2020. So new Sophos customers, and also customers who still want to use Sophos, need to use the cloud solution "Sophos Central".

Currently it's still possible to download a modified version of the classic "Sophos Anti-Virus for Linux (legacy)" in the Sophos Central dashboard, but this client also reaches EOL on 20 July 2023. After that only the "Server Protection for Linux" can be used.

This Sophos client has a simple bash installer (with specific customer parameters) which installs everything under different paths than the old version. The new main path is /opt/sophos-spl and the new CLI interface is /usr/local/bin/avscanner, which points to /opt/sophos-spl/plugins/av/bin/avscanner.

Example below of how it looks in the CLI now:

[root@server ~] avscanner /tmp/eicar.com

[15:14:27] Logger av configured for level: INFO

[15:14:27] Archive scanning enabled: no
[15:14:27] Image scanning enabled: no
[15:14:27] Following symlinks: no
[15:14:27] Scanning /tmp/eicar.com
[15:14:33] Detected "/tmp/eicar.com" is infected with EICAR-AV-Test (On Demand)
[15:14:33] End of Scan Summary:
[15:14:33] 1 file scanned in 6 seconds.
[15:14:33] 1 file out of 1 was infected.
[15:14:33] 1 EICAR-AV-Test infection discovered.

This will also be automatically reported to the customer's Sophos Central dashboard.

[Screenshot: sophos_central_portal1]

Currently I don't find a solution to prevent this, so on a mailserver with MailScanner which has a heavy load the log could be flooded with messages. The CLI command is described further under: https://support.sophos.com/support/s/article/KB-000042433?language=en_US

Also the affected file is moved into a private Sophos quarantine and it's not possible to leave the file in its current path, so e.g. quarantine management with MailWatch to release the quarantined items is not possible, I think.

As mentioned in the Sophos community forum, if avscanner is started, the virus definitions are kept in memory for around an hour if no additional scan is done.

So the question for me now is: is it possible to add support for the new Sophos client with some limitations? Or, because no one has asked for this at the moment (I don't see a similar feature request), do most people now use MailScanner only with ClamAV?
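Added example, not code from MailScanner or Sophos: a small Python parser for the avscanner output format quoted in the post, the first thing any integration needs before it can turn a scan into per-file verdicts (MailScanner's own scanner wrappers are Perl and would follow the same approach). The sample output is constructed from the run shown above; the plural wordings in the summary regexes ("files", "were", "infections") are assumptions, since the post only shows the singular forms of a one-file scan. The summary counts are cross-checked against the "Detected" lines so that a truncated or interleaved log, the flooding concern raised for a busy mailserver, yields an error rather than a silent "clean".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the avscanner run quoted in the issue, reproduced as
# input for this parser (timestamps and the EICAR test path as shown there).
SAMPLE_OUTPUT = """\
[15:14:27] Logger av configured for level: INFO
[15:14:27] Archive scanning enabled: no
[15:14:27] Image scanning enabled: no
[15:14:27] Following symlinks: no
[15:14:27] Scanning /tmp/eicar.com
[15:14:33] Detected "/tmp/eicar.com" is infected with EICAR-AV-Test (On Demand)
[15:14:33] End of Scan Summary:
[15:14:33] 1 file scanned in 6 seconds.
[15:14:33] 1 file out of 1 was infected.
[15:14:33] 1 EICAR-AV-Test infection discovered.
"""

# Every avscanner line in the post starts with a [HH:MM:SS] prefix.
LINE_RE = re.compile(r"^\[(?P<time>\d{2}:\d{2}:\d{2})\]\s+(?P<msg>.*)$")
# Detection line; the trailing "(On Demand)" is kept as the scan mode.
DETECTED_RE = re.compile(
    r'^Detected "(?P<path>.+)" is infected with (?P<threat>.+?)'
    r'(?: \((?P<mode>[^)]+)\))?$'
)
# Summary lines. Plural forms ("files", "were", "infections") are assumptions:
# the post only shows the singular wording for a one-file scan.
SCANNED_RE = re.compile(r"^(?P<n>\d+) files? scanned in (?P<secs>\d+) seconds?\.$")
INFECTED_RE = re.compile(r"^(?P<n>\d+) files? out of (?P<total>\d+) (?:was|were) infected\.$")
THREAT_RE = re.compile(r"^(?P<n>\d+) (?P<threat>.+?) infections? discovered\.$")


@dataclass
class Detection:
    path: str
    threat: str
    mode: str


@dataclass
class ScanReport:
    detections: list = field(default_factory=list)
    files_scanned: int = 0
    files_infected: int = 0
    seconds: int = 0
    threat_counts: dict = field(default_factory=dict)
    unparsed: list = field(default_factory=list)  # lines without the timestamp prefix

    @property
    def infected_paths(self):
        return sorted({d.path for d in self.detections})


def parse_avscanner_output(text):
    """Turn avscanner's human-readable log into a structured ScanReport."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            report.unparsed.append(line)
            continue
        msg = m.group("msg")
        if d := DETECTED_RE.match(msg):
            report.detections.append(Detection(d["path"], d["threat"], d["mode"] or ""))
        elif s := SCANNED_RE.match(msg):
            report.files_scanned = int(s["n"])
            report.seconds = int(s["secs"])
        elif i := INFECTED_RE.match(msg):
            report.files_infected = int(i["n"])
        elif t := THREAT_RE.match(msg):
            report.threat_counts[t["threat"]] = int(t["n"])
        # Configuration banner and "Scanning ..." lines carry no verdict; skipped.
    return report


def is_consistent(report):
    """True when the summary counts agree with the per-file detection lines.

    A mismatch means the output was truncated or interleaved, so the scan
    must not be treated as clean."""
    by_threat = {}
    for d in report.detections:
        by_threat[d.threat] = by_threat.get(d.threat, 0) + 1
    return (
        report.files_infected == len(report.infected_paths)
        and report.files_infected <= report.files_scanned
        and by_threat == report.threat_counts
    )


def verdict(report):
    """Map a report to the three outcomes an integration has to distinguish."""
    if not is_consistent(report):
        return "error"
    return "infected" if report.detections else "clean"


if __name__ == "__main__":
    r = parse_avscanner_output(SAMPLE_OUTPUT)
    print(verdict(r), r.infected_paths, r.threat_counts)
```

Run as a script it prints `infected ['/tmp/eicar.com'] {'EICAR-AV-Test': 1}` for the sample. The three-way verdict matters because a scanner that only reports "nothing detected" on a partial log would let mail through on the error path; returning "error" lets the caller defer or retry instead.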
