MailScanner / v5
GNU General Public License v2.0

support of new sophos central linux server protection #657

Open Beleggrodion opened 1 year ago

Beleggrodion commented 1 year ago

Hi,

As perhaps already known, the "on-premise" version of the Sophos AV scanner reaches end of life on 20 July 2023. The sale of the on-premise "Sophos Endpoint Protection" was already stopped in June 2020. So new Sophos customers, and also customers who still want to use Sophos, need to use the cloud solution "Sophos Central".

Currently it's still possible to download a modified version of the classic "Sophos Anti-Virus for Linux (legacy)" in the Sophos Central dashboard, but this client also reaches EOL on 20 July 2023. After that only "Server Protection for Linux" can be used.

This Sophos client has a simple bash installer (with customer-specific parameters) which installs everything under different paths than the old version. So the new main path is /opt/sophos-spl and the new CLI interface is /usr/local/bin/avscanner, which points to /opt/sophos-spl/plugins/av/bin/avscanner.

Example below of how it looks in the CLI now:

```
[root@server ~] avscanner /tmp/eicar.com

[15:14:27] Logger av configured for level: INFO

[15:14:27] Archive scanning enabled: no
[15:14:27] Image scanning enabled: no
[15:14:27] Following symlinks: no
[15:14:27] Scanning /tmp/eicar.com
[15:14:33] Detected "/tmp/eicar.com" is infected with EICAR-AV-Test (On Demand)
[15:14:33] End of Scan Summary:
[15:14:33] 1 file scanned in 6 seconds.
[15:14:33] 1 file out of 1 was infected.
[15:14:33] 1 EICAR-AV-Test infection discovered.
```

This will also be automatically reported to the customer's Sophos Central dashboard.

[screenshot: sophos_central_portal1]

Currently I don't see a way to prevent this, so on a mail server with MailScanner under heavy load the log could be flooded with messages. The CLI command is described further at: https://support.sophos.com/support/s/article/KB-000042433?language=en_US

Also, the affected file is moved into a private Sophos quarantine and it's not possible to leave the file at its current path, so e.g. quarantine management with MailWatch to release quarantined items is not possible, I think.

As mentioned in the Sophos community forum, once avscanner is started the virus definitions are kept in memory for around an hour if no additional scan is done.

So my question now is: is it possible to add support for the new Sophos client with some limitations? Or, because no one has asked for this so far (I don't see any similar feature request), do most people now use MailScanner only with ClamAV?
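The avscanner output quoted above is the only interface a MailScanner-style wrapper would have for turning a scan into "which file, which signature" records. The POSIX shell functions below are an added illustration of that parsing step; they are not MailScanner project code and not a Sophos tool. The sample output is constructed from the lines in the report, the function names `parse_detections` and `infected_count` are hypothetical, and the `(On Demand)` suffix and the `N file out of M was infected.` summary line are assumed to keep the shape shown above.

```shell
#!/bin/sh
# Added example, not part of MailScanner: parse Sophos Central avscanner
# output (as shown in the issue) into machine-readable detection records.

# Constructed sample, copied from the output format in the report.
SAMPLE_OUTPUT='[15:14:27] Logger av configured for level: INFO
[15:14:27] Archive scanning enabled: no
[15:14:27] Scanning /tmp/eicar.com
[15:14:33] Detected "/tmp/eicar.com" is infected with EICAR-AV-Test (On Demand)
[15:14:33] End of Scan Summary:
[15:14:33] 1 file scanned in 6 seconds.
[15:14:33] 1 file out of 1 was infected.
[15:14:33] 1 EICAR-AV-Test infection discovered.'

# parse_detections: read avscanner output on stdin and print one
# "<path>|<signature>" line per "Detected ..." record. The path is taken
# from inside the double quotes; the trailing parenthesised scan mode
# ("(On Demand)" in the sample) is dropped. Non-detection lines are ignored,
# which is what keeps a busy mail server's log from echoing every INFO line.
parse_detections() {
    sed -n 's/^\[[0-9:]*\] Detected "\([^"]*\)" is infected with \(.*\) (.*)$/\1|\2/p'
}

# infected_count: read avscanner output on stdin and print the infected file
# count from the "N file out of M was infected." summary line, or 0 when the
# summary is missing (e.g. output truncated by a timeout).
infected_count() {
    c=$(sed -n 's/^\[[0-9:]*\] \([0-9][0-9]*\) files* out of [0-9][0-9]* w[a-z]* infected\.$/\1/p')
    echo "${c:-0}"
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_OUTPUT" | parse_detections
printf '%s\n' "$SAMPLE_OUTPUT" | infected_count
```

In a real wrapper the two functions would be fed from `avscanner <dir> 2>&1` instead of the constructed sample; the important caveat from the report still applies, namely that the file has already been moved to the Sophos quarantine by the time these lines are printed, so the wrapper can report the detection but cannot hand the file to MailWatch.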

github-actions[bot] commented 1 year ago

Thank you for submitting your first issue to MailScanner! We will respond to you soon!

palmssl commented 1 year ago

Is MailScanner intending to support avscanner (in Server Protection for Linux)? Do you have a timescale for this? (Savscan goes EOL in 3 weeks...)

chenjeff622 commented 5 months ago

Same problem for me too. Is there any news?

shawniverson commented 5 months ago

Someone that has access to this scanner is welcome to contribute to this project. Unless I can somehow get my hands on this commercial scanner, I am unable to write and test the wrapper code.