sophos / talpa

Talpa Kernel file access interception modules
GNU General Public License v2.0

Unknown symbol __module_address on Amazon Linux 2, 4.14.238 kernel #22

Closed b-dean closed 3 years ago

b-dean commented 3 years ago

First ran into this with the ./SophosInstall.sh which was saying:

On-access scanning not available. It was not possible to obtain or build suitable kernel support.

After a bit of digging around I tried running the compile and load myself:

/opt/sophos-av/engine/talpa_select select
/opt/sophos-av/engine/talpa_select load

Which also fails when it tries to load the kernel module:

insmod: ERROR: could not insert module /opt/sophos-av/talpa/current/talpa_syscallhook.ko: Unknown symbol in module

Error: Failed to load module talpa_syscallhook
Traceback (most recent call last):
  File "talpa_select.py", line 2035, in _action
  File "talpa_select.py", line 910, in load
  File "talpa_select.py", line 836, in tryLoadModules
  File "talpa_select.py", line 774, in loadModule
SelectException: exc-load-failed

Looking in /var/log/messages it seems that the symbol it has trouble with is __module_address

kernel: talpa_syscallhook: Unknown symbol __module_address (err 0)

environment

Misc

I found this issue that mentions that in recent kernel versions __module_address is not exported. Seems like it might be the same problem: nbulischeck/tyton#33

talpa_select-output.txt talpaselect.log
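A triage example for the failure reported above, added here and not part of the thread or the talpa code: it pulls the "Unknown symbol" lines out of the kernel log and checks each symbol against a Module.symvers export list. The function names and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the talpa project). Function names are hypothetical.

# Extract "module symbol" pairs from kernel log lines of the form
#   ... kernel: <module>: Unknown symbol <symbol> (err <n>)
unknown_symbols() {
    sed -n 's/.*kernel: \([A-Za-z0-9_]*\): Unknown symbol \([A-Za-z0-9_]*\) (err [-0-9]*).*/\1 \2/p' | sort -u
}

# Succeed if symbol $1 is listed in the Module.symvers file $2.
# Module.symvers is tab-separated: CRC, symbol, module, export type.
is_exported() {
    awk -F'\t' -v s="$1" '$2 == s { found = 1 } END { exit !found }' "$2"
}

# Read kernel log lines on stdin; print one verdict per unresolved symbol.
# $1 is the Module.symvers file for the kernel the module was loaded into.
triage() (
    symvers=$1
    unknown_symbols | while read -r mod sym; do
        if is_exported "$sym" "$symvers"; then
            # Exported but still unresolved: look at CRC or licence mismatch.
            echo "$mod $sym exported"
        else
            # Not in the export list: the module cannot link against it.
            echo "$mod $sym not-exported"
        fi
    done
)

# Constructed sample data. On a real host, feed /var/log/messages and the
# Module.symvers shipped with the kernel headers, typically
# /lib/modules/$(uname -r)/build/Module.symvers.
demo() (
    symvers=$(mktemp)
    printf '0x00000000\tprintk\tvmlinux\tEXPORT_SYMBOL\n' > "$symvers"
    printf '%s\n' \
        'kernel: talpa_syscallhook: Unknown symbol __module_address (err 0)' |
        triage "$symvers"
    rm -f "$symvers"
)
demo
```

A "not-exported" verdict matches the situation described in the linked issue, where the kernel no longer exports the symbol the module needs.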

wolf0156 commented 3 years ago

Also chasing this issue. I just found https://community.sophos.com/free-antivirus-tools-for-desktops/f/discussions/103665/free-sophos-for-linux-9-is-not-comatible-with-opensuse-tumbleweed-since-kernel-update-to-4-17-x-old-4-16-x-runs-fine/377358#377358 which said use fanotify instead so https://support.sophos.com/support/s/article/KB-000034610?language=en_US says

/opt/sophos-av/bin/savconfig set PreferFanotify true
/opt/sophos-av/bin/savconfig set disableFanotify false
systemctl restart sav-protect.service
/opt/sophos-av/bin/savdstatus
Sophos Anti-Virus is active and on-access scanning is running

Hope this helps.

paperclip commented 3 years ago

If you are using a supported version of Sophos Anti-Virus, it would be best to contact Sophos, then we'll be able to allocate some time to investigating this. If you are using Free SAV, I'd suggest using fanotify.

Edit: Just seen that you started with SophosInstall.sh, so are using Sophos Central. I'd suggest raising it as a query to Sophos Support, then we can get time allocated to investigate.

We saw a similar issue with a single Ubuntu 20.04 kernel, that was fixed in later kernels for 20.04.

paperclip commented 3 years ago

Should be fixed by e50a2f95aa55c024759b3867ffc1af7e3d8e82a3