Integrate Sophos Antivirus with Amavis

Post by dedwards » Fri Mar 25, 2016 8:10 am

This guide will walk you through installing, configuring and integrating Sophos Antivirus for Linux with Amavis to be used in conjunction with ClamAV. This guide assumes that you have an already working installation of Amavis with Postfix or another MTA on Ubuntu. This was tested on Ubuntu 12.04 LTS but I don't see why it wouldn't work in later versions.

1. Install Sophos Antivirus for Linux

First, download Sophos Antivirus for Linux from the link below. As of this writing, the file is named sav-linux-free-9.tgz:
https://www.sophos.com/en-us/products/f ... linux.aspx

Extract the file:

```sh
tar -xvzf sav-linux-free-9.tgz
```

This will create a sophos-av directory. Switch to that directory:

```sh
cd sophos-av
```

Run install.sh and follow the default options to install Sophos:

```sh
./install.sh
```

NOTE: When prompted for the type of auto-update you want, select Sophos.
NOTE: When prompted for the version you want, select Free.
NOTE: By default Sophos will update itself automatically every 60 minutes as long as your server is connected to the Internet.


2. Install SAVDI (Sophos Antivirus Dynamic Interface)

SAV Dynamic Interface (SAVDI) will act as the bridge between Sophos Antivirus and Amavis. It speaks the SOPHIE protocol, which Amavis already supports, instead of the SSSP protocol, which the Amavis version 2.6.5 that ships with Ubuntu 12.04 LTS does not support.

Before you install SAVDI on a server running Sophos Anti-Virus for Unix/Linux version 9, some additional steps are needed before and after the install. First, you must create symbolic links for libsavi.so.3 and libssp.so.0 so that SAVDI can locate these libraries during installation.

32-bit Servers ONLY
If you are using a 32-bit version of Ubuntu, you only need to create a link for libssp.so.0, since the link for libsavi.so.3 is already created when you install Sophos Antivirus 9. Issue the following command:

```sh
ln -s /opt/sophos-av/lib/libssp.so.0 /usr/local/lib/libssp.so.0
```

Note: If you have installed Sophos Anti-Virus to a non-default location then change the source path to this location.

64-bit Servers ONLY
If you are using a 64-bit version of Ubuntu, you need to create links for both libssp.so.0 and libsavi.so.3 as follows:

```sh
ln -s /opt/sophos-av/lib64/libsavi.so.3 /usr/local/lib/libsavi.so.3
ln -s /opt/sophos-av/lib64/libssp.so.0 /usr/local/lib/libssp.so.0
```

Note: If you have installed Sophos Anti-Virus to a non-default location then change the source path to this location.

Now it's time to install SAVDI. Download SAVDI from https://www.sophos.com/en-us/support/do ... rface.aspx. Please note that you must have a Sophos username and password in order to download it.

Extract the .tar file (as of this writing, SAVDI was version 2.3):

```sh
tar -xvf savdi-23-linux-32bit.tar
```

This creates a savdi-install directory. Go to that directory:

```sh
cd savdi-install
```

Run savdi_install.sh:

```sh
./savdi_install.sh
```

After installation you will see the following warning, because the virus data is in a non-default directory. It is safe to ignore:

```text
Warning: Virus data found at /opt/sophos-av/lib/sav
```

Make a copy of /usr/local/savdi/savdid.conf file for backup just in case:

```sh
cp /usr/local/savdi/savdid.conf /usr/local/savdi/savdid.backup
```

Edit /usr/local/savdi/savdid.conf:

```sh
vi /usr/local/savdi/savdid.conf
```

Locate the below entries:

```text
#virusdatadir: /var/sav/vdbs
#idedir: /var/sav/vdbs
```

Change these to:

```text
virusdatadir: /opt/sophos-av/lib/sav
idedir: /opt/sophos-av/lib/sav
```

Note: The '#' comment character needs to be removed from each entry.

Locate the following entry and delete everything underneath that line:

```text
# Define a IP channel for localhost
```

Next, insert the following underneath the above line:

```text
channel {
    commprotocol {
        type: UNIX
        socket: /var/run/savdid/savdid.sock
        user: amavis
        group: amavis
        requesttimeout: 120
        sendtimeout: 2
        recvtimeout: 5
    }

    scanprotocol {
        type: SOPHIE
        allowscandir: SUBDIR
        maxscandata: 500000
        maxmemorysize: 250000
        tmpfilestub: /tmp/savid_tmp
    }

    scanner {
        type: SAVI
        inprocess: YES
        maxscantime: 3
        maxrequesttime: 10
        deny: /dev
        deny: /home
        savigrp: GrpArchiveUnpack 0
        savigrp: GrpInternet 1
        savists: Xml 1
    }
}
```

Save the file.

In order to start savdid on system startup, you must create a script in the /etc/init.d directory:

```sh
vi /etc/init.d/savdid
```

Enter the following in that file:

```sh
#! /bin/sh
#
# savdid        /etc/init.d/ initscript for savdid
#
#
# How this thing works:
#   ${START} must be only what is needed for start-stop-daemon, DO NOT
#   ADD ANY PARAMETERS HERE!  we might use it for --test, for example.
#   ${STOP} works just like ${START}, --signal is used with it.
#
#   ${PARAMS} are the parameters to give the daemon when really starting
#   it.
### BEGIN INIT INFO
# Provides:          savdid
# Required-Start:    $syslog $network $local_fs $remote_fs
# Required-Stop:     $syslog $network $local_fs $remote_fs
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Starts savdid AntiVirus
# Description:       Launches the savdid AntiVirus daemon
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/bin/savdid
NAME=savdid
DAEMONNAME=savdid
DESC=savdid
PIDFILE=/var/run/savdid/${NAME}.pid

. /lib/lsb/init-functions

test -f ${DAEMON} || exit 0

set -e

START="--start --quiet --pidfile $PIDFILE --exec ${DAEMON}"
STOP="--stop --quiet --pidfile $PIDFILE"
PARAMS="-d"

case "$1" in
  start)
        echo -n "Starting $DESC: "
        mkdir -p /var/run/savdid
        if start-stop-daemon ${START} -- ${PARAMS} >/dev/null ; then
                echo "savdid."
        else
                if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                        echo "(failed)."
                        exit 1
                else
                        echo "(already running)."
                        exit 0
                fi
        fi
        ;;
  stop)
        echo -n "Stopping $DESC: "
        if start-stop-daemon ${STOP} --retry 10 >/dev/null ; then
                echo "savdid."
        else
                if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                        echo "(not running)."
                        exit 0
                else
                        echo "(failed)."
                        exit 1
                fi
        fi
        ;;
  restart|force-reload)
        $0 stop
        exec $0 start
        ;;
  status)
        status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
        ;;
  *)
        N=/etc/init.d/savdid
        echo "Usage: $N {start|stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit 0
```

Save the file and make it executable:

```sh
chmod +x /etc/init.d/savdid
```

Next, we need to make sure the service we just created will start during system startup. First, install chkconfig:

```sh
apt-get install chkconfig
```

Next, run chkconfig savdid:

```sh
chkconfig savdid
```

You should get the following output:

```text
savdid  off
```

So, we need to activate the savdid service. Run the following command:

```sh
chkconfig savdid on
```

In my system, running the command above gave me the following error:

```text
/sbin/insserv: No such file or directory
```

This can be easily resolved by creating the following link:

```sh
ln -s /usr/lib/insserv/insserv /sbin/insserv
```

Then run the "chkconfig savdid on" command again. Once it completes, run the following command once more:

```sh
chkconfig savdid
```

It should output the following:

```text
savdid  on
```

Now, start the savdid service:

```sh
service savdid start
```

Next, edit /etc/amavis/conf.d/15-av_scanners:

```sh
vi /etc/amavis/conf.d/15-av_scanners
```

Locate the @av_scanners line, uncomment the 'Sophie' entry and make it look like the block below (note how it points to the savdid socket file, /var/run/savdid/savdid.sock):

```perl
['Sophie',
   \&ask_daemon, ["{}/\n", '/var/run/savdid/savdid.sock'],
   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
```

Save the file and restart Amavis:

```sh
service amavis restart
```

Look for the following lines in /var/log/mail.log:

```text
smtp amavis[5181]: Using primary internal av scanner code for Sophie
smtp amavis[5181]: Using primary internal av scanner code for ClamAV-clamd
smtp amavis[5181]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
```

Test that the Sophos integration is working by monitoring the /var/tmp/savdi/log/xxxxxx.log file, where xxxxxx is today's date (any errors from savdid will be logged in this file as well):

```sh
tail -f /var/tmp/savdi/log/160325.log
```

Send the EICAR virus test file to one of your recipients and ensure an entry similar to the one below is logged in the /var/tmp/savdi/log/xxxxxx.log file:

```text
160325:070020 [56F510E6/1] 00030405 Threat found
    Identity: 'EICAR-AV-Test' "/var/lib/amavis/tmp/amavis-20160325T062724-05186/parts/p001"
```

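As an added check (example code written for this post, not part of the original guide and not Sophos or Amavis code), the script below asks savdid directly over the SOPHIE socket configured above and classifies the reply with the same three patterns the 'Sophie' entry in 15-av_scanners uses, so you can confirm the scanner answers correctly before sending mail through Postfix. It assumes the socket path /var/run/savdid/savdid.sock and a file the amavis user can read; the replies used in the test are constructed samples.

```python
import re
import socket
import sys
from typing import Optional, Tuple

# Socket path from the savdid.conf channel block above (assumed unchanged).
SAVDID_SOCKET = "/var/run/savdid/savdid.sock"

# The same reply patterns the 'Sophie' entry in 15-av_scanners uses: clean,
# infected, and the "<code>:<text>" form carrying a threat name (or an error).
CLEAN_RE = re.compile(r"(?x)^ 0+ ( : | [\000\r\n]* $)", re.M)
INFECTED_RE = re.compile(r"(?x)^ 1 ( : | [\000\r\n]* $)", re.M)
NAME_RE = re.compile(r"(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $", re.M)


def parse_sophie_reply(reply: str) -> Tuple[str, Optional[str]]:
    """Classify one savdid reply as ('clean'|'infected'|'error', detail)."""
    if CLEAN_RE.search(reply):
        return ("clean", None)
    m = NAME_RE.search(reply)
    detail = m.group(1) if m else None
    if INFECTED_RE.search(reply):
        return ("infected", detail)
    # Anything else (e.g. "-1:Unable to open file") is a scanner error; Amavis
    # treats that as a failed scan, never as a clean verdict.
    return ("error", detail or reply.strip())


def scan_path(path: str, sock_path: str = SAVDID_SOCKET,
              timeout: float = 10.0) -> Tuple[str, Optional[str]]:
    # Ask savdid to scan `path`: send "<path>\n", read the one-line verdict. The
    # file must be readable by the amavis user and not under a 'deny:' directory.
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(path.encode() + b"\n")
        chunks = []
        while True:  # SOPHIE answers with a single line; stop at newline or NUL
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\n" in data or b"\0" in data:
                break
    return parse_sophie_reply(b"".join(chunks).decode("utf-8", "replace"))


if __name__ == "__main__":
    verdict, detail = scan_path(sys.argv[1])
    print(verdict, detail or "")
    sys.exit(0 if verdict == "clean" else 1)
```

Run it as the amavis user against a file outside /dev and /home; a non-zero exit means savdid either flagged the file or could not scan it, which is the case worth alerting on.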
Finally, reboot your system and ensure the savdid service has started by running the following command:

```sh
ps -A|grep savdid
```

If the service started, you should see a message similar to below:

```text
 2201 ?        00:00:00 savdid
 2203 ?        00:00:05 savdid
```

That's it! Enjoy your server with additional protection from Sophos AV.

This guide was possible thanks to the invaluable contributions of Peter Kieser https://peterkieser.com/.

Questions or comments? Leave them below :D