Integrate Sophos Antivirus with Amavis in Hermes SEG
This guide will walk you through installing, configuring and integrating Sophos Antivirus for Linux with Amavis to be used in conjunction with ClamAV.
Install Sophos Antivirus for Linux
First, download Sophos Antivirus for Linux from the link below. As of this writing, the file is named sav-linux-free-9.tgz:
https://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-linux.aspx
Extract the file:
tar -xvzf sav-linux-free-9.tgz
This will create a sophos-av directory. Switch to that directory:
cd sophos-av
Run install.sh and follow the default options to install Sophos:
./install.sh
NOTE: When prompted for the type of auto-update you want, select Sophos
NOTE: When prompted for the version you want, select Free
NOTE: By default Sophos will update itself automatically every 60 minutes as long as your server is connected to the Internet
Install SAVDI (Sophos Antivirus Dynamic Interface)
SAV Dynamic Interface (SAVDI) will act as the bridge between Sophos Antivirus and Amavis. It is used because it speaks the SOPHIE protocol, which Amavis already supports, rather than the SPPP protocol, which the Amavis version 2.6.5 that ships with Ubuntu 12.04 LTS does not support.
Before you install SAVDI on a server running Sophos Anti-Virus for Unix/Linux version 9, you need to perform some additional steps before and after the install. First, create symbolic links for libsavi.so.3 and libssp.so.0 so that SAVDI can locate these libraries during installation.
32-bit Servers ONLY
If you are using a 32-bit version of Ubuntu you only need to create a link for libssp.so.0 since the link for libsavi.so.3 is already created when you install Sophos Antivirus 9. Issue the following command:
ln -s /opt/sophos-av/lib/libssp.so.0 /usr/local/lib/libssp.so.0
Note: If you have installed Sophos Anti-Virus to a non-default location then change the source path to this location.
64-bit Servers ONLY
If you are using a 64-bit version of Ubuntu, you need to create links for both libssp.so.0 and libsavi.so.3 as follows:
ln -s /opt/sophos-av/lib64/libsavi.so.3 /usr/local/lib/libsavi.so.3
ln -s /opt/sophos-av/lib64/libssp.so.0 /usr/local/lib/libssp.so.0
Note: If you have installed Sophos Anti-Virus to a non-default location then change the source path to this location.
Now it's time to install SAVDI. Download SAVDI from https://www.sophos.com/en-us/support/downloads/standalone-installers/sav-dynamic-interface.aspx. Please note that you must have a Sophos username and password in order to download it.
Extract the .tar file (as of this writing, SAVDI was version 2.3):
tar -xvf savdi-23-linux-32bit.tar
This creates a savdi-install directory. Go to that directory:
cd savdi-install
Run savdi_install.sh:
./savdi_install.sh
After installation you will get the following warning, because the virus data is found in a non-default directory; it is safe to ignore:
Warning: Virus data found at /opt/sophos-av/lib/sav
Make a copy of /usr/local/savdi/savdid.conf file for backup just in case:
cp /usr/local/savdi/savdid.conf /usr/local/savdi/savdid.backup
Edit /usr/local/savdi/savdid.conf:
vi /usr/local/savdi/savdid.conf
Locate the below entries:
#virusdatadir: /var/sav/vdbs
#idedir: /var/sav/vdbs
Change these to:
virusdatadir: /opt/sophos-av/lib/sav
idedir: /opt/sophos-av/lib/sav
Note: The '#' comment character needs to be removed from each entry
Locate the following line and delete everything underneath it:
# Define a IP channel for localhost
Next, insert the following underneath that line:
channel {
    commprotocol {
        type: UNIX
        socket: /var/run/savdid/savdid.sock
        user: amavis
        group: amavis
        requesttimeout: 120
        sendtimeout: 2
        recvtimeout: 5
    }
    scanprotocol {
        type: SOPHIE
        allowscandir: SUBDIR
        maxscandata: 500000
        maxmemorysize: 250000
        tmpfilestub: /tmp/savid_tmp
    }
    scanner {
        type: SAVI
        inprocess: YES
        maxscantime: 3
        maxrequesttime: 10
        deny: /dev
        deny: /home
        savigrp: GrpArchiveUnpack 0
        savigrp: GrpInternet 1
        savists: Xml 1
    }
}
Save the file
In order to start savdid on system startup, you must create an init script in the /etc/init.d/ directory:
vi /etc/init.d/savdid
Enter the following in that file:
#! /bin/sh
#
# savdid /etc/init.d/ initscript for savdid
#
#
# How this thing works:
# ${START} must be only what is needed for start-stop-daemon, DO NOT
# ADD ANY PARAMETERS HERE! we might use it for --test, for example.
# ${STOP} works just like ${START}, --signal is used with it.
#
# ${PARAMS} are the parameters to give the daemon when really starting
# it.
### BEGIN INIT INFO
# Provides:          savdid
# Required-Start:    $syslog $network $local_fs $remote_fs
# Required-Stop:     $syslog $network $local_fs $remote_fs
# Should-Start:
# Should-Stop:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Starts savdid AntiVirus
# Description:       Launches the savdid AntiVirus daemon
### END INIT INFO

PATH=/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/bin/savdid
NAME=savdid
DAEMONNAME=savdid
DESC=savdid
PIDFILE=/var/run/savdid/${NAME}.pid

. /lib/lsb/init-functions

# Do nothing if the daemon binary is not installed
test -f ${DAEMON} || exit 0

set -e

START="--start --quiet --pidfile $PIDFILE --exec ${DAEMON}"
STOP="--stop --quiet --pidfile $PIDFILE"
PARAMS="-d"

case "$1" in
  start)
    echo -n "Starting $DESC: "
    mkdir -p /var/run/savdid
    if start-stop-daemon ${START} -- ${PARAMS} >/dev/null ; then
      echo "savdid."
    else
      if start-stop-daemon --test ${START} >/dev/null 2>&1; then
        echo "(failed)."
        exit 1
      else
        echo "(already running)."
        exit 0
      fi
    fi
    ;;
  stop)
    echo -n "Stopping $DESC: "
    if start-stop-daemon ${STOP} --retry 10 >/dev/null ; then
      echo "savdid."
    else
      if start-stop-daemon --test ${START} >/dev/null 2>&1; then
        echo "(not running)."
        exit 0
      else
        echo "(failed)."
        exit 1
      fi
    fi
    ;;
  restart|force-reload)
    $0 stop
    exec $0 start
    ;;
  status)
    status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
    ;;
  *)
    N=/etc/init.d/savdid
    echo "Usage: $N {start|stop|restart|force-reload|status}" >&2
    exit 1
    ;;
esac

exit 0
Save the file and make it executable:
chmod +x /etc/init.d/savdid
Next, we need to make sure the service we just created will start during system startup. First, install chkconfig:
apt-get install chkconfig
Next, run chkconfig savdid:
chkconfig savdid
You should get the following output:
savdid off
So, we need to activate the savdid service. Run the following command:
chkconfig savdid on
On my system, running the command above gave me the following error:
/sbin/insserv: No such file or directory
This can be easily resolved by creating the following link:
ln -s /usr/lib/insserv/insserv /sbin/insserv
and then running the "chkconfig savdid on" command again. After that command completes, run the following command again:
chkconfig savdid
It should output the following:
savdid on
Now, start the savdid service:
service savdid start
Next, edit /etc/amavis/conf.d/15-av_scanners:
vi /etc/amavis/conf.d/15-av_scanners
Locate the @av_scanners line, uncomment the 'Sophie' entry and make it look like below (note how it points to the savdid socket file at /var/run/savdid/savdid.sock, the same path configured in savdid.conf):
['Sophie',
\&ask_daemon, ["{}/\n", '/var/run/savdid/savdid.sock'],
qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m, qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
Save the file and restart Amavis:
service amavis restart
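The following Python script is an added example (not part of the original guide, and not Sophos' or Amavis' code) that performs the same SOPHIE exchange Amavis does against the savdid socket: it sends the path of the file to scan followed by a newline and classifies the one-line reply with the same three patterns as the 'Sophie' entry above. The reply format it assumes ("0" clean, "1:<name>" infected, anything else an error) is inferred from those patterns. It includes a small stand-in daemon so it can be exercised without savdid; to check the real service, point scan_path at /var/run/savdid/savdid.sock and run it as the amavis user (or root), since the socket is owned by amavis in the configuration above.

```python
import os
import re
import socket
import tempfile
import threading

SOCKET_PATH = "/var/run/savdid/savdid.sock"  # socket path from savdid.conf

# Reply patterns transcribed from the Amavis 'Sophie' @av_scanners entry:
# clean, infected, and the capture of the threat name / error message.
CLEAN_RE = re.compile(r"(?x)^ 0+ ( : | [\000\r\n]* $)", re.M)
INFECTED_RE = re.compile(r"(?x)^ 1 ( : | [\000\r\n]* $)", re.M)
NAME_RE = re.compile(r"(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $", re.M)


def parse_reply(reply: str):
    """Classify one SOPHIE reply line the way Amavis does.

    Returns ("clean", None), ("infected", threat_name) or ("error", message).
    """
    if CLEAN_RE.search(reply):
        return ("clean", None)
    name_match = NAME_RE.search(reply)
    detail = name_match.group(1) if name_match else reply.strip()
    if INFECTED_RE.search(reply):
        return ("infected", detail)
    return ("error", detail)


def scan_path(path: str, sock_path: str = SOCKET_PATH, timeout: float = 10.0):
    """One SOPHIE request: write '<path>\\n', read the single reply line."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(f"{path}\n".encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
            if b"\n" in data:
                break
    return parse_reply(b"".join(chunks).decode(errors="replace"))


# Constructed verdict table for the stand-in daemon below (hypothetical paths).
VERDICTS = {
    "/var/lib/amavis/tmp/clean/parts/p001": "0\n",
    "/var/lib/amavis/tmp/eicar/parts/p001": "1:EICAR-AV-Test\n",
}


def serve_mock_savdid(sock_path: str, requests: int) -> threading.Thread:
    """Minimal stand-in for savdid (not Sophos' code): answers in SOPHIE reply format."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    srv.bind(sock_path)
    srv.listen(1)

    def run():
        for _ in range(requests):
            conn, _ = srv.accept()
            with conn:
                line = b""
                while not line.endswith(b"\n"):
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    line += chunk
                path = line.decode(errors="replace").rstrip("\r\n")
                conn.sendall(VERDICTS.get(path, "-1:file not found\n").encode())
        srv.close()

    t = threading.Thread(target=run, daemon=True)
    t.start()
    return t


def demo():
    """Run three requests against the stand-in daemon over a temporary socket."""
    with tempfile.TemporaryDirectory() as d:
        sock = os.path.join(d, "savdid.sock")
        paths = list(VERDICTS) + ["/var/lib/amavis/tmp/missing/parts/p001"]
        server = serve_mock_savdid(sock, requests=len(paths))
        results = [scan_path(p, sock) for p in paths]
        server.join(timeout=5)
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Because savdid scans the path the client names, the file must be readable by the savdid process; with the `deny: /home` and `deny: /dev` lines in savdid.conf, requests for paths under those directories come back as errors rather than clean, which is the behaviour you want a health check to distinguish from a genuine clean verdict.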
Look for the following lines in /var/log/mail.log:
smtp amavis[5181]: Using primary internal av scanner code for Sophie
smtp amavis[5181]: Using primary internal av scanner code for ClamAV-clamd
smtp amavis[5181]: Found secondary av scanner ClamAV-clamscan at /usr/bin/clamscan
Test that the Sophos integration is working by monitoring the /var/tmp/savdi/log/xxxxxx.log file, where xxxxxx is today's date (note that any errors from savdid are logged in this file as well):
tail -f /var/tmp/savdi/log/160325.log
Send the EICAR virus test file to one of your recipients and ensure an entry similar to the one below is logged in the /var/tmp/savdi/log/xxxxxx.log file:
160325:070020 [56F510E6/1] 00030405 Threat found
Identity: 'EICAR-AV-Test' "/var/lib/amavis/tmp/amavis-20160325T062724-05186/parts/p001"
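Since the savdi log is the only place a Sophos detection shows up in this setup, it is worth feeding it to whatever alerting you already run for ClamAV hits. The following Python parser is an added example (not part of the original guide or of Sophos' tooling): it reads "Threat found" entries in the two-line format shown above, pairs each with its Identity line, and extracts the Amavis temporary directory name from the scanned path so the hit can be matched against /var/log/mail.log. The sample log below is constructed for the example; the second threat name and the trailing filler line are made up.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the savdi log entries above.
SAMPLE_LOG = """\
160325:070020 [56F510E6/1] 00030405 Threat found
Identity: 'EICAR-AV-Test' "/var/lib/amavis/tmp/amavis-20160325T062724-05186/parts/p001"
160325:070045 [56F510E7/1] 00030405 Threat found
Identity: 'Example-Threat' "/var/lib/amavis/tmp/amavis-20160325T062745-05187/parts/p002"
160325:070046 [56F510E8/1] 00000000 (constructed filler line, not a detection)
"""

# "YYMMDD:HHMMSS [SESSION/SEQ] CODE message"
EVENT_RE = re.compile(r"^(\d{6}):(\d{6}) \[([0-9A-Fa-f]+)/(\d+)\] ([0-9A-Fa-f]{8}) (.*)$")
# Identity: 'threat name' "/path/to/scanned/file"
IDENTITY_RE = re.compile(r"""^Identity: '([^']*)' "([^"]*)"$""")
# Amavis names its per-message temp dir amavis-<timestamp>-<pid>
AMAVIS_TMPDIR_RE = re.compile(r"/(amavis-\d{8}T\d{6}-\d+)/")


def parse_threats(text: str):
    """Return one dict per 'Threat found' entry that has a following Identity line."""
    events = []
    pending = None
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            date, time_, session, seq, code, message = m.groups()
            pending = None
            if message == "Threat found":
                pending = {
                    "time": datetime.strptime(date + time_, "%y%m%d%H%M%S"),
                    "session": session,
                    "code": code,
                }
            continue
        im = IDENTITY_RE.match(line)
        if im and pending is not None:
            pending["identity"], pending["path"] = im.groups()
            pending["amavis_tmpdir"] = amavis_tmpdir(pending["path"])
            events.append(pending)
            pending = None
    return events


def amavis_tmpdir(path: str):
    """Extract the amavis-<timestamp>-<pid> directory from a scanned file path."""
    m = AMAVIS_TMPDIR_RE.search(path)
    return m.group(1) if m else None


def threat_counts(events) -> Counter:
    """Count detections per threat identity, e.g. for a daily summary."""
    return Counter(e["identity"] for e in events)


if __name__ == "__main__":
    found = parse_threats(SAMPLE_LOG)
    for e in found:
        print(e["time"], e["session"], e["identity"], e["amavis_tmpdir"])
    print(threat_counts(found))
```

To run it against the live file, replace SAMPLE_LOG with the contents of /var/tmp/savdi/log/<today>.log; the trailing number of the amavis temp directory is the PID of the Amavis child that handled the message, which is the same number shown in the amavis[...] prefix in /var/log/mail.log.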
Finally, reboot your system and ensure the savdid service has started by running the following command:
ps -A|grep savdid
If the service started, you should see output similar to below:
2201 ? 00:00:00 savdid
2203 ? 00:00:05 savdid
That's it! Enjoy your server with additional protection from Sophos AV.
This guide was possible thanks to the invaluable contributions of Peter Kieser https://peterkieser.com/.