Current V3 release: 3.05 ( tar.bz2 - MD5 / tar.gz - MD5)
Current V1 release: 1.44 ( tar.bz2 - MD5 / tar.gz - MD5 )
Patches/modifications
News
[21-Aug-2006] Beta version of potential v3.06 posted to this site
(tar.bz2 - MD5).
Fixes some known bugs and updates some elements of SAVI support.
See Changes. This version has been built and tested to a limited degree on Linux (Fedora Core 3) and FreeBSD 6.1.
[18-May-2006] Posted some basic Instructions on how to use Sophie with Sophos Anti-Virus for Linux v5.x [download]
[21-Nov-2005] Sophie 3.05 release. Roll-up a number of patches and bugfixes.
[21-Oct-2005] New example version of sophie.savi published.
Contains Sophos-recommended settings. See
patches page.
[01-Jun-2005] Sophie 3.04 release. Major fix to solve corrupt file issue.
NB: Releases of Sophie v3 prior to this will not work with versions of Sophos Anti-Virus later than 3.93 (May 2005).
[28-Jan-2004] Sophie 3.04rc2 released. Few bugfixes. Please read Changes file.
[21-Nov-2003] Sophie 3.04rc1 released. Major bugfixes.
[09-Jun-2003] Sophie 3.03 released. Minor bugfixes.
[10-May-2003] Sophie 1.44 released. Major bugfix. Upgrade.
[10-May-2003] Sophie 3.02 released. Major bugfix. Upgrade.
[29-Apr-2003] Sophie 3.01 released. Removed RH9/glibc23 fix. Didn't work.
[28-Apr-2003] Sophie 3.00 released. Major features, bugfixes. SAVI V3 support.
[21-Apr-2003] Sophie 1.43 released. Minor fixes.
[13-Aug-2001] Mailing list created. URL: http://www.vanja.com/list/listinfo.cgi/vtools. Virge/Sophie/Trophie will be discussed (if anyone subscribes, of course ;)
Introduction
Sophie is a daemon which uses the 'libsavi' library from the anti-virus vendor Sophos ( www.sophos.com ).
On startup, Sophie initializes SAVI (Sophos Anti-Virus Interface), loads the virus patterns into memory, opens a local UNIX domain socket, and waits for a client to connect and tell it which path to scan. Since the patterns are already loaded in RAM, scanning starts very fast. Of course, the speed of the scan itself also depends on the SAVI settings and the size of the file.
Sophie was initially created for use with Virge, a mail virus/attachment scanning tool. Because of that, not all SAVI features are implemented in Sophie. My intention was not to create a tool that does the same job as sweep (the Sophos tool), but to make a fast and efficient tool that can detect a virus - but not remove it or make an XLS report on it (heh - this was a stupid joke, I presume ;).
At this point, some of the features (that have been requested) are implemented. Some are not, and might never be. So, please, when asking me to add things in Sophie, keep in mind that Sophie was created for Virge, not to be used as a virus scanning tool for a workstation.
How does it work?
Sophie works in a very simple way.
- Initializes the SAVI interface, and loads the virus patterns
- Creates a local UNIX socket (/var/run/sophie, by default)
- Waits for someone to connect to the socket, and send path(s) on the local filesystem which need to be scanned
- Sophie then forks a process, scans the path(s), and if a virus is found, it stops scanning and returns the result (1:virusname)
- If no viruses were found, it just returns 0
- Sophie then goes back to sleep...
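As an added illustration of the exchange above (not code from the Sophie project): a small client that connects to the socket, sends one path, and maps the reply into a clean/infected/error verdict, with a constructed stand-in daemon so it runs offline. It assumes (the page does not say) that the path is sent as one newline-terminated line and that the daemon closes the connection after replying; any reply other than 0 or 1:virusname is reported as an error rather than as clean.

```python
import os
import socket
import tempfile
import threading

def parse_sophie_response(raw: bytes) -> tuple:
    """'0' means clean, '1:<virusname>' means infected (formats from the page).
    Anything else is an error: a caller must never treat it as a clean verdict."""
    text = raw.decode("utf-8", errors="replace").strip()
    if text == "0":
        return ("clean", None)
    if text.startswith("1:") and len(text) > 2:
        return ("infected", text[2:])
    return ("error", text)

def scan_path(sock_path: str, path: str, timeout: float = 30.0) -> tuple:
    """Send one path to the Sophie socket and return the parsed verdict.
    Assumption: newline-terminated request, daemon closes after its reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(path.encode() + b"\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_sophie_response(b"".join(chunks))

def _fake_sophie(server: socket.socket, verdicts: dict) -> None:
    """Constructed stand-in for the daemon: answers one request, then hangs up."""
    conn, _ = server.accept()
    with conn:
        buf = b""
        while not buf.endswith(b"\n"):
            data = conn.recv(1024)
            if not data:
                break
            buf += data
        conn.sendall(verdicts.get(buf.rstrip(b"\n").decode(), "0").encode())

def demo() -> list:
    # Constructed sample verdicts; the file name mirrors the timing example on the page.
    verdicts = {"/var/tmp/Happy99.exe": "1:W32/Ska-Happy99", "/var/tmp/bad.bin": "garbage"}
    sock_path = os.path.join(tempfile.mkdtemp(), "sophie")
    results = []
    for path in ["/var/tmp/Happy99.exe", "/var/tmp/clean.txt", "/var/tmp/bad.bin"]:
        server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        server.bind(sock_path)
        server.listen(1)
        t = threading.Thread(target=_fake_sophie, args=(server, verdicts))
        t.start()
        results.append(scan_path(sock_path, path))
        t.join()
        server.close()
        os.unlink(sock_path)
    return results
```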
Since the virus patterns are always in memory, scanning is fast (fast in 'startup', not fast in 'execution' :) and uses far fewer resources. For one 'run', it probably doesn't make a difference whether you use Sophie or Sweep. However, if you have a program (a local mail delivery agent, for example) that needs to scan every few seconds/minutes - things are very different.
The 'difference' I am talking about is not in the scanning itself - while a scan is in progress, Sophie itself is barely involved. Scanning speed depends on the SAVI setup and on the size of the file being scanned (and if it is an archive, there might be hundreds, even thousands of files inside). The initialization of the engine is what counts in this case.
For example, here is a timing measurement for scanning the file /var/tmp/Happy99.exe with sweep, and with Sophie.
[root@x sock]# time --verbose sweep /var/tmp/Happy99.exe
SWEEP virus detection utility
Version 3.48, August 2001 [Linux/Intel]
<snip>
>>> Virus 'W32/Ska-Happy99' found in file /var/tmp/Happy99.exe
<snip>
Command exited with non-zero status 3
Command being timed: "sweep /var/tmp/Happy99.exe"
User time (seconds): 0.54
System time (seconds): 0.01
Percent of CPU this job got: 91%
Elapsed (wall clock) time (h:mm:ss or m:ss): 0:00.62
<snip>
[root@x sock]# time --verbose ./scan_file /var/run/sophie /var/tmp/Happy99.exe
FILE INFECTED: [/var/tmp/Happy99.exe] (VIRUS: W32/Ska-Happy99)
Command being timed: "./scan_file /var/run/sophie /var/tmp/Happy99.exe"
User time (seconds): 0.00
System time (seconds): 0.00
Percent of CPU this job got: 0%
Elapsed (wall clock) time (h:mm:ss or m:ss): 0:00.02
<snip>
The difference is quite big. Sophie does not need to reload the patterns (which are approx. 1.8Mb and are probably packed, so the file needs to be unpacked), while Sweep does. The scan_file program only connected to the /var/run/sophie socket, sent a filename, and got the response (with the virus name). This is what Sophie was made for.
I am not trying to say that Sweep is bad or anything similar - I am just trying to clarify some details for people who might want to start asking for addition of some features in Sophie :)
Important
- Sophie does not remove/clean/fix any viruses
- Sophie should not be used as a workstation tool - it was intended for server usage (translated: I will not be adding any 'workstation friendly' features :)
- If you don't know what you could use Sophie for - you probably don't need it
It is also very important to realize that Sophie is still being developed, and this is not its final 'look'. Some changes are also likely to happen to the response format (the filename will probably be included in the response when a virus is found) and to the logging feature (where things are logged, and what is logged). Also, it is possible that I will modify Sophie so that it doesn't stop after the first virus is found, but scans/reports all files/viruses.
Sophie might even get 'integrated' with Trophie at some point, but it will take some time :)
Downloads
Latest V3 release is 3.05 (01-Jun-2005)
Sophie is released under the GPL license.
sophie-3.05.tar.bz2 ( MD5 )
sophie-3.05.tar.gz ( MD5 )
README [as txt]
README.NETWORK [as txt]
Changes [as txt]
Older releases
Latest V1 release is 1.44 (10-May-2003)
Sophie is released under the GPL license.
sophie-1.44.tar.bz2 ( MD5 )
sophie-1.44.tar.gz ( MD5 )
README [as txt]
README.NETWORK [as txt]
Changes [as txt]
Older releases
Credits
Author: Vanja Hrustic <vanja at pobox.com>
Thanks
Big "thank you" goes to Sophos, for releasing the docs for the API (more or less complete ;), and for releasing the SDK.
I also have to thank Philipp Gaschütz <philipp at corpex.de> for suggesting different (working... better... :) way of limiting number of processes in Sophie.