Using Sophie with SAV v5.0 for Linux

Sophos Anti-Virus version 5 for Linux offers significant new features over v4.x. The primary features are an HTTP-based GUI and on-access scanning for viruses and malware using the Talpa kernel module.

At the core of SAV v5 is exactly the same virus engine as in SAV v4, with the same virus data, using the same IDEs and, most importantly, using the same SAVI API. It is therefore possible to use Sophie with SAV v5.

Since SAV v5 is a larger, more elaborate product, it uses a different set of directory structures to store its libraries and data files. Some tweaks are therefore required to get Sophie running properly.

In addition, SAV v5 also offers automated download of engine and virus data updates, either directly from Sophos or through the Sophos Enterprise Library system. It may be possible to tie Sophie in with this automated update system.

0. Installation location

By default SAV v5.0 installs itself in /opt/sophos-av. These instructions assume that it is installed in this default location.

1. Using the correct library

SAV v5.0 stores the SAVI library (libsavi.so.*) in /opt/sophos-av/lib. You need to get Sophie to pick up this version of libsavi.

One way to achieve this (which I have tried on a Fedora Core system) is to make sure this path is in the search path for libraries. It's probably best to put it at the end of the path, since SAV5 may install other libraries that are not unique to SAV and may conflict with system libraries.

Either: add a line to the end of /etc/ld.so.conf:

    /opt/sophos-av/lib

or, create a new file in /etc/ld.so.conf.d called 'zsavi.conf' as follows:

    # echo '/opt/sophos-av/lib' > /etc/ld.so.conf.d/zsavi.conf

Then: run

    # ldconfig

to tell the linker to update its paths.

Alternatively: if you're concerned about messing up library paths for other apps, you should start Sophie from a script that sets the LD_LIBRARY_PATH variable to include /opt/sophos-av/lib.
For example, startsophie.sh:

    #!/bin/bash
    # Add the SAV library directory. The ${VAR:+...} form avoids a trailing
    # ':' (an empty entry means "current directory") when the variable is unset.
    export LD_LIBRARY_PATH="/opt/sophos-av/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    ./sophie

2. Picking up the right virus data

SAV v5 puts the virus data in /opt/sophos-av/lib/sav. There are two ways to tell SAVI where to look for virus data. One involves API calls to set two config values, which Sophie does not support at present (as of v3.05). So the second way is the best.

Edit (or create) the file /etc/sav.conf so that it contains the following line:

    SAV virus data directory = /opt/sophos-av/lib/sav

Sorted.

3. Integrating Sophie with the auto-update procedure

You need to find a way to send a SIGHUP to Sophie when an update has completed. SAV5 updating runs from a cron job in root's crontab. You can see this by running:

    # crontab -u root -l
    10 * * * * /opt/sophos-av/bin/savupdate

You could modify this script or one of the other scripts that gets called as a part of the update process. Unfortunately there seems to be no way to be sure that your amended scripts won't be overwritten by a future software update.

The best way to have Sophie reload when new virus data is downloaded is to run a completely separate script that checks whether SAV has been updated. This needs to run after the update job, remembering to leave enough time for the update process to complete.

The following script checks whether SAV v5.x has been updated and sends a SIGHUP to Sophie if necessary:

    #!/bin/bash

    SAV_DIR='/opt/sophos-av'
    SOPHIE_TMP='/tmp/sophie'
    SAVI_MANIFEST='cidsync.upd'
    SAVI_MANIFEST_DIR="$SAV_DIR/update/cache/LOCAL/PACKAGE/savi"

    # Check for the existence of the chosen tmp directory.
    # Create it private to the user running this script.
    if [ ! -d "$SOPHIE_TMP" ] ; then
        mkdir -m 700 "$SOPHIE_TMP" || exit 1
    fi
    # Refuse a symlink, or a directory somebody else created at this path.
    if [ -L "$SOPHIE_TMP" ] || [ ! -O "$SOPHIE_TMP" ] ; then
        logger -t sophie_reload "Refusing to use $SOPHIE_TMP"
        exit 1
    fi

    # If there's already a manifest file in the temp directory, compare it with
    # the one installed with SAV. If it's the same, there has been no update.
    if [ -f "$SOPHIE_TMP/$SAVI_MANIFEST" ] ; then
        if diff "$SOPHIE_TMP/$SAVI_MANIFEST" "$SAVI_MANIFEST_DIR/$SAVI_MANIFEST" >/dev/null 2>&1 ; then
            exit
        fi
    fi

    # Take a copy of the manifest file to compare next time we run
    cp -f "$SAVI_MANIFEST_DIR/$SAVI_MANIFEST" "$SOPHIE_TMP/$SAVI_MANIFEST"

    # If no Sophie config file has been specified, use a default
    SOPHIE_CFG=$1
    if [ "$SOPHIE_CFG" == "" ] ; then
        SOPHIE_CFG=/etc/sophie.cfg
    fi

    # Check for the existence of the Sophie config file
    if [ -f "$SOPHIE_CFG" ] ; then
        # Read the Sophie pid filename from the config file
        SOPHIE_PIDFILE=$(grep '^pidfile:' "$SOPHIE_CFG" | sed -e 's/pidfile: //')
        # Quoted, so that an empty value fails this test instead of passing it
        if [ -f "$SOPHIE_PIDFILE" ] ; then
            # Get the pid from the pidfile and send the signal
            for i in $(cat "$SOPHIE_PIDFILE") ; do
                logger -t sophie_reload "Sending SIGHUP to pid $i"
                kill -HUP "$i"
            done
        else
            logger -t sophie_reload "No sophie running at $SOPHIE_PIDFILE"
        fi
    else
        logger -t sophie_reload "No sophie config file at $SOPHIE_CFG"
    fi

You can edit the values of SAV_DIR and SOPHIE_TMP in the script as necessary to reflect the location of the SAV installation and your chosen tmp directory.

Save this script somewhere (the following instructions assume it's saved in /etc/sophie-sav5-update) and make it executable by root:

    # chown root:root sophie-sav5-update
    # chmod 744 sophie-sav5-update

Then create a crontab entry to run it. I run it 3 minutes after the savupdate job starts and then again 20 minutes after. If the update process completes quickly - e.g. when only IDEs are downloaded - sophie gets updated after 5 mins, but if the update process takes longer, we have another chance. It doesn't matter too much if we run this script more often than we need to because if nothing has changed since it last ran, it won't do anything.

    # crontab -u root -e

The current crontab will be loaded in an editor.
Add the line:

    12,30 * * * * /etc/sophie-sav5-update /etc/sophie.cfg

remembering to adjust the time and the paths to the update script and the relevant sophie.cfg file accordingly. Save the file.

The first time the script runs it will send a SIGHUP to Sophie. On all subsequent runs it should only send the SIGHUP when an update has occurred, unless your tmp directory is nuked.
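
Because the reload script runs as root and signals whatever pid the pidfile holds, a stale or tampered pidfile can make it signal the wrong process. The following is an added example (not part of the original instructions or of the Sophie distribution) that checks each pid before sending SIGHUP. The function names, PROC_ROOT, EXPECTED_COMM and the assumption that the daemon's process name is "sophie" are choices made for this sketch.

```shell
#!/bin/bash
# Added example (not from the Sophie distribution): validate pids before SIGHUP.
# PROC_ROOT and EXPECTED_COMM are assumptions of this sketch, not Sophie settings.
PROC_ROOT="${PROC_ROOT:-/proc}"
EXPECTED_COMM="${EXPECTED_COMM:-sophie}"

# Print the pidfile path named by the "pidfile:" line of a Sophie config file.
sophie_pidfile() {
    sed -n 's/^pidfile:[[:space:]]*//p' "$1" | head -n 1
}

# Print each pid from the pidfile that is numeric, greater than 1, and whose
# process name matches EXPECTED_COMM. Returns non-zero if none qualifies.
sophie_valid_pids() {
    local cfg="$1" pidfile pid comm found=1
    [ -f "$cfg" ] || return 2
    pidfile="$(sophie_pidfile "$cfg")"
    # An empty path must fail here rather than reach "cat" with no argument.
    [ -n "$pidfile" ] && [ -f "$pidfile" ] || return 3
    # "|| [ -n ... ]" also handles a last line with no trailing newline.
    while read -r pid _ || [ -n "$pid" ]; do
        case "$pid" in
            ''|*[!0-9]*) continue ;;   # blank or non-numeric, e.g. "-1"
        esac
        [ "$pid" -gt 1 ] || continue   # never signal pid 0 or init
        comm="$(cat "$PROC_ROOT/$pid/comm" 2>/dev/null)" || continue
        if [ "$comm" = "$EXPECTED_COMM" ]; then
            echo "$pid"
            found=0
        fi
    done < "$pidfile"
    return "$found"
}

# Send SIGHUP to validated pids only, logging through syslog.
sophie_reload() {
    local p rc=1
    for p in $(sophie_valid_pids "$1"); do
        logger -t sophie_reload "Sending SIGHUP to pid $p"
        kill -HUP "$p" && rc=0
    done
    return "$rc"
}

# When called with a config file argument, perform the reload.
if [ $# -gt 0 ]; then
    sophie_reload "$1"
fi
```

The pid loop in the update script could call sophie_reload "$SOPHIE_CFG" in place of the direct kill.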