Using Sophie with SAV v5.0 for Linux

Sophos Anti-Virus version 5 for Linux offers significant new features over
v4.x. The primary features are an HTTP-based GUI and on-access scanning for
viruses and malware using the Talpa kernel module.

At the core of SAV v5 is exactly the same virus engine as in SAV v4, with the
same virus data, using the same IDEs and, most importantly, using the same
SAVI API. It is therefore possible to use Sophie with SAV v5. Since SAV v5
is a larger, more elaborate product, it uses a different set of directory
structures to store its libraries and data files, so some tweaks are
required to get Sophie running properly.

In addition, SAV v5 also offers automated download of engine and virus data
updates, either directly from Sophos or through the Sophos Enterprise Library
system. It may be possible to tie Sophie in with this automated update system.

0. Installation location

By default SAV v5.0 installs itself in /opt/sophos-av. These instructions
assume that it is installed in this default location.

1. Using the correct library

SAV v5.0 stores the SAVI library (libsavi.so.*) in /opt/sophos-av/lib. You need
to get Sophie to pick up this version of libsavi. One way to achieve this
(which I have tried on a Fedora Core system) is to make sure this path is in
the search path for libraries. It's probably best to put it at the end of the
path, since SAV5 may install other libraries that are not unique to SAV and may
conflict with system libraries.

Either add a line to the end of /etc/ld.so.conf:
/opt/sophos-av/lib

or create a new file in /etc/ld.so.conf.d called 'zsavi.conf' (the leading 'z'
makes it sort after the other files in that directory, so the SAV directory is
searched last) as follows:

# echo '/opt/sophos-av/lib' > /etc/ld.so.conf.d/zsavi.conf

Then run

# ldconfig

to tell the dynamic linker to rebuild its library cache.

Alternatively:
If you're concerned about messing up library paths for other apps, you should
start Sophie from a script that sets the LD_LIBRARY_PATH variable to include
/opt/sophos-av/lib. For example:

startsophie.sh
#!/bin/bash
export LD_LIBRARY_PATH="/opt/sophos-av/lib:$LD_LIBRARY_PATH"
./sophie
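Whichever of the two methods you use, it is worth confirming that Sophie really does resolve libsavi from the SAV v5 tree and not from a stale copy elsewhere. The following check is an added example, not from the original page: it parses ldd output (run it as ldd ./sophie | check_sophie_libsavi), and the sample ldd lines embedded at the bottom are constructed.

```bash
#!/bin/bash
# Added example: confirm which libsavi a Sophie binary will actually load.

SAV5_LIB='/opt/sophos-av/lib'   # default SAV v5 library directory

# Read ldd output on stdin and print the resolved path of libsavi.
# Prints nothing and returns 1 if libsavi is absent or "not found".
libsavi_path_from_ldd() {
    awk '$1 ~ /^libsavi\.so/ && $2 == "=>" && $3 ~ /^\// { print $3; found = 1; exit }
         END { exit (found ? 0 : 1) }'
}

# Return 0 if the resolved path lives under the SAV v5 library directory.
is_sav5_lib() {
    case "$1" in
        "$SAV5_LIB"/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Usage: ldd ./sophie | check_sophie_libsavi
# Returns 0 (SAV v5 libsavi), 1 (some other libsavi), 2 (libsavi not resolved).
check_sophie_libsavi() {
    local path
    path=$(libsavi_path_from_ldd) || { echo "ERROR: libsavi is not resolved by the dynamic linker"; return 2; }
    if is_sav5_lib "$path"; then
        echo "OK: libsavi resolves to $path"
        return 0
    fi
    echo "WARNING: libsavi resolves to $path, not under $SAV5_LIB"
    return 1
}

# Constructed sample ldd output: one good case, one where an old libsavi
# left in /usr/local/lib shadows the SAV v5 copy.
SAMPLE_OK='    libsavi.so.3 => /opt/sophos-av/lib/libsavi.so.3 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'
SAMPLE_STALE='    libsavi.so.3 => /usr/local/lib/libsavi.so.3 (0x00007f0000000000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0000100000)'

# Demonstration on the constructed samples (the stale case deliberately returns 1).
printf '%s\n' "$SAMPLE_OK"    | check_sophie_libsavi
printf '%s\n' "$SAMPLE_STALE" | check_sophie_libsavi || true
```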

2. Picking up the right virus data

SAV v5 puts the virus data in /opt/sophos-av/lib/sav. There are two ways to tell
SAVI where to look for virus data. One is to set two configuration values through
SAVI API calls, which Sophie does not support at present (as of v3.05), so the
second way is the one to use.

Edit (or create new) the file /etc/sav.conf so that it contains the following
line:
SAV virus data directory = /opt/sophos-av/lib/sav

Sorted.

3. Integrating sophie with the auto-update procedure

You need to find a way to send a SIGHUP to Sophie when an update has completed.

SAV5 updating runs from a cron job in root's crontab. You can see this by
running
# crontab -u root -l
10 * * * * /opt/sophos-av/bin/savupdate

You could modify this script or one of the other scripts that gets called as a
part of the update process. Unfortunately there seems to be no way to be
sure that your amended scripts won't be overwritten by a future software update.

The best way to have Sophie reload when new virus data is downloaded is to
run a completely separate script that checks whether SAV has been updated. This
needs to run after the update job, remembering to leave enough time for the
update process to complete.

The following script checks whether SAV v5.x has been updated and sends a SIGHUP
to Sophie if necessary:

#!/bin/bash

SAV_DIR='/opt/sophos-av'
SOPHIE_TMP='/tmp/sophie'
SAVI_MANIFEST='cidsync.upd'
SAVI_MANIFEST_DIR="$SAV_DIR/update/cache/LOCAL/PACKAGE/savi"

# Check for the existence of the chosen tmp directory.
if [ ! -d "$SOPHIE_TMP" ] ; then
    mkdir "$SOPHIE_TMP"
fi

# If there's already a manifest file in the temp directory, compare it with
# the one installed with SAV. If it's the same, there has been no update.
if [ -f "$SOPHIE_TMP/$SAVI_MANIFEST" ] ; then
    if diff "$SOPHIE_TMP/$SAVI_MANIFEST" "$SAVI_MANIFEST_DIR/$SAVI_MANIFEST" >/dev/null 2>&1 ; then
        exit 0
    fi
fi

# Take a copy of the manifest file to compare next time we run
cp -f "$SAVI_MANIFEST_DIR/$SAVI_MANIFEST" "$SOPHIE_TMP/$SAVI_MANIFEST"

# If no Sophie config file has been specified, use a default
SOPHIE_CFG="$1"
if [ -z "$SOPHIE_CFG" ] ; then
    SOPHIE_CFG=/etc/sophie.cfg
fi

# Check for the existence of the Sophie config file
if [ -f "$SOPHIE_CFG" ] ; then

    # Read the Sophie pid filename from the "pidfile:" line of the config file
    SOPHIE_PIDFILE=`grep '^pidfile:' "$SOPHIE_CFG" | sed -e 's/^pidfile: *//'`

    if [ -f "$SOPHIE_PIDFILE" ] ; then

        # Get the pid from the pidfile and send the signal
        for i in `cat "$SOPHIE_PIDFILE"` ; do
            logger -t sophie_reload "Sending SIGHUP to pid $i"
            kill -HUP "$i"
        done
    else
        logger -t sophie_reload "No sophie running at $SOPHIE_PIDFILE"
    fi
else
    logger -t sophie_reload "No sophie config file at $SOPHIE_CFG"
fi

You can edit the values of SAV_DIR and SOPHIE_TMP in the script as necessary to
reflect the location of the SAV installation and your chosen tmp directory.
Because the script runs as root and writes into that directory, a location that
only root can write to (for example under /var/lib) is a safer choice than the
world-writable /tmp.

Save this script somewhere (the following instructions assume it's saved in
/etc/sophie-sav5-update) and make it executable by root:
# chown root:root sophie-sav5-update
# chmod 744 sophie-sav5-update

Then create a crontab entry to run it. I run it 3 minutes after the savupdate
job starts and then again 20 minutes after. If the update process completes
quickly - e.g. when only IDEs are downloaded - sophie gets updated after 5 mins,
but if the update process takes longer, we have another chance. It doesn't
matter too much if we run this script more often than we need to because if
nothing has changed since it last ran, it won't do anything.
# crontab -u root -e

The current crontab will be loaded in an editor. Add the line:
12,30 * * * * /etc/sophie-sav5-update /etc/sophie.cfg

Remember to adjust the time and the paths to the update script and the
relevant sophie.cfg file accordingly. Save the file.

The first time the script runs it will send a SIGHUP to Sophie. On all
subsequent runs it should only send the SIGHUP when an update has occurred,
unless your tmp directory is nuked.
