--- Version 1.44 ---

--- Introduction

REMEMBER: YOU NEED the Sophos library/package in order to use Sophie!

Sophie is a daemon which uses the 'libsavi' library from the anti-virus vendor
Sophos ( http://www.sophos.com ).

On startup, Sophie initializes SAPI (Sophos Anti-Virus Interface), loads the
virus patterns into memory, opens a local UNIX domain socket, and waits for a
client to connect and tell it which path to scan. Since the engine and patterns
are already loaded in RAM, scanning is very fast. Of course, scanning speed also
depends on the SAVI settings and on the size of the file.

--- Requirements

You must have libsavi and the virus patterns installed on your system.

You will also probably need some application that is able to send request(s)
to Sophie and do something with the result. A sample application is included
with Sophie.

Sophie has been compiled/tested on:

  Linux (kernel 2.2.x and 2.4.x - various distros) with gcc
  FreeBSD 4.5 with gcc
  FreeBSD 4.3 with gcc
  OpenBSD 2.9 with gcc
  HP-UX 10.20 with gcc
  Solaris 2.6 (Sparc) with gcc
  Solaris 2.7 (Sparc) with gcc
  Solaris 2.8 (x86) with gcc

Engines/virus patterns tested:

  engine v2.10 / patterns (IDE) v3.65
  engine v2.10 / patterns (IDE) v3.58
  engine v2.10 / patterns (IDE) v3.57
  engine v2.9  / patterns (IDE) v3.55
  engine v2.5  / patterns (IDE) v3.48
  engine v2.2  / patterns (IDE) v3.44
  engine v2.0  / patterns (IDE) v3.41

--- Details

The SAVI Developers Toolkit V1.04 (available from the Sophos website) dates
from November 2000 and does not seem to include all the references to the
configuration options of SAVI. I have therefore modified the include files a
little bit (actually, only the file 'savitype.h' is modified) in order to make
some configuration options available to Sophie.
List of added options:

  #define SOPHOS_LHA_DECOMPRESSION      _T("Lha")
  #define SOPHIE_SOPHOS_SFX_HANDLING    _T("SfxArchives")
  #define SOPHOS_MSCABINET_HANDLING     _T("MsCabinet")
  #define SOPHOS_TNEF_HANDLING          _T("TnefAttachmentHandling")
  #define SOPHOS_MSCOMPRESS_HANDLING    _T("MSCompress")
  #define SOPHOS_OF95DECRYPT_HANDLING   _T("OF95DecryptHandling")
  #define SOPHOS_DELETE_ALL_MACROS      _T("DeleteAllMacros")

(as of Sophie 1.10 / Engine 2.5)

  #define SOPHOS_VBE                    _T("Vbe")
  #define SOPHOS_EXEC_FILE_DISINFECTION _T("ExecFileDisinfection")
  #define SOPHOS_VISIO_FILE_HANDLING    _T("VisioFileHandling")

(as of Sophie 1.18 / Engine 2.9)

  #define SOPHOS_MIME                   _T("Mime")
  #define SOPHOS_ACTIVE_MIME_HANDLING   _T("ActiveMimeHandling")
  #define SOPHOS_DEL_VBA5_PROJECT       _T("DelVBA5Project")
  #define SOPHOS_SCRAP_OBJECT_HANDLING  _T("ScrapObjectHandling")
  #define SOPHOS_SRP_STREAM_HANDLING    _T("SrpStreamHandling")
  #define SOPHOS_OFFICE2001_HANDLING    _T("Office2001Handling")
  #define SOPHOS_UPX                    _T("Upx")
  #define SOPHOS_MAC                    _T("Mac")
  #define SOPHOS_SAFE_MAC_DF_HANDLING   _T("SafeMacDfHandling")
  #define SOPHOS_PALM_PILOT_HANDLING    _T("PalmPilotHandling")

(Engine 2.10 - IDE 3.57/3.58)

  #define SOPHOS_PDF                    _T("Pdf")
  #define SOPHOS_RTF                    _T("Rtf")
  #define SOPHOS_HTML                   _T("Html")
  #define SOPHOS_ELF                    _T("Elf")
  #define SOPHOS_WORDB                  _T("WordB")
  #define SOPHOS_OUTLOOK_EXPRESS        _T("OutlookExpress")

The names are probably self-explanatory.

SOPHOS_MSCOMPRESS_HANDLING seems not to be supported on UNIX, so it is disabled
by default.

NOTE: Do not set SOPHOS_DELETE_ALL_MACROS, since SAVI will then no longer
perform virus scanning at all. I can only guess what this setting is for, but
it's better not to use it than to 'assume'.

In order to access/modify the configuration options for Sophie, edit the
sophie_init.h file and set the options as you please.
Keep in mind that the default options (as set in sophie_init.h) might take more
resources on the machine - tune them if necessary. Do not just run Sophie with
the default settings without trying to understand how it is configured.

Right now, you have to edit sophie_init.h and recompile Sophie - I might add
some form of configuration file or runtime configuration setting later. I
simply didn't need it and didn't want to bother adding it :)

--- Installation

As of version 1.30, most of the Sophie configuration options can be set with
./configure options. Type

  ./configure --help

to obtain the list of configuration options:

  --with-savilib=PATH           location of libsavi [/usr/local/lib]
  --with-socketfile=PATH        path of socket file [/var/run/sophie]
  --with-pidfile=PATH           path of pid file [/var/run/sophie.pid]
  --with-user=USER              user to run as [varies per OS]
  --with-group=GROUP            group to own socket file [varies per OS]
  --with-maxproc=NUM            max concurrent scans [20]
  --with-logname=NAME           name for syslog messages [sophie]
  --with-logfacility=FACILITY   facility for syslog messages [LOG_MAIL]
  --with-logpriority=PRIORITY   priority for syslog messages [varies per OS]
  --with-timeout=SECONDS        scanning timeout [90]

Starting with version 1.31, new configuration options are featured:

  --enable-net                  enable network support [no]
  --with-net-port=PORT          port to use [4009]
  --with-net-tempdir=DIR        temporary directory to use for network scans [/tmp]

Network scans write temporary files into this directory; a directory dedicated
to Sophie, rather than the shared /tmp, is the safer choice. Read README.NETWORK
in order to get more details on these options.

Starting with version 1.33rcX, new configuration options are added:

  --enable-error-strings        return error strings [no]

If this option is enabled, Sophie will return a more verbose error message
whenever -1 is returned (this might break some apps that don't expect the extra
output).

  --enable-timestamps           print timestamps in foreground mode [no]

If Sophie is running in foreground mode and --enable-timestamps is enabled, a
timestamp will be prepended to each Sophie message.
If libsavi is not in the default library path, use

  ./configure --with-savilib=/path/to/libsavi/dir

Then type

  make

If compilation was fine, copy the binary somewhere and use it :)

--- Problems/Bugs

You might get a message like this on startup:

  ld.so.1: ./sophie: fatal: libsavi.so.2: open failed: No such file or directory

Make sure libsavi.so is in LD_LIBRARY_PATH.

Additionally, it seems that you might need to create a symbolic link for
libsavi.so in order to make the configure script work properly - some people
have reported that the configure script did not recognize the library, even
when it was in /usr/lib. To fix this, go to the directory where the libsavi
library is and type:

  # ln -s libsavi.so.2 libsavi.so

(re-run ldconfig, if needed)

I did not test Sophie when the virus patterns are missing or there is some
similar 'unexpected' error. I don't have time to do this, but I would like to
hear if anyone else has problems.

--- Usage

To get brief help, use:

  ./sophie -h

To see the version of the SAVI engine and patterns, use:

  ./sophie -v

To see the current (compiled-in) SAVI configuration, use:

  ./sophie -c

To check Sophie and scan a *file* (not a directory) on a local hard disk, use:

  ./sophie -f <file>

To check Sophie and scan a *directory* on a local hard disk, use:

  ./sophie -s <directory>

To send Sophie into the background, use:

  ./sophie -D

Sophie will reload the patterns (re-init) if it receives a HUP signal.

An eicar.com test file is also available, to make testing easier.
NOTE: eicar.com is created during the compilation process (from the Makefile).

--- Sample applications

You can find some sample applications (C and Perl) in the 'sample_apps'
directory.

--- Availability

Releases of Sophie are (should be) available at:

  http://www.vanja.com/tools/

--- Author

Send comments/patches to: vanja@pobox.com

--- License

This program is released under the GPL license.