Endpoint

Sophos Anti-Virus for Linux 9 Preview release notes

July 2014

About these release notes

These are the release notes for Sophos Anti-Virus for Linux Preview versions, managed by Sophos Enterprise Console or standalone.

Some of the features mentioned in these release notes are only available on managed computers or if you have the appropriate license.

Note: You may find that you cannot yet download and use the latest version on the list below. This is because Sophos releases the software over a number of days, but publishes the release notes on the first day.

Version 9.7.0, July 2014

Components

Sophos Anti-Virus (SAV) 9.7.0
Threat detection engine 3.53.0

New features

  • Sophos now receives anonymous phone-home data from the product. This is used to improve product quality and testing. For details, see Knowledge Base article 121214.
  • Sophos Anti-Virus now includes Talpa Binary Pack support for Red Hat Enterprise Linux 7 and CentOS 7.
  • A new version of Talpa, 1.18.1, which fixes Talpa-related issues, has been added.
  • A new adapter has been added to RMS to improve reliability. This will restart RMS components (mrouter and magent) after a crash. If you want the adapter to restart RMS periodically, you add
    RestartIntervalHours=<Hours>
    to $INST/etc/sophosmgmtd.conf.
  • Sophos Anti-Virus now supports scanning using fanotify.
  • The threat detection engine and threat data have been updated.

Resolved issues

Issue ID Description
SUG95841 Added support for customers to create packages that update directly from Sophos.

We have altered the script for making installation packages (mkinstpkg.sh) so that customers can now select Sophos as the update location.

DEF94382 fanotify scan processors are occasionally force terminated.

We have reworked stream handling so that fanotify is no longer force terminated.

DEF94926 fanotify scanning reports uncaught exception errors

This issue has been resolved after a review of our exception handling.

DEF85504 If you run the uninstallation script with an invalid option, the help for installation is displayed.

Running uninstall.sh with an invalid option used to result in the list of options for installation being displayed. The correct list of uninstallation options is now displayed.

SUG65114 Make it possible to ensure that Sophos Anti-Virus does not use an http proxy.

A noproxy setting can now be enforced in savconfig. For details, see the manpage for savconfig.

DEF95670 Enterprise Console displays the incorrect version number after an upgrade or downgrade.

Enterprise Console did not update version numbers after upgrade or downgrade between versions with the same threat detection engine and data (for example, Preview and Recommended version). This has now been changed so that the correct version number is shown.

DEF96222 RMS, which handles communications with the server, does not start properly.

This is fixed, as the sophosmgmtd adapter now restarts the RMS components (mrouter and magent) after an SEGV error.

WKI95940 RMS, which handles communications with the server, does not initialize and rapidly fills Messages.txt with sav-rms failure messages.

This is fixed, as the sophosmgmtd adapter now manages restarts for the RMS components (mrouter and magent).

DEF87381 The RMS component mrouter coredumps when cluster software changes the network adapter settings.

This is fixed, as the sophosmgmtd adapter restarts mrouter after an SEGV error.

WKI79953 The RMS component magent coredumps.

This is fixed, as the sophosmgmtd adapter restarts magent after an SEGV error.

SUG80323 Force RMS to send a 'heartbeat' message back to Enterprise Console periodically.

We have implemented this, as the sophosmgmtd adapter can be configured to do periodic restarts (which force messages to be sent).

Version 9.6.1, April 2014

Components

Sophos Anti-Virus (SAV) 9.6.1
Threat detection engine 3.51.0

New features

  • A new version of Talpa, 1.17.5, which fixes Talpa-related issues, has been added.
  • Sophos Anti-Virus now supports scanning of files on the btrfs filesystem with Talpa and fanotify.
  • The threat detection engine and threat data have been updated. The threat data is now distributed as a supplement, which is updated independently from Sophos Anti-Virus and allows for more frequent updates.

Resolved issues

Issue ID Description
DEF95898 Mount fails with the error "protocol driver not attached" when Sophos Anti-Virus 9.5.1 for Linux is installed.

Attempting to mount a drive on a Linux computer with Sophos Anti-Virus version 9.5.1 (with engine version 3.50) fails. For more information, see http://www.sophos.com/en-us/support/knowledgebase/120622.aspx.

Version 9.6.0, March 2014

Components

Sophos Anti-Virus (SAV) 9.6.0
Threat detection engine 3.50.2

New features

  • A new version of Talpa, 1.17.4, which fixes Talpa-related issues, has been added.

Resolved issues

Issue ID Description
DEF95898 Mount fails with the error "protocol driver not attached" when Sophos Anti-Virus 9.5.1 for Linux is installed.

Attempting to mount a drive on a Linux computer with Sophos Anti-Virus version 9.5.1 (with engine version 3.50) fails. For more information, see http://www.sophos.com/en-us/support/knowledgebase/120622.aspx.

Version 9.6.0, February 2014

Components

Sophos Anti-Virus (SAV) 9.6.0
Threat detection engine 3.50.2

New features

  • A new version of Talpa, 1.17.2, which fixes Talpa-related issues, has been added.
  • The threat data has been updated.

Resolved issues

Issue ID Description
DEF95938 Talpa Binary Pack can fail on Linux kernels 3.11 and later.

Under some circumstances, Talpa Binary Pack can fail to intercept file accesses on Linux kernels 3.11 and later, so that the user loses on-access protection.

DEF95394 Talpa generates multiple errors and can cause lockups on computers with Linux 3.8 kernel.

If you run Sophos Anti-Virus 9.5.0 or later on a computer running the Linux kernel 3.8, Talpa generates errors and can cause lockups. The computer has to be restarted before it can be used again.

DEF95174 Kernel panics occur on computers with cPanel installed.

Kernel panics occur if Sophos Anti-Virus 9.5.0 or later is installed on computers that also have cPanel installed.

DEF95055 On some distributions, Talpa Binary Pack crashes when attempting a "scan on close" for exiting processes on Linux kernel 3.8 and later.

This means that Talpa Binary Pack support is currently unavailable for these kernels.

DEF94853 On the RHEL/Centos 6.5 distribution, mount points fail with a custom Talpa compilation.

On the RHEL/Centos 6.5 distribution update, which includes the 2.6.32-431 kernel, attempts to mount fail with a message similar to "... failed, reason given by server: No such file or directory." The message log contains one or more of these entries: "kernel: talpa-vfshook: Failed to synchronise post-mount! (-2)".

Version 9.5.5, January 2014

Components

Sophos Anti-Virus (SAV) 9.5.5
Threat detection engine 3.50.2

New features

  • Sophos Anti-Virus now supports scanning of files on the btrfs filesystem with Talpa and fanotify.
  • The threat detection engine and threat data have been updated.

Resolved issues

Issue ID Description
DEF94114 fanotify reports that it has deleted threats even if it has failed to delete them.

fanotify sometimes reports that it has deleted a file that contains a threat but leaves the file on disk. This occurs when a user attempts to access files in a sticky directory that they do not own and cannot write to.

DEF94234 Updating directly from Sophos would fail if the main Sophos server is unavailable.

Updating directly from Sophos would fail if the main Sophos server is unavailable, when a backup server should've been used but wasn't.

DEF93898 Endpoints do not correctly report primary and secondary update locations to Enterprise Console.

Endpoint computers sometimes do not have primary or secondary update locations shown in "Computer Details" or "Update details" in Enterprise Console, even if they are compliant with your policies and up to date.

DEF93016 Web UI log viewer shows log messages without line breaks.

When an update reports a long message, a large block of text without line breaks is shown in the log, which is hard to read.

DEF92615 savscan allows regular users to send the savscan log to /opt/sophos-av/var/spool/

Users can use the -p=<log path> option to send the savscan log to /opt/sophos-av/var/spool. The email notifier then tries to parse the files and deliver them as email. This results in an error and the notifier stops processing files.

DEF92612 After an upgrade from version 6 to 7 and then to 9, world-writeable files and directories are left in a Sophos directory.

Known issues and limitations

Issue ID Description
-- fanotify is not supported on Linux kernels 3.15 or higher with Sophos Anti-Virus for Linux.

This is due to a change in the fanotify API. Sophos will add this support as soon as possible.

DEF92486 On-access scanning with fanotify on NFSv4 can block all access to files.

Running on-access scanning with fanotify on an NFSv4 file system can result in all file access being blocked. This is a kernel issue. Sophos is working with the Linux community to resolve it. Workrounds are to use Talpa instead, downgrade to NFSv3, or exclude any NFSv4 shares from on-access scanning.

96261 On-access scanning with fanotify on CIFS causes 30 seconds delay in file creation and access.

If on-access scanning is run with fanotify on a CIFS (Common Internet File System) local share, users can experience a delay of around 30 seconds when creating or accessing files. This is a kernel issue and Sophos is working with the Linux community to resolve it. Workarounds are to disable CIFS oplocks or exclude the CIFS share from on-access scanning.

-- Per-process memory limits on UNIX systems can restrict Sophos Anti-Virus from functioning correctly.

On IBM AIX systems, Sophos Anti-Virus requires more memory than the default "Maximum Data Segment" size limit. For information on how to increase this limit, see www.sophos.com/en-us/support/knowledgebase/118805.aspx.

DEF74349 Enterprise Console does not show that a file has been quarantined.

On a Sophos Anti-Virus installation that is managed by Sophos Enterprise Console, if an on-demand scan quarantines a file, savlog shows that the file has been quarantined, but in Enterprise Console, "action taken" is blank.

WKI42035

If you install a managed installation of Sophos Anti-Virus on an AIX or HP-UX workstation, and in Sophos Enterprise Console you move the workstation from the "Unassigned" group to another group, the "Anti-virus and HIPS policy" column in the computer list might display "Differs from policy". To work around this, in Enterprise Console, right-click the workstation, point to "Comply with", and then click "Group anti-virus and HIPS Policy".

DEF38027

During installation or upgrade, if you make typographical errors when prompted for information, and correct these, control characters might be stored as part of your input. This could cause a problem, especially with updating. For more information, go to www.sophos.com/en-us/support/knowledgebase/58693.aspx.

DEF29605

On a computer running Solaris version 10 with a Japanese locale, if you try to install Sophos Anti-Virus from a central installation directory and you enter an installation location using Japanese text, the installation fails with the message "svccfg: Syntax error".

DEF23317

If you install Sophos Anti-Virus on a computer that has Sophos Anti-Virus and a third-party product that uses SAV Interface installed, you might have to configure Sophos Anti-Virus to use the correct location for the Sophos Anti-Virus libraries and threat data. For information, go to www.sophos.com/en-us/support/knowledgebase/50230.aspx..

-- Sophos Anti-Virus on AIX and SAV Interface on AIX.

On AIX, it is possible for the memory allocation functions to return memory addresses that don't exist, usually when the computer is running low on memory. If these memory addresses are subsequently accessed, the computer may terminate the application.</p><p>Sophos recommends setting the PSALLOC environment variable to the value "early", before running Sophos Anti-Virus on AIX or SAV Interface applications on AIX, i.e.

PSALLOC=early

Setting PSALLOC to "early" causes the memory allocation functions to only allocate memory that exists. This may cause your computer to run slower, because further checks are carried out on memory as it is allocated.

Additional information

  • Sophos Anti-Virus and PureMessage for UNIX

    If you install Sophos Anti-Virus on a mail server that is running Sophos PureMessage for UNIX, you must make sure that scanning of MIME files is disabled in Sophos Anti-Virus. This is because scanning MIME files with Sophos Anti-Virus might prevent PureMessage from accessing files that contain viruses. By default, MIME scanning is disabled.

  • Installation in non-UTF-8 and non-ASCII encoded locations

    You can't install Sophos Anti-Virus in a location that is specified by a non-UTF-8 and non-ASCII path.

  • Installation on computers using non-UTF-8 and non-ASCII encoding

    On a computer that is using non-UTF-8 and non-ASCII encoding, to install from the deployment package that is created by mkinstpkg.sh, run the installation script as follows:

    LANG=C ./sophos-av/install.sh
  • Japanese language support

    Sophos Anti-Virus can be installed on computers that are using ja_JP.eucJP and ja_JP.UTF8. Installation on computers with ja_JP.sjis locale (Japanese with Shift-JIS encoding) is not supported.

  • Sophos Remote Management System doesn't start if Sophos Anti-Virus has been installed from NFS filesystem

    If you install Sophos Anti-Virus from an NFS filesystem, Sophos Remote Management System won't start. To work around this, use an alternative installation source instead, for example a Samba share.

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2007–2014 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.