Sophos Anti-Virus for Linux release notes

Version numbers

Sophos Anti-Virus 9.6.0 (Preview)
Threat detection engine 3.50.2
Threat data 4.98, February 2014

What's new

This section lists new features and updates included in the last four monthly releases of Sophos Anti-Virus for Linux 9.

To view the list of issues fixed in these releases, see Fixed and known issues.

New in this release

  • Sophos Anti-Virus now includes a new version of Talpa, 1.17.2, which fixes Talpa-related issues.
  • The threat data have been updated.

New in 9.5.5, January 2014

  • Sophos Anti-Virus now supports scanning of files on the btrfs filesystem with Talpa and fanotify.
  • The threat detection engine and threat data have been updated.

New in 9.5.0, December 2013

  • Sophos Anti-Virus now includes Talpa Binary Pack support for Linux 3.8, 3.9, 3.10, and 3.11 kernels.
  • The threat data have been updated.

New in 9.4.1, November 2013

  • Sophos Anti-Virus now includes Talpa Binary Pack support for CentOS 5 and CentOS 6.
  • The threat data have been updated.

Fixed and known issues

This section lists issues fixed in the last four monthly releases of Sophos Anti-Virus and the known issues in this release.


Fixed issues

Issue ID Description Fixed in
DEF95394 Talpa generates multiple errors and can cause lockups on computers with Linux 3.8 kernel

If you run Sophos Anti-Virus 9.5.0 or later on a computer running the Linux kernel 3.8, Talpa generates errors and can cause lockups. The computer has to be restarted before it can be used again.

9.6.0, February 2014
DEF95174 Kernel panics occur on computers with cPanel installed

Kernel panics occur if Sophos Anti-Virus 9.5.0 or later is installed on computers that also have cPanel installed.

9.6.0, February 2014
DEF95055 On some distributions, Talpa Binary Pack crashes when attempting a "scan on close" for exiting processes on Linux kernel 3.8 and later.

This means that Talpa Binary Pack support is currently unavailable for these kernels.

9.6.0, February 2014
DEF94853 On the RHEL/CentOS 6.5 distribution, mount points fail with a custom Talpa compilation.

On the RHEL/CentOS 6.5 distribution update, which includes the 2.6.32-431 kernel, attempts to mount fail with a message similar to "... failed, reason given by server: No such file or directory." The message log contains one or more of these entries:

"kernel: talpa-vfshook: Failed to synchronise post-mount! (-2)".

9.6.0, February 2014
DEF94114 fanotify reports that it has deleted threats even if it has failed to delete them.

fanotify sometimes reports that it has deleted a file that contains a threat but leaves the file on disk. This occurs when a user attempts to access files in a sticky directory that they do not own and cannot write to.

9.5.5, January 2014
DEF94234 Sophos Anti-Virus does not download updates from a secondary update server when the primary server is unavailable.

Sophos Anti-Virus can be configured to update itself from a secondary update server at Sophos when its primary server (either on the local network or at Sophos) is unavailable. However, it does not attempt to contact the secondary server when the primary server fails.

9.5.5, January 2014
DEF93898 Endpoints do not correctly report primary and secondary update locations to Enterprise Console.

Endpoint computers sometimes do not have primary or secondary update locations shown in "Computer Details" or "Update details" in Enterprise Console, even if they are compliant with your policies and up to date.

9.5.5, January 2014
DEF93016 Web UI log viewer shows log messages without line breaks.

When an update reports a long message, a large block of text without line breaks is shown in the log, which is hard to read.

9.5.5, January 2014
DEF92615 savscan allows regular users to send the savscan log to /opt/sophos-av/var/spool/

Users can use the -p=<log path> option to send the savscan log to /opt/sophos-av/var/spool. The email notifier then tries to parse the files and deliver them as email. This results in an error and the notifier stops processing files.

9.5.5, January 2014
DEF92612 After an upgrade from version 6 to 7 and then to 9, world-writeable files and directories are left in a Sophos directory.

9.5.5, January 2014
DEF93361 ExclusionEncodings option does not work with Fanotify.

The ExclusionEncodings option, which enables you to exclude files with names that are not encoded in UTF-8 (for example filenames in EUC-JP), does not work with Fanotify.

9.5.0, December 2013
DEF93714 Fanotify does not block access to malicious programs.

If you use Fanotify to intercept files for on-access scanning, it does not prevent malicious programs from running. Instead it hangs for three minutes and then allows access.

9.5.0, December 2013
DEF92586 Talpa fails to monitor an NFS mount if it cannot find any files when the filesystem is mounted or on-access scanning is started.

9.5.0, December 2013
DEF92198 If Talpa is enabled, writing a file to an NFS share causes kernel panic on the NFS server.

9.5.0, December 2013
DEF91909 On-access scanning causes very high CPU usage.

The savscand daemon for on-access scanning can get into a loop if a file is truncated during scanning. This is due to the method used for checking for the end of a file.

9.4.1, November 2013
DEF92435 On-access scanning is configured to delete files containing threats automatically but does not do so on some Linux distributions.

On some older Linux distributions (including Asianux 3.0), if a user accesses a threat on a root-squashed NFS mount, Talpa does not delete the threat automatically, although it has been configured to do so. The scanner does still detect and report the threat correctly. The user can delete the file manually.

9.4.1, November 2013

Known issues

Issue ID Description
DEF95670 Enterprise Console displays the incorrect version number after an upgrade or downgrade between Recommended and Preview versions.

If you upgrade or downgrade between the Recommended and Preview versions of Sophos Anti-Virus, the product version number displayed in Enterprise Console is not updated. This is because these versions have the same threat detection engine and threat data (changes in the version number are reported only when the detection engine or data version changes). Enterprise Console will display the correct version number as soon as Sophos Anti-Virus receives an automatic update that includes new threat data.

DEF94595 Scanner times out and fails when scanning multiple large files that contain threats

On-access scanning times out and fails if you try to access several large files that contain threats at the same time. You cannot kill the scanning process or unload Talpa. The computer has to be restarted.

WKI67300 On Red Hat Enterprise Linux version 6, desktop pop-up alerts are not displayed.

To fix this problem, install libXpm from the following package on the Red Hat installation DVD:

  • 32-bit versions: libXpm-3.5.8-2.el6.i686.rpm
  • 64-bit versions: libXpm-3.5.8-2.el6.x86_64.rpm

These packages are needed by desktop pop-up alerts but are not installed by default by Red Hat.

DEF18916 On Red Hat Enterprise Linux version 5 64-bit, desktop pop-up alerts are not displayed.

To fix this problem, install libXpm from the following package on the Red Hat installation DVD:

  • libXpm-3.5.5-e.x86_64.rpm

This package is needed by desktop pop-up alerts but is not installed by default by Red Hat.

DEF11871 Desktop pop-up alerts not displayed correctly on Asianux when using unsupported locale.

Desktop pop-up alerts in unsupported locales (zh_CN.UTF-8: Traditional Chinese and Korean) on Japanese installations of Asianux are displayed using identifiers (for example, VIRUS_FOUND_IN_FILE_ACCESS_DENIED) rather than the corresponding English text.

- Local configuration is replaced with Enterprise Console configuration during the upgrade.

When you upgrade to Sophos Anti-Virus 9 on a computer that is managed by Sophos Enterprise Console (SEC) and is configured locally (differs from the SEC policy), the locally configured settings are overwritten by the SEC configuration. However, local configuration that cannot be configured from SEC will not change.

DEF74349 Enterprise Console does not show that a file has been quarantined.

On a Sophos Anti-Virus installation that is managed by Sophos Enterprise Console, if an on-demand scan quarantines a file, savlog shows that the file has been quarantined, but in Enterprise Console, "action taken" is blank.

Additional information

  • Support for SUSE Linux Enterprise Server 9 and TurboLinux 10

    Sophos Anti-Virus 9.2.1 and later is not compatible with the following operating systems:

    For continued support on these platforms continue using Sophos Anti-Virus version 7.x. To prevent automatic upgrade to version 9, you must manually select the "7 Extended Maintenance Recommended" Sophos Update Manager software subscription. For more information, refer to the knowledgebase articles mentioned above.

    Please note that support for both of these platforms will be withdrawn completely in 2013. For more information about product and platform retirement, see

  • Sophos Anti-Virus and PureMessage for UNIX

    If you install Sophos Anti-Virus on a mail server that is running Sophos PureMessage for UNIX, you must make sure that scanning of MIME files is disabled in Sophos Anti-Virus. This is because scanning MIME files with Sophos Anti-Virus might prevent PureMessage from accessing files that contain viruses. By default, MIME scanning is disabled.

  • Installation in non-UTF-8 and non-ASCII encoded locations

    You can't install Sophos Anti-Virus in a location that is specified by a non-UTF-8 and non-ASCII path.

  • Installation on computers using non-UTF-8 and non-ASCII encoding

    On a computer that is using non-UTF-8 and non-ASCII encoding, to install from the deployment package that is created by, run the installation script as follows:

    LANG=C ./sophos-av/

  • Japanese language support

    Sophos Anti-Virus can be installed on computers that are using ja_JP.eucJP and ja_JP.UTF8. Installation on computers with ja_JP.sjis locale (Japanese with Shift-JIS encoding) is not supported.

  • Sophos Remote Management System doesn't start if Sophos Anti-Virus has been installed from NFS filesystem

    If you install Sophos Anti-Virus from an NFS filesystem, Sophos Remote Management System won't start. To work around this, use an alternative installation source instead, for example a Samba share.

Technical support

You can find technical support for Sophos products in any of these ways:

Legal notices

Copyright © 2007–2014 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.