Sophos Anti-Virus

Publisher: [Sophos|Sophos]
Category: Secure Content and Threat Management
TKU: 2018-Dec-1

Product Description

Sophos Anti-Virus is software that detects and deals with threats on your computer or network: viruses, worms, Trojans, spyware, suspicious files, suspicious behavior, adware, PUAs (potentially unwanted applications), rootkits, applications that are controlled as part of your company policy, and devices that are blocked as part of your company policy.

In particular, it can:

  • scan your computer or network for threats, and controlled applications
  • check if each file you access is a threat or controlled application
  • check if each web page you view contains a threat (applies only to Internet Explorer version 6 or later)
  • alert you when it finds a threat, controlled application, or blocked device
  • clean up infected items
  • stop suspicious behavior
  • prevent adware and PUAs from running on your computer
  • clean adware and PUAs from your computer
  • keep a log of its activity
  • be updated to detect the latest threats.

Sophos Anti-Virus is available on Microsoft Windows as well as a number of Unix platforms.

Sophos Anti-Virus is also included as part of the Endpoint Security and Control suite of products.

Known Versions

  • 1.0
  • 4.35
  • 4.7
  • 6.4
  • 7.0
  • 7.6

Software Pattern Summary

Product Component | OS Type | Versioning | Pattern Depth
AntiVirusWindows | Windows | File, Package | Instance-based
AntiVirusUnix | Unix/Linux | File - may require Active command execution | Instance-based

Platforms Supported by the Pattern

Patterns in this module support Windows and Unix/Linux platforms.


Software Instance Triggers

Pattern | Trigger Node | Attribute | Condition | Argument
AntiVirusWindows | DiscoveredProcess | cmd | matches | regex '(?i)\bSavService\.exe$'
AntiVirusLinux | DiscoveredProcess | cmd | matches | regex '\bsavd$'

Simple Identification Mappings

The following components/processes are identified using a combination of pattern definitions and simple identity mappings, which map the known processes of this product to their roles.

Sophos AutoUpdate service | regex '(?i)\bALsvc\.exe$'
Sophos Anti-Virus Monitor service | regex '(?i)\bALMon\.exe$'
Sophos Anti-Virus process | regex '(?i)\bSavService\.exe$'
Sophos Anti-Virus administrating service | regex '(?i)\bSAVAdminService\.exe$'
Graphical interface to Sophos Anti-Virus | regex '(?i)\bSavMain\.exe$'
Sophos Anti-Virus scheduled scans service | regex '(?i)\bBackgroundScanClient\.exe$'
Sophos Anti-Virus network connecting and downloading service | regex '(?i)\bALUpdate\.exe$'
Main Sophos Anti-Virus daemon process | regex '\bsavd$'
Sophos Anti-Virus GUI daemon process | regex '\bsavwebd$'
Sophos Anti-Virus scanning process | regex '\bsavscan$'


Version information is obtained on Windows either by parsing a configuration file (located via a registry query) or by querying the package system, and on Unix/Linux systems by parsing the 'version' file.

File Parsing


Sophos Anti-Virus has a configuration file, factory.xml, which amongst other data holds the product version information.
Its location is determined by extracting the configuration path from the following registry key:


If the path is obtained, the file is retrieved and the XPath TPL function is used to extract the product version (major, minor and build). Otherwise, package information is used to populate the version.


On Unix systems a 'version' file exists as part of the installation, located in the 'engine' directory. By default, Sophos Anti-Virus is installed into the '/opt/sophos-av' directory; if it is not found there, the pattern uses the 'locate' command on Linux/BSD systems to find the installation directory and retrieve the file.

If the 'locate' command is used, the command run is:

/usr/bin/locate sophos-av/engine/version

The output of the 'locate' command is parsed using the following regular expression:

If the file is retrieved, the content is parsed using the following regular expression:

Package Versioning

If the pattern is unable to extract the version information from the configuration file, on Windows hosts it can query the package management system to obtain the product version from the package named 'Sophos Anti-Virus'.
The regular expression used to match the package name is:


Future Considerations

We cannot be certain of obtaining the product version on other Unix platforms, e.g. Solaris.

Additional Attributes

We obtain the last_update_time of the virus definitions from the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Sophos\\AutoUpdate\\UpdateStatus\\LastUpdateTime

Application Model Produced by Software Pattern

Product Architecture

Sophos Anti-Virus consists of several processes/daemons that are independent of each other and do not create child processes, but all of which are nevertheless of importance to the pattern.

Windows system:

This is the main Sophos Anti-Virus service, which interfaces with the drivers and the user interface. SavService.exe performs the virus scanning and disinfection functions.

This service provides information about anti-virus protection to Windows Control Center.

This is the graphical interface to Sophos Anti-Virus (SavMain.exe), through which the application is configured and controlled locally.

This is the AutoUpdate service (ALsvc.exe), run as 'System User'.
When the service first starts up it performs an update check against the CID. ALsvc.exe runs a scheduler that triggers scheduled updates, and it provides an interface that allows an update to be started.

ALUpdate.exe is the file responsible for connecting to the network and downloading files.
At the start of an update, the Sophos AutoUpdate Service copies ALUpdate.exe and the required DLLs and certificates from the above location to %windir%\temp\sophos_autoupdate1.dir\ALUpdate.exe.
This allows AutoUpdate to update itself, if required.

This process presents the shield icon in the system tray.
ALMon.exe is a DCOM server ("dcomcnfg" - "DCOM Config" - "iMonitor"), which allows Sophos Anti-Virus to display virus alerts on the user desktop.

Unix system:


Main Sophos Anti-Virus daemon process (savd).

Sophos Anti-Virus GUI daemon process (savwebd). Activates the GUI, which is used to configure Sophos software on Unix systems.

Sophos Anti-Virus scanning process (savscan). Initiated by the user or by the scheduled procedure.

Software Pattern Model

Windows systems:

This pattern triggers on the process SavService.exe, the main one for the anti-virus service.
Since only one installation of this software is assumed to be running on the host, a simple SI key containing the 'type' and 'host key' attributes is used on creation of the Software Instance.

Unix/Linux systems:

This pattern triggers on the process savd, the main anti-virus daemon process. Since only one installation of this software is assumed to be running on the host, a simple SI key containing the 'type' and 'host key' attributes is used on creation of the Software Instance.


The build number is currently obtained on Windows machines from the configuration file, using the xpath.evaluate() function.
On Unix the pattern extracts the build number from the full_version variable with the following regex:
regex '^\d+\.\d+\.(\d+)'

Relationship Creation

The patterns create associating relationships between the trigger process and all other Sophos Anti-Virus processes, since they are all logically part of the same software instance.
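The trigger conditions, simple identity mappings, build-number regex and relationship creation described above, applied to a constructed list of discovered processes. This is an added Python illustration, not the pattern's own TPL code; the SI key format and the sample process paths are assumptions.

```python
import re
# Trigger conditions from the Software Instance Triggers table (pattern name -> regex on 'cmd').
TRIGGERS = {
    "AntiVirusWindows": re.compile(r"(?i)\bSavService\.exe$"),
    "AntiVirusLinux": re.compile(r"\bsavd$"),
}
# Simple identity mappings from the page: process role -> regex on the process 'cmd' attribute.
IDENTITY_MAPPINGS = {
    "Sophos AutoUpdate service": r"(?i)\bALsvc\.exe$",
    "Sophos Anti-Virus Monitor service": r"(?i)\bALMon\.exe$",
    "Sophos Anti-Virus process": r"(?i)\bSavService\.exe$",
    "Sophos Anti-Virus administrating service": r"(?i)\bSAVAdminService\.exe$",
    "Graphical interface to Sophos Anti-Virus": r"(?i)\bSavMain\.exe$",
    "Sophos Anti-Virus scheduled scans service": r"(?i)\bBackgroundScanClient\.exe$",
    "Sophos Anti-Virus network connecting and downloading service": r"(?i)\bALUpdate\.exe$",
    "Main Sophos Anti-Virus daemon process": r"\bsavd$",
    "Sophos Anti-Virus GUI daemon process": r"\bsavwebd$",
    "Sophos Anti-Virus scanning process": r"\bsavscan$",
}
BUILD_NUMBER_RE = re.compile(r"^\d+\.\d+\.(\d+)")  # page's regex for the build number in full_version
SAMPLE_PROCESSES = [  # constructed example of one Linux host's DiscoveredProcess cmd values
    (101, "/usr/sbin/sshd"), (202, "/opt/sophos-av/engine/savd"),
    (303, "/opt/sophos-av/engine/savwebd"), (404, "/opt/sophos-av/bin/savscan"),
]

def identify(cmd):  # mapped role for a process cmd, or None if it is not a Sophos process
    for role, pattern in IDENTITY_MAPPINGS.items():
        if re.search(pattern, cmd):
            return role
    return None

def build_number(full_version):  # as the Unix pattern derives it; None if full_version does not match
    m = BUILD_NUMBER_RE.match(full_version)
    return int(m.group(1)) if m else None

def build_software_instance(host_key, processes):
    """Model the SI for one host from (pid, cmd) pairs; None if no trigger process is present."""
    for pattern_name, regex in TRIGGERS.items():
        trigger = next((pid for pid, cmd in processes if regex.search(cmd)), None)
        if trigger is not None:
            break
    else:
        return None
    # One installation per host is assumed, so the key is just type + host key (format assumed here).
    si = {"pattern": pattern_name, "key": "Sophos Anti-Virus/" + host_key, "trigger": trigger, "associated": []}
    for pid, cmd in processes:  # associate every other Sophos process with the trigger process
        role = identify(cmd)
        if role is not None and pid != trigger:
            si["associated"].append((pid, role))
    return si
```

Calling build_software_instance("host-1", SAMPLE_PROCESSES) yields an AntiVirusLinux instance triggered by pid 202 with the savwebd and savscan processes associated; a host with no savd or SavService.exe process yields None.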

Subject Matter Expertise

Subject Matter Expert input is welcome on any other potential approaches, not discussed here, to improving the product versioning coverage and depth for Sophos Anti-Virus.


Testing to ensure that the processes related to Sophos Anti-Virus are correctly identified and that the product can be versioned has been run using live discovery against hosts running Red Hat Enterprise Linux Server release 5.1 and Windows 2003 Server operating systems.

Information Sources

Open Issues

There are no known open issues with this pattern.

Created by: [Olexandr Kashkevich|User Olexandr Kashkevich] 12 Nov 2008
Updated by: [Olexandr Kashkevich|User Olexandr Kashkevich] 13 Apr 2010
Reviewed by: [Nikola Vukovljak|User Nikola Vukovljak] 13 Nov 2008
