Sophos Anti-Virus is software that detects and deals with threats on your computer or network (see http://www.sophos.com/security/): viruses, worms, Trojans, spyware, suspicious files, suspicious behavior, adware, PUAs (potentially unwanted applications), rootkits, applications that are controlled as part of your company policy, and devices that are blocked as part of your company policy.
In particular, it can:
Sophos Anti-Virus is available on Microsoft Windows as well as a number of Unix platforms.
Sophos Anti-Virus is also included as part of the Endpoint Security and Control suite of products.
Product Component | OS Type | Versioning | Pattern Depth |
---|---|---|---|
AntiVirusWindows | Windows | File, Package | Instance-based |
AntiVirusUnix | Unix/Linux | File - may require Active command execution | Instance-based |
Patterns in this module support Windows and Unix/Linux platforms.
Pattern | Trigger Node | Attribute | Condition | Argument |
---|---|---|---|---|
AntiVirusWindows | DiscoveredProcess | cmd | matches | regex '(?i)\bSavService\.exe$' |
AntiVirusLinux | DiscoveredProcess | cmd | matches | regex '\bsavd$' |
The following components/processes are identified using a combination of pattern definitions and simple identity mappings that map the known processes of this product to their names.
Name | Command |
---|---|
Sophos AutoUpdate service | regex '(?i)\bALsvc\.exe$' |
Sophos Anti-Virus Monitor service | regex '(?i)\bALMon\.exe$' |
Sophos Anti-Virus process | regex '(?i)\bSavService\.exe$' |
Sophos Anti-Virus administrating service | regex '(?i)\bSAVAdminService\.exe$' |
Graphical interface to Sophos Anti-Virus | regex '(?i)\bSavMain\.exe$' |
Sophos Anti-Virus scheduled scans service | regex '(?i)\bBackgroundScanClient\.exe$' |
Sophos Anti-Virus network connecting and downloading service | regex '(?i)\bALUpdate\.exe$' |
Main Sophos Anti-Virus daemon process | regex '\bsavd$' |
Sophos Anti-Virus GUI daemon process | regex '\bsavwebd$' |
Sophos Anti-Virus scanning process | regex '\bsavscan$' |
Version information may be obtained either by parsing a configuration file (located via a registry query) or by a package query on Windows, and by parsing the 'version' file on Unix/Linux systems.
Sophos Anti-Virus has a configuration file, factory.xml, which among other data holds the product version information.
We can determine its location by extracting configuration path from the following registry key:
'HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\BOPSConfig'.
If the path is obtained, the file is retrieved and the XPath TPL function is used to extract the product version (major, minor and build). Otherwise, we use package information to populate the version.
On Unix systems a 'version' file exists as part of an installation and it is located in 'engine' directory. By default, Sophos Anti-Virus software is installed into '/opt/sophos-av' directory, but if it's not there, the pattern makes use of the 'locate' command on Linux/BSD systems to find the installation directory location and retrieve the file.
If the 'locate' command is used, it is invoked as:
/usr/bin/locate sophos-av/engine/version
The output of the 'locate' command is parsed using the following regular expression:
((?:/\S+)+/sophos-av/engine/version)
If the file is retrieved, the content is parsed using the following regular expression:
(\d+\.\d+(?:\.\d+)*)
If the pattern is unable to extract the version information from a configuration file, on Windows hosts the pattern can query the package management system to obtain the product version from the package, named 'Sophos Anti-Virus'.
The regular expression used to match the package name is:
'^(?i)Sophos\s(\S+\s)?Anti-Virus'
We cannot be certain of obtaining the product version on other Unix platforms, e.g. Solaris.
We obtain the last_update_time of the virus definitions from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime.
Sophos Anti-Virus software consists of several processes/daemons that are independent of each other and do not create child processes, but are nevertheless all relevant to the software instance.
Windows system:
SavService.exe
This is the main Sophos Anti-Virus service that interfaces with the drivers and the user interface. SavService.exe performs virus scanning and disinfection functions.
SAVAdminService.exe
This service provides information about anti-virus protection to Windows Control Center.
SavMain.exe
This is the graphical interface to Sophos Anti-Virus, through which the application is configured and controlled locally.
ALsvc.exe
This is the AutoUpdate service, run as 'System User'.
When the service first starts up it performs an update check against the CID. ALSvc.exe runs a scheduler that triggers scheduled updates, and it provides an interface that allows an update to be started.
ALUpdate.exe
ALUpdate.exe is the file responsible for connecting to the network and downloading files.
At the start of an update, the Sophos AutoUpdate Service copies ALUpdate.exe and the required dlls and certificates from the above location to: %windir%\temp\sophos_autoupdate1.dir\ALUpdate.exe.
This allows AutoUpdate to perform an update to itself, if required.
ALMon.exe
This process presents the shield icon in the system tray.
ALMon.exe is a DCOM server ("dcomcnfg" - "DCOM Config" - "iMonitor"), which allows Sophos Anti-Virus to display virus alerts to the user desktop.
Unix system:
savd
Main Sophos Anti-Virus daemon process.
savwebd
Sophos Anti-Virus GUI daemon process. Activates GUI, which helps to configure Sophos software on Unix systems.
savscan
Sophos Anti-Virus scanning process. Initiated by the user or by the scheduled procedure.
Windows:
This pattern triggers on the process SavService.exe, the main process of the anti-virus service.
Since only one installation of this software is assumed to be running on the host, a simple SI key containing the 'type' and 'host key' attributes is used on creation of the Software Instance.
Unix/Linux systems:
This pattern triggers on the process savd, the main anti-virus daemon process. Since only one installation of this software is assumed to be running on the host, a simple SI key containing the 'type' and 'host key' attributes is used on creation of the Software Instance.
The build number is currently obtained on Windows machines from the configuration file, using the xpath.evaluate() function.
On Unix the pattern extracts the build number from the full_version variable with the help of the following regex:
'^\d+\.\d+\.(\d+)'
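The Unix/Linux versioning steps described above (locating the 'version' file, extracting the full version, deriving the build number) and the Windows package-name match, worked through as an added example that is not part of the pattern module itself. The 'locate' output and 'version' file contents are constructed sample data; the file reader is injected so the code runs offline.

```python
import re
from typing import Callable, Optional

# Regular expressions as used by the pattern description on this page.
LOCATE_PATH_RE = re.compile(r'((?:/\S+)+/sophos-av/engine/version)')
# Quantifier kept inside the group so a two-component version ("7.0") is also captured.
VERSION_RE = re.compile(r'(\d+\.\d+(?:\.\d+)*)')
BUILD_RE = re.compile(r'^\d+\.\d+\.(\d+)')
# The page writes the flag inline ('^(?i)Sophos...'); Python needs it at the start.
PACKAGE_NAME_RE = re.compile(r'(?i)^Sophos\s(\S+\s)?Anti-Virus')

# Constructed sample data standing in for the live host.
SAMPLE_LOCATE_OUTPUT = "/usr/local/sophos-av/engine/version\n/usr/local/sophos-av/engine/version.bak\n"
SAMPLE_FILES = {"/usr/local/sophos-av/engine/version": "4.46.2\n"}


def find_version_file(locate_output: str) -> Optional[str]:
    """First engine/version path in the 'locate' output, or None if absent."""
    m = LOCATE_PATH_RE.search(locate_output)
    return m.group(1) if m else None


def parse_full_version(content: str) -> Optional[str]:
    """Full dotted version (e.g. '4.46.2' or '7.0') from the 'version' file."""
    m = VERSION_RE.search(content)
    return m.group(1) if m else None


def parse_build(full_version: str) -> Optional[str]:
    """Third component as the build number; None when the version has only two parts."""
    m = BUILD_RE.match(full_version)
    return m.group(1) if m else None


def is_sophos_av_package(package_name: str) -> bool:
    """Windows fallback: does this package name look like Sophos Anti-Virus?"""
    return PACKAGE_NAME_RE.match(package_name) is not None


def version_from_unix_host(locate_output: str, read_file: Callable[[str], str]) -> dict:
    """Chain the Unix steps; every field is None when a step fails."""
    path = find_version_file(locate_output)
    full = parse_full_version(read_file(path)) if path else None
    build = parse_build(full) if full else None
    return {"path": path, "full_version": full, "build": build}


if __name__ == "__main__":
    print(version_from_unix_host(SAMPLE_LOCATE_OUTPUT, lambda p: SAMPLE_FILES[p]))
```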
The patterns create associating relations between the trigger process and all other Sophos Anti-Virus processes, since they are all logically part of the same software instance.
Subject Matter Expert input is welcome on any other potential approaches, not discussed here, to improving the versioning coverage and depth for Sophos Anti-Virus.
Testing to ensure that the processes related to Sophos Anti-Virus are correctly identified and that the product can be versioned has been run using live discovery against hosts running Red Hat Enterprise Linux Server release 5.1 and Windows Server 2003.
There are no known open issues with this pattern.
Created by: Olexandr Kashkevich 12 Nov 2008
Updated by: Olexandr Kashkevich 13 Apr 2010
Reviewed by: Nikola Vukovljak 13 Nov 2008