
What is this?
This is a product information page, containing details of the information that BMC Discovery gathers about a product and how it is obtained.

Product Name: Anti-Virus
Publisher Page: Sophos
Category: Secure Content and Threat Management
Release: TKU 2018-Dec-1
Change History: Sophos Anti-Virus - Change History
Reports & Attributes: Sophos Anti-Virus - Reports & Attributes
Publisher Link: Sophos

Product Description

Sophos Anti-Virus is software that detects and deals with threats on your computer or network (see http://www.sophos.com/security/): viruses, worms, Trojans, spyware, suspicious files, suspicious behavior, adware, PUAs (potentially unwanted applications), rootkits, applications that are controlled as part of your company policy, and devices that are blocked as part of your company policy.

In particular, it can:

  • scan your computer or network for threats, and controlled applications
  • check if each file you access is a threat or controlled application
  • check if each web page you view contains a threat (applies only to Internet Explorer version 6 or later)
  • alert you when it finds a threat, controlled application, or blocked device
  • clean up infected items
  • stop suspicious behavior
  • prevent adware and PUAs from running on your computer
  • clean adware and PUAs from your computer
  • keep a log of its activity
  • be updated to detect the latest threats.

Sophos Anti-Virus is available on Microsoft Windows as well as a number of Unix platforms.

Sophos Anti-Virus is also included as part of the Endpoint Security and Control suite of products.

Known Versions

  • 1.0
  • 4.35
  • 4.7
  • 6.4
  • 7.0
  • 7.6

Software Pattern Summary

Product Component | OS Type    | Versioning                                  | Pattern Depth
AntiVirusWindows  | Windows    | File, Package                               | Instance-based
AntiVirusUnix     | Unix/Linux | File - may require Active command execution | Instance-based

Platforms Supported by the Pattern

Patterns in this module support Windows and Unix/Linux platforms.

Identification

Software Instance Triggers

Pattern          | Trigger Node      | Attribute | Condition | Argument
AntiVirusWindows | DiscoveredProcess | cmd       | matches   | regex '(?i)\bSavService\.exe$'
AntiVirusLinux   | DiscoveredProcess | cmd       | matches   | regex '\bsavd$'

Simple Identification Mappings

The following components/processes are identified using a combination of pattern definitions and simple identity mappings, which map the known processes of this product.

Name                                                          | Command
Sophos AutoUpdate service                                     | regex '(?i)\bALsvc\.exe$'
Sophos Anti-Virus Monitor service                             | regex '(?i)\bALMon\.exe$'
Sophos Anti-Virus process                                     | regex '(?i)\bSavService\.exe$'
Sophos Anti-Virus administrating service                      | regex '(?i)\bSAVAdminService\.exe$'
Graphical interface to Sophos Anti-Virus                      | regex '(?i)\bSavMain\.exe$'
Sophos Anti-Virus scheduled scans service                     | regex '(?i)\bBackgroundScanClient\.exe$'
Sophos Anti-Virus network connecting and downloading service  | regex '(?i)\bALUpdate\.exe$'
Main Sophos Anti-Virus daemon process                         | regex '\bsavd$'
Sophos Anti-Virus GUI daemon process                          | regex '\bsavwebd$'
Sophos Anti-Virus scanning process                            | regex '\bsavscan$'
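
The trigger conditions and identity mappings above, run over constructed process lists in an added Python example (not the pattern's own TPL code). It shows why the `\b` anchor and the `(?i)` flag matter: only the Windows expressions are case-insensitive, and a command such as `/usr/bin/notsavd` is not mistaken for the daemon.

```python
import re

# Trigger conditions and simple identity mappings quoted on this page.
# The Windows expressions carry (?i); the Unix ones are case-sensitive.
TRIGGERS = {
    "AntiVirusWindows": r"(?i)\bSavService\.exe$",
    "AntiVirusLinux": r"\bsavd$",
}
IDENTITY_MAPPINGS = [
    ("Sophos AutoUpdate service", r"(?i)\bALsvc\.exe$"),
    ("Sophos Anti-Virus Monitor service", r"(?i)\bALMon\.exe$"),
    ("Sophos Anti-Virus process", r"(?i)\bSavService\.exe$"),
    ("Sophos Anti-Virus administrating service", r"(?i)\bSAVAdminService\.exe$"),
    ("Graphical interface to Sophos Anti-Virus", r"(?i)\bSavMain\.exe$"),
    ("Sophos Anti-Virus scheduled scans service", r"(?i)\bBackgroundScanClient\.exe$"),
    ("Sophos Anti-Virus network connecting and downloading service", r"(?i)\bALUpdate\.exe$"),
    ("Main Sophos Anti-Virus daemon process", r"\bsavd$"),
    ("Sophos Anti-Virus GUI daemon process", r"\bsavwebd$"),
    ("Sophos Anti-Virus scanning process", r"\bsavscan$"),
]

def classify(cmd):
    """Name of the first identity mapping matching a process command, else None."""
    for name, pattern in IDENTITY_MAPPINGS:
        if re.search(pattern, cmd):
            return name
    return None

def find_triggers(processes):
    """Set of pattern names whose trigger condition fires on the process list."""
    fired = set()
    for cmd in processes:
        for pattern_name, regex in TRIGGERS.items():
            if re.search(regex, cmd):
                fired.add(pattern_name)
    return fired

# Constructed process lists (not from a real discovery run). The $-anchored
# expressions match the executable path only, so arguments are not included.
WINDOWS_PROCS = [
    r"C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe",
    r"C:\Program Files\Sophos\AutoUpdate\ALsvc.exe",
    r"C:\Windows\System32\svchost.exe",
]
LINUX_PROCS = [
    "/opt/sophos-av/engine/savd",
    "/opt/sophos-av/bin/savscan",
    "/usr/sbin/sshd",
]
```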

Versioning

Version information is obtained on Windows either by parsing a configuration file (located through a registry query) or by querying the package system, and on Unix/Linux by parsing the 'version' file.

File Parsing

Windows

Sophos Anti-Virus has a configuration file, factory.xml, which amongst other data holds the product version information.
We can determine its location by extracting the configuration path from the following registry key:

'HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\BOPSConfig'.

If the path is obtained, the file is retrieved and the XPath TPL function is used to extract the product version (major, minor and build). Otherwise, we use package information to populate the version.

Unix

On Unix systems a 'version' file exists as part of an installation and is located in the 'engine' directory. By default, Sophos Anti-Virus is installed into the '/opt/sophos-av' directory, but if it is not there, the pattern uses the 'locate' command on Linux/BSD systems to find the installation directory and retrieve the file.

If the 'locate' command is used, the command run is:

/usr/bin/locate sophos-av/engine/version

The output of the 'locate' command is parsed using the following regular expression:
((?:/\S+)+/sophos-av/engine/version)

If the file is retrieved, its content is parsed using the following regular expression:
(\d+\.\d+(?:\.\d+)*)

Package Versioning

If the pattern is unable to extract the version information from the configuration file on Windows hosts, it can query the package management system to obtain the product version from the package named 'Sophos Anti-Virus'.
The regular expression used to match the package name is:

'^(?i)Sophos\s(\S+\s)?Anti-Virus'

Future Considerations

We cannot be certain of obtaining the product version on other Unix platforms, e.g. Solaris.

Additional Attributes

We obtain the last_update_time of the virus definitions from the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\AutoUpdate\UpdateStatus\LastUpdateTime.

Application Model Produced by Software Pattern

Product Architecture

Sophos Anti-Virus consists of several independent processes/daemons; none of them creates child processes, but all of them are relevant to the software instance.

Windows system:

SavService.exe
This is the main Sophos Anti-Virus service that interfaces with the drivers and the user interface. SavService.exe performs virus scanning and disinfection functions.

SAVAdminService.exe
This service provides information about anti-virus protection to Windows Control Center.

SavMain.exe
This is the graphical interface to Sophos Anti-Virus, through which the application is configured and controlled locally.

ALsvc.exe
This is the AutoUpdate service, run as 'System User'.
When the service first starts up it performs an update check to the CID. ALSvc.exe runs a scheduler that triggers scheduled updates. It provides an interface that allows an update to be started.

ALUpdate.exe
ALUpdate.exe is the file responsible for connecting to the network and downloading files.
At the start of an update, the Sophos AutoUpdate Service copies ALUpdate.exe and the required DLLs and certificates from the above location to: %windir%\temp\sophos_autoupdate1.dir\ALUpdate.exe.
This allows AutoUpdate to perform an update to itself, if required.

ALMon.exe
This process presents the shield icon in the system tray.
ALMon.exe is a DCOM server ("dcomcnfg" - "DCOM Config" - "iMonitor"), which allows Sophos Anti-Virus to display virus alerts to the user desktop.

Unix system:

savd

Main Sophos Anti-Virus daemon process.

savwebd

Sophos Anti-Virus GUI daemon process. Activates GUI, which helps to configure Sophos software on Unix systems.

savscan

Sophos Anti-Virus scanning process. Initiated by the user or by the scheduled procedure.

Software Pattern Model

Windows:

This pattern triggers on the process SavService.exe, the main process of the anti-virus service.
Since only one installation of this software is assumed to be running on the host, a simple SI key containing the 'type' and 'host key' attributes is used on creation of the Software Instance.

Unix/Linux systems:

This pattern triggers on the process savd, the main anti-virus daemon process. Since only one installation of this software is assumed to be running on the host, a simple SI key containing the 'type' and 'host key' attributes is used on creation of the Software Instance.

Build

The build number is currently obtained on Windows machines from the configuration file, using the xpath.evaluate() function.
On Unix the pattern extracts the build number from the full_version variable with the following regex:
regex '^\d+\.\d+\.(\d+)'
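
The Unix file-parsing steps, the Windows package fallback and the build-number extraction described above, exercised together in an added Python example (not the pattern's own TPL code). All inputs are constructed; the factory.xml XPath step is left out because the page does not give that file's structure.

```python
import re

# Regular expressions quoted on this page for the 'locate' output, the
# engine 'version' file, the build number and the Windows package name.
LOCATE_RE = re.compile(r"((?:/\S+)+/sophos-av/engine/version)")
# Version regex with the repetition inside the capture group, so that a
# two-part version such as 4.35 is captured as well as 9.6.1.
VERSION_RE = re.compile(r"(\d+\.\d+(?:\.\d+)*)")
BUILD_RE = re.compile(r"^\d+\.\d+\.(\d+)")
# The page writes the package regex as '^(?i)Sophos\s(\S+\s)?Anti-Virus'.
# Python 3.11+ rejects an inline flag that is not at the very start of
# the expression, so the flag is passed as re.IGNORECASE here instead.
PACKAGE_RE = re.compile(r"^Sophos\s(\S+\s)?Anti-Virus", re.IGNORECASE)


def version_file_from_locate(output):
    """First 'sophos-av/engine/version' path in locate output, or None."""
    m = LOCATE_RE.search(output)
    return m.group(1) if m else None


def parse_version(text):
    """(full_version, build) from the 'version' file; build is None for x.y."""
    m = VERSION_RE.search(text)
    if not m:
        return None, None
    full_version = m.group(1)
    b = BUILD_RE.match(full_version)
    return full_version, (b.group(1) if b else None)


def package_version(packages):
    """Windows fallback: version of the first (name, version) pair that matches."""
    for name, version in packages:
        if PACKAGE_RE.match(name):
            return version
    return None


# Constructed samples, not captured from a real host.
LOCATE_OUTPUT = ("/opt/sophos-av/engine/version\n"
                 "/home/backup/sophos-av/engine/version\n")
VERSION_FILE = "9.6.1\n"
WINDOWS_PACKAGES = [("Microsoft .NET Framework", "3.5"),
                    ("Sophos Anti-Virus", "7.6.9")]
```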

Relationship Creation

Patterns create associating relations between the trigger process and all other Sophos Anti-Virus processes, since they are all logically part of the same software instance.

Subject Matter Expertise

Subject Matter Expert input will be welcome on any other potential approaches, not discussed here, to improving the product versioning coverage and depth for Sophos Anti-Virus.

Testing

Testing to ensure that the processes related to Sophos Anti-Virus are correctly identified and that the product can be versioned has been run using live discovery against hosts running Red Hat Enterprise Linux Server release 5.1 and Windows 2003 Server operating systems.

Information Sources

http://www.sophos.com/support/knowledgebase/article/36207.html

http://www.sophos.com/support/knowledgebase/article/36262.html#SigAccts

http://www.net-security.org/review.php?id=10

Open Issues

There are no known open issues with this pattern.


Created by: Olexandr Kashkevich 12 Nov 2008
Updated by: Olexandr Kashkevich 13 Apr 2010
Reviewed by: Nikola Vukovljak 13 Nov 2008