[SOLVED] Sophos AV: On-access scanning not available in LXCs

blubber

Hello everyone,

I installed Sophos for Linux on the file server (LXC/Debian Buster). In the log "/opt/sophos-av/log/savd.log", however, I see the following:


Updating SAVScan on-demand scanner
Updating Virus Engine and Data
Updating Talpa Kernel Support
Updating Manifest
Selecting appropriate kernel support...
On-access scanning not available because of problems during kernel support compilation.
Update completed.</arg></log>
<log><category>update.updated</category><level>NOTICE</level><domain>savupdate</domain><msg>UPDATED_TO_VERSION %s %s %s</msg><time>1580293420</time><arg>9.16.0</arg><arg>3.77.1</arg><arg>5.71</arg></log>
<log><category>update.updated</category><level>NOTICE</level><domain>savupdate</domain><msg>SUCCESSFULLY_UPDATED_FROM %s</msg><time>1580293420</time><arg>sdds:SOPHOS</arg></log>
<log><category>update.check</category><level>INFO</level><domain>savupdate</domain><msg>SUCCESSFULLY_UPDATED_FROM %s</msg><time>1580293574</time><arg>sdds:SOPHOS</arg></log>


The on-access function was/is really indispensable for my file server. Has anyone run into this already, and perhaps found a solution?

Thanks in advance.
 
cat /opt/sophos-av/etc/savd.cfg

<?xml version="1.0" encoding="UTF-8" ?><!DOCTYPE SophosAntiVirus SYSTEM "savd.dtd"><SophosAntiVirus xmlns="savd.xsd"><Sophos><OnAccess><EnableOnStart>true</EnableOnStart><Quarantine>false</Quarantine><TakeActionOnClose>false</TakeActionOnClose><RestrictProcessExclusions>false</RestrictProcessExclusions><OnEnable><StartupTimeoutMs>60000</StartupTimeoutMs><Scan /><NoScan /></OnEnable><OnDisable><StopTimeoutMs>30000</StopTimeoutMs><ScanTimeoutMs>10000</ScanTimeoutMs><Scan /><NoScan /></OnDisable><Scanner><HookModule>talpa_vfshook</HookModule><Processes>2</Processes><ThreadsPerProcess>5</ThreadsPerProcess><AdaptiveThreading>true</AdaptiveThreading><MaximumThreads>5</MaximumThreads><MissingHeartbeatDurationSec>60</MissingHeartbeatDurationSec><AutomaticAction /><DenyOnDetectionError>false</DenyOnDetectionError><DenyOnOperatingSystemError>true</DenyOnOperatingSystemError><DenyOnCorruptFile>false</DenyOnCorruptFile><AllowIfEncrypted>false</AllowIfEncrypted><AllowIfPartVolume>false</AllowIfPartVolume><AllowIfNotSupported>false</AllowIfNotSupported><AllowCorruptInCleanArchive>true</AllowCorruptInCleanArchive><TalpaDevicePath>/dev/sophos-vc</TalpaDevicePath><TalpaVettingTimeoutMs>100</TalpaVettingTimeoutMs><TalpaVettingGroup>0</TalpaVettingGroup><FileCacheSizeBytes>4096</FileCacheSizeBytes><UseExtendedRegex>true</UseExtendedRegex><GracePeriods><StopTimeoutMs>20000</StopTimeoutMs><KillTimeoutMs>2000</KillTimeoutMs></GracePeriods><RespawnThrottling><Limit>5</Limit><Max>10</Max><PeriodDurationMs>20000</PeriodDurationMs></RespawnThrottling><ExclusionEncodings>UTF-8</ExclusionEncodings><ExclusionEncodings>EUC-JP</ExclusionEncodings><ExclusionEncodings>ISO-8859-1</ExclusionEncodings><FileExclusions><Glob /><Expression /></FileExclusions><MountExclusions><DeviceExpression /><DeviceGlob /><MountpointExpression /></MountExclusions><ThreatDetection><U32><EnableAutoStop>0</EnableAutoStop><ExecFileDisinfection>1</ExecFileDisinfection><Xml>0</Xml><SXLLiveProtection>0</SXLLiveProtection></U32><U16 /><STR /><VirusDataDir>./lib/sav</VirusDataDir><IdeDir>./lib/sav</IdeDir><UseSharedMemory>false</UseSharedMemory><SXL><ServerList>00010203</ServerList><TopLevelDomain>nix.sophosxl.net</TopLevelDomain></SXL></ThreatDetection></Scanner><Talpa><intercept-filters><Cache><fstypes>ext3</fstypes><fstypes>ext4</fstypes><fstypes>zfs</fstypes><fstypes>tmpfs</fstypes><fstypes>devtmpfs</fstypes><fstypes>iso9660</fstypes><fstypes>udf</fstypes><fstypes>xfs</fstypes><fstypes>reiserfs</fstypes><fstypes>jfs</fstypes><fstypes>vfat</fstypes><fstypes>msdos</fstypes><fstypes>ntfs</fstypes><fstypes>hfs</fstypes><fstypes>minix</fstypes><fstypes>ramfs</fstypes><fstypes>romfs</fstypes><fstypes>ufs</fstypes><fstypes>umsdos</fstypes><fstypes>xenix</fstypes><fstypes>cramfs</fstypes><status>enable</status></Cache><DebugSyslog><status>disable</status></DebugSyslog><FilesystemExclusionProcessor><paths /><fstypes /></FilesystemExclusionProcessor><FilesystemInclusionProcessor><status>false</status><include-path>/</include-path></FilesystemInclusionProcessor><VettingController><timeout-ms>10000</timeout-ms><fs-timeout-ms>60000</fs-timeout-ms><timeout-deny>true</timeout-deny><xsmartsched-fix>true</xsmartsched-fix><interruptible>false</interruptible></VettingController></intercept-filters></Talpa><Fanotify><ExcludeFilesystems /></Fanotify><PreferFanotify>false</PreferFanotify><DisableFanotify>true</DisableFanotify></OnAccess><Notification><debug>False</debug><QueueLimit>50</QueueLimit><Notifiers><Log><Status>True</Status><Location>./log</Location><Prefix>savd</Prefix><MaxSizeMiB>100</MaxSizeMiB><ErrorCategory>log.error</ErrorCategory><ThreatCategory>log.threat</ThreatCategory></Log><Syslog><Status>True</Status><Facility>DAEMON</Facility></Syslog><UI><Status>enabled</Status><ttynotification>True</ttynotification><popupNotification>True</popupNotification><Message><ContactMessage /></Message></UI><Email><Status>enabled</Status><Server>localhost:25</Server><SendThreatEmail>true</SendThreatEmail><SendScanErrorEmail>true</SendScanErrorEmail><SendErrorEmail>true</SendErrorEmail><SendLogEmailLevel>FATAL</SendLogEmailLevel><SendDemandSummaryAlways>false</SendDemandSummaryAlways><SendDemandSummaryIfThreat>true</SendDemandSummaryIfThreat><Message><ThreatMessage /><ScanErrorMessage /><LogMessage /></Message><EmailLanguage>English</EmailLanguage><AlwaysSend><MsgID>USING_BACKUP_CONFIGURATION</MsgID><MsgID>ALL_UPDATE_SOURCES_FAILED</MsgID><MsgID>RESPAWN-LIMIT</MsgID><MsgID>VIRUS-DATA-OLD</MsgID><MsgID>TALPA-FAILURE</MsgID><MsgID>TALPA-COMPILED</MsgID></AlwaysSend><Recipient><To>root@localhost</To></Recipient><Log>true</Log></Email></Notifiers></Notification><OnDemand><LogStartStop>true</LogStartStop><LogDetails>true</LogDetails></OnDemand><Core /><WebUI><HttpPort>8081</HttpPort><Username>admin</Username><Password /></WebUI><CID><SophosUpdateLocation locked="true">sdds:SOPHOS</SophosUpdateLocation><NotifyOnUpdate>false</NotifyOnUpdate><NotifyOnCheck>false</NotifyOnCheck></CID><Update><EnableAutoUpdating>true</EnableAutoUpdating><Primary><Policy>recommended</Policy><UseHttps>true</UseHttps></Primary><Secondary><UseHttps>true</UseHttps></Secondary><UpdateHttpsAllowDowngradeToHttp>true</UpdateHttpsAllowDowngradeToHttp></Update><LogPrimaryUpdateError>true</LogPrimaryUpdateError><DetectionFeedback><MaxQueueSize>8192</MaxQueueSize><LookupDomain>samples.sophosxl.net</LookupDomain><UploadURL>samples.sophosxl.net</UploadURL><UploadFiles>false</UploadFiles><UploadTimeout>120</UploadTimeout></DetectionFeedback></Sophos><Corporate /><Machine><OnAccess><DisableFanotify>0</DisableFanotify></OnAccess></Machine><User><OnAccess><EnableOnStart>1</EnableOnStart><Scanner><ThreatDetection><U32><SXLLiveProtection>1</SXLLiveProtection></U32></ThreatDetection></Scanner></OnAccess><Update>

My trick was the fstypes... on my system I swapped ext2 for zfs.
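The fstypes swap above is a hand edit of a single-line XML file, which is easy to get wrong and hard to review afterwards. The following script, an added example that is not part of this thread and not Sophos' own tooling, shows how to inspect and change the Talpa Cache fstypes list of a savd.cfg programmatically so the before/after state can be checked. It assumes the structure shown in the posted file (default namespace xmlns="savd.xsd", path Sophos/OnAccess/Talpa/intercept-filters/Cache) and uses a constructed, cut-down sample config instead of the real /opt/sophos-av/etc/savd.cfg; the later replies in this thread note that the Talpa module does not load inside an LXC container at all, so this only makes the configuration change auditable, it does not turn on-access scanning on in a container.

```python
import xml.etree.ElementTree as ET

# savd.cfg declares a default namespace (xmlns="savd.xsd"), so every tag has to
# be looked up as "{savd.xsd}Name". Registering "" for that URI keeps the
# re-serialised file free of ns0: prefixes, so savd still reads it.
NS = "savd.xsd"
ET.register_namespace("", NS)


def q(tag):
    """Qualify a tag name with the savd.cfg default namespace."""
    return "{%s}%s" % (NS, tag)


# Path of the Talpa cache filter, as seen in the config posted in the thread.
CACHE_PATH = "/".join(q(t) for t in ("Sophos", "OnAccess", "Talpa", "intercept-filters", "Cache"))

# Constructed, trimmed-down savd.cfg containing only the branch we edit
# (DOCTYPE omitted). It is a sample for this example, not the poster's file.
SAMPLE_CFG = """<?xml version="1.0" encoding="UTF-8" ?>
<SophosAntiVirus xmlns="savd.xsd"><Sophos><OnAccess><Talpa><intercept-filters><Cache>
<fstypes>ext2</fstypes><fstypes>ext3</fstypes><fstypes>ext4</fstypes><fstypes>tmpfs</fstypes>
<status>enable</status>
</Cache></intercept-filters></Talpa></OnAccess></Sophos></SophosAntiVirus>
"""


def _cache_element(root):
    cache = root.find(CACHE_PATH)
    if cache is None:
        raise ValueError("no Talpa intercept-filters/Cache section in savd.cfg")
    return cache


def cache_fstypes(xml_text):
    """Return the filesystem types listed in Talpa's Cache filter, in file order."""
    cache = _cache_element(ET.fromstring(xml_text))
    return [e.text for e in cache.findall(q("fstypes"))]


def replace_fstype(xml_text, old, new):
    """Return savd.cfg text with <fstypes>old</fstypes> renamed to new.

    The entry keeps its position in the list. If new is already listed the
    text is returned unchanged; if old is not present, new is appended after
    the last existing <fstypes> entry (before <status>) so it is still covered.
    """
    root = ET.fromstring(xml_text)
    cache = _cache_element(root)
    entries = cache.findall(q("fstypes"))
    if any(e.text == new for e in entries):
        return xml_text
    for e in entries:
        if e.text == old:
            e.text = new
            break
    else:
        added = ET.Element(q("fstypes"))
        added.text = new
        idx = list(cache).index(entries[-1]) + 1 if entries else 0
        cache.insert(idx, added)
    return '<?xml version="1.0" encoding="UTF-8" ?>\n' + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Real use would read /opt/sophos-av/etc/savd.cfg and write the result back
    # (after taking a copy); here we only work on the constructed sample.
    print("before:", cache_fstypes(SAMPLE_CFG))
    updated = replace_fstype(SAMPLE_CFG, "ext2", "zfs")
    print("after: ", cache_fstypes(updated))
```

Diffing the output of cache_fstypes() before and after the edit is the quick way to confirm that exactly one entry changed and nothing else in the file moved; the namespace registration matters because a file rewritten with ns0: prefixes is valid XML but not what the DTD-driven daemon expects.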
 

blubber

That seems to have helped; the message no longer appears.

But how did you handle the kernel headers? Did you pull in the sources from PVE?

Code:
Linux distribution: [debian]
Product: [Debian GNU/Linux bullseye/sid]
Kernel: [5.3.13-1-pve]
Multiprocessor support enabled.
Searching for source pack...
Searching for suitable binary pack...
No suitable binary pack available.
Preparing for build...
Extracting sources...
Configuring build of version 1.25.3...
Error: Failed to prepare the source code for build. Kernel headers not found. Install kernel headers.
Waiting for sav-protect...
 

blubber

So I should have the binary compiled on another PVE system? Or how should I deal with the error? ;)
 
Not at all... on a "real" system the headers are only needed for the Talpa on-access module, which doesn't run in an LXC container anyway.

So just ignore it :)
 
