Installing avfilter

[Home] [Download] [Upgrading Sophos]

Typical install

  1. ./configure 'CFLAGS=your flags'
    if courier-config is not in PATH you may need to provide some options manually.

  2. make

  3. Optionally ensure the code is portable to your platform by
    make check

  4. if you have avfilter already running, you probably better
    courierfilter stop

  5. su
    make install

  6. Optionally, install email driven virus updates. It consists in setting up a user who receives the updatealerts from Sophos, and runs a filter that adds the result of getting the updates on the message that triggered it. Sophos discourage this practice. Edit the distributed etc/ review it carefully and save the result as
     -rwxr-x---  root      sweep    /usr/local/sbin/

    This description assumes sweep and courier are the user and group name used by sophos and courier. It also assumes that /usr/local/sbin/ is hardcoded in run_get_ides, as is by default. Then you need to add the setuid bit to the other two executables. Some minimal permissions are

     -rwsr-x---  root      courier  /usr/local/bin/run_get_ides
     -rwsr-xr-x  courier   courier  /usr/local/sbin/avfilter_sig

    Edit .mailfilter of the alerts' recipient getting inspiration from the distributed etc/dotmailfilter. Using -D uid/gid (with the numbers you get from id sweep) run_get_ides will set the given values as soon as it has read the command line options. It has to be root for doing that. It will then run, which will run a copy of itself via lockmail. If updates are available, the copy will finally run avfilter_sig, which needs the permission in order to signal avfilter. YMMV.

    Test the above works by sending a message to the alerts' recipient. run_get_ides writes critical errors on the mail syslog when it cannot run. Errors that don't depend on local setup are written in the message subject and body.

    UPDATE v2.8: Sophos' updatealert seems to still allow subscriptions. However, they don't send alerts. The knowledgebase article that used to explain how that list works, article/31130.html, has gone. The article for non-Windows updates, article/10378.html, is outdated, as it mentions unexisting IDE digests. I'd advise non-Windows users to look for another AV provider.

    Nevertheless, calling run_get_ides from a cron job seems to work. The -s 304 switch is new of version 2.8, to skip any reporting in case the result is "304: not modified". For example, in a crontable entry like so:

    # check sophos every 30 minutes (sophos/sophos = 123/456: run `id sophos` to find out)
    */30 *	* * *	root	/usr/local/bin/run_get_ides -t 600 -D 123/456 -s 304 noretry >> /some/daily/report

  7. Review avfilter.conf; install should leave any existing file unchanged and only put avfilter.conf.dist. Since version 2.5 the mode = all flag is specified in the configuration file.

  8. courierfilter start
    or, if you didn't stop it in step 4; i.e. if it is the first install
    filterctl start avfilter

  9. Run new. The virus database version is cached, so you need the new parameter to initialize it, as well as after upgrading sweep.

What gets installed

By directory, make install delivers the following:

Deleting mail

A daily cleanup job should include purging mail for users that don't do it themselves. The alert user is one of those, which is why this topic is here. The following example makes several assumptions: just grab the idea and suit it to you needs.

# set DAYS HOMEDIR pairs
set \
365 \

while test $# -gt 1
	if [ -d "$NEWMAILDIR" ]; then
		find "$NEWMAILDIR" -type f -mtime +$DAYS \
			-name '*servername*' -print0 |\
				xargs -0r rm -f
	shift 2

Upgrading Sophos software and virus database

Please check Sophos documentation for running You need -so option for linking. You don't need InterCheck to run avfilter, so you may also specify -ni -nidc unless you want it for some other reason.

Note on glibc version: glibc is obviously the GNU libc. libc5 was not GNU; glibc 2.0 was the first GNU libc on Linux and it has been called libc6 for coherence. You may run as an executable to learn its GNU version number, which is probably above 2.2.

When you install a new version, you're not actually overwriting the shared library, but installing a new one. (Very old libraries are deleted by SAV Therefore you may install it while avfilter is running, but you must then stop and re-start avfilter to make it link with the new library. The sequence of commands might be as follows:

  1. courierfilter stop
  2. ./ -so and whatever other options
  3. courierfilter start to restart filtering
  4. new to get updates for the new virus database

After courierfilter stop, receiving new mail is deferred with the 423 Mail filters temporarily unavailable response until courierfilter starts again. Note that when courierfilter start returns, the filters are guaranteed to have completed their installation, which for avfilter includes loading the virus data base. See courierfilter(8)for further details.

Your mileage and your objectives may vary. Every few months, you should also run avfilter --config to learn about new options that Sophos may have introduced and add any to avfilter.conf.

[Back to Intro]

Have fun!

Copyright © 2001-2010 Alessandro Vesely. All rights reserved.