Skip to content

Server Protection agent


If you use Sophos XDR Sensor, this feature isn't available.

Sophos Protection for Linux has an agent called Server Protection, which you can use to run on-demand scans on your Linux devices. Server Protection is an antivirus scanner (avscanner).

The Server Protection installation directory is /opt/sophos-spl/plugins/av.

Before you start using Server Protection, you need to check that /usr/local/bin/ is in your path.

avscanner is a full file scanner and you can find it in /opt/sophos-spl/plugins/av/bin/avscanner.

You can scan a file, archive, or directory.

You can run multiple scans at the same time using multiple terminals.

Command-line options

You can add options when you run a scan from the command line.

To do this, enter avscanner PATH OPTION.

The avscanner command supports the following command-line options:


Print the avscanner help.

  • -h
  • --help

Scan archives

Scan inside archives.

  • -a
  • --scan-archives

Disk images

Scan inside disk images.

  • -i
  • --scan-images

Detect PUAs

Set avscanner to detect Potentially Unwanted Applications (PUAs) during a scan. Disabled by default.

  • -p
  • --detect-puas

Exclude PUAs

Exclude specific PUA detections from being reported.

  • --exclude-puas <THREAT>

Trailing argument

Comma-separated list of the PUA detections you want to exclude.


You can exclude a PUA detection by name, for example "PsExec" or "Cain n Abel". You can find the name of the detection in the logs or on the Sophos website. See Adware and PUAs.

Follow symbolic links when scanning.

  • -s
  • --follow-symlinks


Exclude locations from being scanned.

  • -x
  • --exclude <EXCLUSION>

Trailing argument

Path to the location you want to exclude. Exclusions use the same syntax as Sophos Central exclusions. See Scanning exclusions.


Path exclusions in Sophos Central don’t apply to command-line scans. You must use --exclude to manually exclude items from scanning. Files allowed by hash in Sophos Central are still allowed during command-line scans.


Send the output to a log file.

  • -o
  • --output <OUTPUT>

Trailing argument

Path to the file you want to write the output to.

Log level

Set the log level. This sets the log level for avscanner only. It doesn't change the log level for the other Sophos Protection for Linux components.

  • -l
  • --log-level <LOGLEVEL>

Trailing argument

The logging level you want to set.

Available options are: DEBUG, SUPPORT, INFO, WARN, or ERROR.


You can use wildcards. If you use wildcards, you need to know the following:

  • The shell expands wildcards before avscanner sees the options.
  • If you use escaped or quoted wildcards, avscanner uses them. They work in the same way as wildcards do for scheduled scan exclusions. See Linux scanning exclusions.

If you try to run an on-demand scan while one is already running, a refusal to scan message appears in the log file. You can find this in /opt/sophos-sspl/plugins/av/log/av.log. See “Log files”.

Example commands

Scan the root directory (recursively including dot files or directories) including the contents of any archive files:

avscanner / --scan-archives

Scan the root directory and follow any symlinks:

avscanner / --follow-symlinks

Scan the /usr directory excluding /usr/local:

avscanner /usr --exclude /usr/local/

Scan the folder directory but exclude any filenames with a .log file extension:

avscanner folder --exclude '\*.log'

Scan the file foo.exe and redirect the output to a log file called scan.log:

avscanner foo.exe -o scan.log

Scan the root directory with log level set to info:

avscanner / --log-level info

On-demand scan return codes

avscanner returns a code to the shell that indicates the result of a scan. You can see the code by entering a command after the scan has finished.


echo $?

This table lists common avscanner return codes. There are other return codes that may be shown, which are used for additional troubleshooting by Sophos Support.

Return code Description
0 Successful scan. No errors and no detections.

Survivable error. Scan will continue.

Check av.log for more information.

16 Password-protected file found.
24 Malicious file found and not cleaned.

Unsurvivable error. Scan aborted.

Check av.log for more information.

40 Scan is interrupted.