Skip to content
Last update: 2022-07-08

Server Protection agent

Sophos Protection for Linux has an agent called Server Protection, which you can use to run on-demand scans on your Linux devices. Server Protection is an antivirus scanner (avscanner). Server Protection doesn't support detecting and removing Potentially Unwanted Applications (PUAs).

The Server Protection installation directory ($PLUGIN_INST) is $INST/plugins/av.

Before you start using Server Protection, you need to check that /usr/local/bin/ is in your path.

avscanner is a full file scanner and you can find it in /opt/sophos-spl/plugins/av/bin/avscanner.

You can scan a file, archive, or directory.

You can add options when you run a scan from the command line.

To do this, enter avscanner PATH \[OPTION\].

\[OPTION\] is one of the command-line options shown in the following table.

Command-line option Description



Print this help message



Scan inside archives



Follow symlinks when scanning


--exclude EXCLUSION...

Exclude these locations from being scanned


--output OUTPUT...

Write to log file


--log-level LOGLEVEL...

Set the log level.

This sets the log level for avscanner only. It doesn't change the log level for the other Sophos Protection for Linux components.

You can use wildcards. If you use wildcards, you need to know the following:

  • The shell expands wildcards before avscanner sees the options.
  • If you use escaped or quoted wildcards, avscanner uses them. They work in the same way as wildcards do for scheduled scan exclusions. See Linux scanning exclusions.

If you try to run an on-demand scan while one is already running, a refusal to scan message appears in the log file. You can find this in /opt/sophos-sspl/plugins/av/log/av.log. See “Log files”.

Example commands

Here are some example commands.

Command Description
avscanner / --scan-archives Scan the root directory (recursively including dot files or directories) including the contents of any archive files.
avscanner / --follow-symlinks Scan the root directory and follow any symlinks.
avscanner /usr --exclude /usr/local/ Scan the /usr directory excluding /usr/local.
avscanner folder --exclude '\*.log' Scan the folder directory but exclude any filenames with a .log file extension.
avscanner foo.exe -o scan.log Scan the file foo.exe and redirect the output to a log file called scan.log.
avscanner / --log-level info Scan the root directory with log level set to info.

Log files

You can find the log files in /opt/sophos-sspl/plugins/av/log/.

To change the log level, do as follows:

  1. Edit /opt/sophos-spl/base/etc/logger.conf and set the level.
  2. Restart the plugin by entering systemctl restart sophos-spl.

You can also override the log level on the command line when you run a scan.