Sophos Protection for Linux
You can run a scan using Sophos Protection for Linux from the command line.
Sophos Protection for Linux has an agent called Server Protection, which you can use to run on-demand scans on your Linux devices. See Server Protection agent.
You can also schedule a scan from Sophos Central.
How to manage Sophos Protection for Linux
You manage Sophos Protection for Linux in Sophos Central. You can do the following:
- Install Sophos Protection for Linux on your devices. See Server Protection.
- Manage your Linux devices. See Servers.
- Manage antivirus and threat protection settings using threat protection policies. See Server Threat Protection Policy.
Manage when Sophos Protection for Linux updates on your devices. See Server Updating Policy.
Sophos Central applies the first appropriate updating policy to your Linux devices. See About Policies.
The Sophos Protection for Linux installation directory ($INST) is
Events are logged in
/opt/sophos-spl/plugins/av/log/av.log before being sent to Sophos Protection for Linux.
Server Protection agent
The Server Protection version number shown in Sophos Central under Installed component versions for a Linux device should match that reported on the device in
Server Protection is an antivirus scanner (
avscanner). Server Protection doesn't support detecting and removing Potentially Unwanted Applications (PUAs).
The Server Protection installation directory ($PLUGIN_INST) is
Before you start using Server Protection, you need to check that
/usr/local/bin/ is in your path.
avscanner is a full file scanner and you can find it in
You can scan a file, archive, or directory.
You can add options when you run a scan from the command line.
To do this, enter
avscanner PATH \[OPTION\].
\[OPTION\]is one of the command-line options shown in the following table.
| ||Print this help message|
| ||Scan inside archives|
| ||Follow symlinks when scanning|
| ||Exclude these locations from being scanned|
| ||Write to log file|
| ||Set the log level. |
This sets the log level for avscanner only. It doesn't change the log level for the other Sophos Protection for Linux components.
You can use wildcards. If you use wildcards, you need to know the following:
- The shell expands wildcards before
avscannersees the options.
- If you use escaped or quoted wildcards,
avscanneruses them. They work in the same way as wildcards do for scheduled scan exclusions. See Linux scanning exclusions.
If you try to run an on-demand scan while one is already running, a refusal to scan message appears in the log file. You can find this in
/opt/sophos-sspl/plugins/av/log/av.log. See “Log files”.
Here are some example commands.
| ||Scan the root directory (recursively including dot files or directories) including the contents of any archive files.|
| ||Scan the root directory and follow any symlinks.|
| ||Scan the |
| ||Scan the |
| ||Scan the file |
| ||Scan the root directory with log level set to info.|
You can find the log files in
To change the log level, do as follows:
/opt/sophos-spl/base/etc/logger.confand set the level.
- Restart the plugin by entering
systemctl restart sophos-spl.
You can also override the log level on the command line when you run a scan.