Skip to content

Sophos Protection for Linux

You can run a scan using Sophos Protection for Linux from the command line.

Sophos Protection for Linux has an agent called Server Protection, which you can use to run on-demand scans on your Linux devices. See Server Protection agent.

You can also schedule a scan from Sophos Central.

How to manage Sophos Protection for Linux

You manage Sophos Protection for Linux in Sophos Central. You can do the following:

The Sophos Protection for Linux installation directory ($INST) is /opt/sophos-spl.

Events are logged in /opt/sophos-spl/plugins/av/log/av.log before being sent to Sophos Protection for Linux.

Server Protection agent

The Server Protection version number shown in Sophos Central under Installed component versions for a Linux device should match that reported on the device in /opt/sophos-spl/plugins/av/VERSION.ini.

Server Protection is an antivirus scanner (avscanner). Server Protection doesn't support detecting and removing Potentially Unwanted Applications (PUAs).

The Server Protection installation directory ($PLUGIN_INST) is $INST/plugins/av.

Before you start using Server Protection, you need to check that /usr/local/bin/ is in your path.

avscanner is a full file scanner and you can find it in /opt/sophos-spl/plugins/av/bin/avscanner.

You can scan a file, archive, or directory.

You can add options when you run a scan from the command line.

  • To do this, enter avscanner PATH \[OPTION\].

    \[OPTION\] is one of the command-line options shown in the following table.

Example commands

Command-line option Description



Print this help message



Scan inside archives



Follow symlinks when scanning


--exclude EXCLUSION...

Exclude these locations from being scanned


--output OUTPUT...

Write to log file


--log-level LOGLEVEL...

Set the log level.

This sets the log level for avscanner only. It doesn't change the log level for the other Sophos Protection for Linux components.

You can use wildcards. If you use wildcards, you need to know the following:

  • The shell expands wildcards before avscanner sees the options.
  • If you use escaped or quoted wildcards, avscanner uses them. They work in the same way as wildcards do for scheduled scan exclusions. See Linux scanning exclusions.

If you try to run an on-demand scan while one is already running, a refusal to scan message appears in the log file. You can find this in /opt/sophos-sspl/plugins/av/log/av.log. See “Log files”.

Example commands

Here are some example commands.

Command Description
avscanner / --scan-archives Scan the root directory (recursively including dot files or directories) including the contents of any archive files.
avscanner / --follow-symlinks Scan the root directory and follow any symlinks.
avscanner /usr --exclude /usr/local/ Scan the /usr directory excluding /usr/local.
avscanner folder --exclude '\*.log' Scan the folder directory but exclude any filenames with a .log file extension.
avscanner foo.exe -o scan.log Scan the file foo.exe and redirect the output to a log file called scan.log.
avscanner / --log-level info Scan the root directory with log level set to info.

Log files

You can find the log files in /opt/sophos-sspl/plugins/av/log/.

To change the log level, do as follows:

  1. Edit /opt/sophos-spl/base/etc/logger.conf and set the level.
  2. Restart the plugin by entering systemctl restart sophos-spl.

You can also override the log level on the command line when you run a scan.

Back to top