Skip to content

Installer command-line options for Linux

Before you can install Sophos Protection for Linux, you must download from Sophos Central and make the file executable. See Download and run the Linux Server installer.

Linux command line options

Some options may not be available for all customers yet.

The Server Protection for Linux installer supports the following command-line options.


Shows the help text.



Shows the version of



Forces the installation even if the installer detected that Sophos products are already installed on the device. You can use this command to attempt to fix a broken installation.


Disable auditd

Turns off auditd on the device so that Sophos Protection for Linux can subscribe to the audit netlink and provide historic event data for Live Discover. This is set by default.


Do not disable auditd

Turns auditd on or leaves it on if it's already on. If you use this option it reduces the data that you can query, as it won't contain historic event data.


Debug thin installer

Run in debug mode for troubleshooting.


Trailing arguments

1 is on and 0 is off.

To collect the output in a log file, you must redirect the output to a file.


Adds the device to a specific group in Sophos Central. You can also use this option to add the device to a subgroup.

  • --group=<Central group>
  • --group=<Central group>\\<Central subgroup>

Trailing arguments

The group or subgroup to join. If it doesn't exist, it is created.


Specifies a list of products to install. If you specify a product that you don't have a license for, then it isn't installed.

--products=<comma-separated list of products>

Trailing arguments

List of products to install, separated by commas.

Available options are: antivirus, mdr, and xdr.


Sets a different temporary directory for the installer to use during the installation process. You can use this while running when /tmp on a device isn't mounted as executable.

TMPDIR=<path to directory>

Trailing arguments

Path to the directory you want the installer to use.

Uninstall Sophos Anti-Virus for Linux

Stops the SAV service and uninstalls Sophos Anti-Virus for Linux. You can use this before installing Sophos Protection for Linux.

Sophos Protection for Linux installation isn't compatible with Sophos Anti-Virus for Linux. You must uninstall Sophos Anti-Virus for Linux before you install Sophos Protection for Linux.


Linux examples

Uninstall Sophos Anti-Virus for Linux and install Sophos Protection for Linux:

sudo ./ --uninstall-sav

Install into a subgroup:

sudo ./ --group=LinuxServers\\MailServers

Turn debug mode on, launch the installer using the verbose shell option, combine stderr and stdout into the stdout stream, and write the output to install.log.

sudo export DEBUG_THIN_INSTALLER=1; bash -x ./ 2>&1 | tee install.log

Sophos Protection for Linux and auditd

  • By default, we turn off auditd. This means that you can query historic event data in Live Discover. You can turn on auditd using --do-not-disable-auditd.
  • Turning off auditd also affects whether the systemd journal receives audit events. If you turn off auditd, you won't receive audit events in your systemd journal logs. You normally access these logs using the journalctl command.
  • Uninstalling Sophos Protection for Linux doesn't change your auditd setting. If you've turned off auditd, it remains turned off.
  • Re-registering the product won't change the auditd settings.