
Troubleshooting Sophos Protection for Linux

This page details how to troubleshoot common errors in Sophos Protection for Linux (SPL).

Installation errors

Tip

If you need more insight into an error, turn debug logging on and run the installer again. See Debug thin installer.

./SophosSetup.sh: Permission denied

You must add the execute permission to SophosSetup.sh. Run the following command:

chmod +x SophosSetup.sh

Please run this installer as root

You must run SophosSetup.sh with root privileges. Use the sudo command or switch to the root user.

Found an existing installation of SAV in /opt/sophos-av/. This product cannot be run alongside Sophos Anti-Virus

You must run SophosSetup.sh with the --uninstall-sav flag to remove Sophos Anti-Virus for Linux during the SPL installation.

SPL installation will fail, can not install to '<path>'.

The installation fails if the install path you give is a symlink. Re-run the installer with the --install-dir option and pass the path of the directory the symlink points to.

Cannot connect to Sophos Central - please check your network connections

Your Linux machine must be able to connect to the internet and traffic to all Sophos Central domains must be allowed before you can install SPL. See Domains and ports to allow.

SPL installation will fail as a connection to Sophos Central could not be established

Sophos pre-installation checks will fail if curl isn't installed on the Linux device. Install curl and try again. You may also see the following messages:

  • SPL installation will fail as a connection to the SUS server could not be established
  • SPL installation will fail as a connection to a CDN server could not be established

Failed to connect to repository: error:

Your Linux devices are assigned to a software package that's been retired. Change your Update Management policy and assign your Linux devices to a current software package. See Server Update Management Policy.

Components not running or failing to install.

If a product is missing, make sure you have the correct license for the missing product.

If the product is installed but not running, check the logs for the relevant components:

  • Check the log for the affected component at /opt/sophos-spl/plugins/<plugin name>/log.
  • Check the installation log for the relevant component at /opt/sophos-spl/logs/installation/<component>_install.log.
  • Check the watchdog log to see whether a component failed to start at /opt/sophos-spl/logs/base/watchdog.log.

Real-time scanning troubleshooting

Real-time scanning isn't working.

In Sophos Central, check the following settings in your server's Threat Protection policy:

  • Make sure Real-time scanning - Local files and network shares is turned on.
  • Make sure Enable scan for Server Protection for Linux Agent is turned on.

On your Linux device, check the following items:

  • The value for onRead and onWrite in /opt/sophos-spl/base/mcs/policy/CORC_policy.xml is true.
  • The value for onOpen and onClose in /opt/sophos-spl/plugins/av/var/on_access_policy.json is true.
  • Check /opt/sophos-spl/plugins/av/log/soapd.log. If either of the following lines appears, then the associated scan is turned off:

    • soapd_bootstrap <> Scanning on-open disabled
    • soapd_bootstrap <> Scanning on-close disabled
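The three on-device checks above can be run as one script. The following is an added example, not Sophos code: it reads the CORC policy XML, the AV plugin's on_access_policy.json and soapd.log, and lists every setting that would stop real-time scanning. The file paths and the setting names (onRead, onWrite, onOpen, onClose) and the two soapd log lines are taken from this page; how those settings are nested inside the XML and JSON is an assumption, so the parsers search the whole document for them rather than a fixed path. The sample inputs at the bottom are constructed.

```python
"""Added example, not Sophos code: apply the three on-device checks to the
CORC policy XML, the AV plugin's on_access_policy.json and soapd.log, and list
anything that would stop real-time scanning."""
import json
import xml.etree.ElementTree as ET

SPL = "/opt/sophos-spl"
CORC_POLICY = f"{SPL}/base/mcs/policy/CORC_policy.xml"
ON_ACCESS_POLICY = f"{SPL}/plugins/av/var/on_access_policy.json"
SOAPD_LOG = f"{SPL}/plugins/av/log/soapd.log"

XML_FLAGS = ("onRead", "onWrite")    # setting names from the page; their nesting is assumed
JSON_FLAGS = ("onOpen", "onClose")   # likewise
# Lines soapd writes when a scan type is off (quoted on the page).
DISABLED_MARKERS = {
    "on-open": "soapd_bootstrap <> Scanning on-open disabled",
    "on-close": "soapd_bootstrap <> Scanning on-close disabled",
}


def _is_true(value):
    return str(value).strip().lower() == "true"


def xml_flags(xml_text):
    """{name: bool} for the first onRead/onWrite element found anywhere in the XML."""
    found = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]          # ignore any namespace prefix
        if tag in XML_FLAGS and tag not in found:
            found[tag] = _is_true(el.text)
    return found


def json_flags(json_text):
    """{name: bool} for onOpen/onClose, searching nested objects and arrays."""
    found = {}

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if key in JSON_FLAGS and key not in found:
                    found[key] = _is_true(value)
                walk(value)
        elif isinstance(node, list):
            for value in node:
                walk(value)

    walk(json.loads(json_text))
    return found


def log_disabled(log_text):
    """Scan types whose 'disabled' line appears in soapd.log."""
    return [scan for scan, marker in DISABLED_MARKERS.items() if marker in log_text]


def diagnose(xml_text, json_text, log_text):
    """Every finding that explains why real-time scanning is off; empty means all on."""
    problems = []
    xml_found, json_found = xml_flags(xml_text), json_flags(json_text)
    for name in XML_FLAGS:
        if name not in xml_found:
            problems.append(f"{name} not found in CORC_policy.xml")
        elif not xml_found[name]:
            problems.append(f"{name} is false in CORC_policy.xml")
    for name in JSON_FLAGS:
        if name not in json_found:
            problems.append(f"{name} not found in on_access_policy.json")
        elif not json_found[name]:
            problems.append(f"{name} is false in on_access_policy.json")
    for scan in log_disabled(log_text):
        problems.append(f"soapd.log reports {scan} scanning disabled")
    return problems


# Constructed sample inputs (not real SPL files): on-write and on-close are off.
SAMPLE_CORC = (
    "<policy><onAccessScan><onRead>true</onRead>"
    "<onWrite>false</onWrite></onAccessScan></policy>"
)
SAMPLE_JSON = '{"enabled": true, "onOpen": true, "onClose": false}'
SAMPLE_LOG = "soapd_bootstrap <> Scanning on-close disabled\n"


def diagnose_device():
    """Run the same checks against the live files on an SPL device (run as root)."""
    with open(CORC_POLICY) as xml_fh, open(ON_ACCESS_POLICY) as json_fh, open(SOAPD_LOG) as log_fh:
        return diagnose(xml_fh.read(), json_fh.read(), log_fh.read())


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_CORC, SAMPLE_JSON, SAMPLE_LOG):
        print(finding)
```

On a device, call `diagnose_device()` instead of the sample constants; an empty result means every setting the page lists is on, so the cause lies elsewhere (for example the Sophos Central policy checks above).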

av.log shows "av <> Quarantine failed for threat:"

SPL has detected a threat but failed to quarantine the file. Check /opt/sophos-spl/plugins/av/log/safestore.log for the detection. If you see the following message, it means SPL can't quarantine the file:

safestore <> File at location: [PATH_TO_DETECTION] is immutable. Will not quarantine.

Immutable files have a flag set that indicates the file can't be changed, moved, deleted, or overwritten, not even by the root user.
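To confirm that a quarantine failure really is caused by the immutable attribute, the following added example (not Sophos code) pulls the paths out of the safestore.log line quoted above and reads each file's inode flags with the Linux FS_IOC_GETFLAGS ioctl, the same flag that lsattr shows as `i`. The log path is the one given on this page; the sample log line and its file path are constructed.

```python
"""Added example, not Sophos code: pull the immutable-file refusals out of
safestore.log and confirm the immutable attribute on each path with the Linux
FS_IOC_GETFLAGS ioctl (the flag lsattr reports as 'i')."""
import array
import fcntl
import os
import re
import sys

SAFESTORE_LOG = "/opt/sophos-spl/plugins/av/log/safestore.log"

# From <linux/fs.h>: FS_IOC_GETFLAGS = _IOR('f', 1, long). The request number
# encodes sizeof(long), so choose it by pointer width instead of hard-coding one.
FS_IOC_GETFLAGS = 0x80086601 if sys.maxsize > 2**32 else 0x80046601
FS_IMMUTABLE_FL = 0x00000010          # chattr +i / lsattr 'i'

# Shape of the line quoted on the page; the path is whatever SafeStore logged.
IMMUTABLE_LINE = re.compile(
    r"safestore <> File at location: (?P<path>.+?) is immutable\. Will not quarantine\."
)


def immutable_paths(log_text):
    """Paths SafeStore refused to quarantine because the file is immutable."""
    return [m.group("path") for m in IMMUTABLE_LINE.finditer(log_text)]


def is_immutable(path):
    """True/False from the inode flags; None if the file can't be opened or the
    filesystem doesn't support the query (e.g. ENOTTY on some tmpfs/FUSE mounts)."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_CLOEXEC)
    except OSError:
        return None
    try:
        flags = array.array("l", [0])     # one C long, as the kernel expects
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, flags, True)
    except OSError:
        return None
    finally:
        os.close(fd)
    return bool(flags[0] & FS_IMMUTABLE_FL)


def report(log_text):
    """Map each logged path to 'immutable', 'not immutable', 'unknown' or 'missing'."""
    verdict = {}
    for path in immutable_paths(log_text):
        if not os.path.lexists(path):
            verdict[path] = "missing"
            continue
        flag = is_immutable(path)
        verdict[path] = "unknown" if flag is None else ("immutable" if flag else "not immutable")
    return verdict


# Constructed sample line in the format quoted above; the path is made up.
SAMPLE_LOG = (
    "safestore <> File at location: /srv/uploads/constructed-sample.bin "
    "is immutable. Will not quarantine.\n"
)

if __name__ == "__main__":
    text = SAMPLE_LOG
    if os.path.exists(SAFESTORE_LOG):          # use the real log when run on a device
        with open(SAFESTORE_LOG) as fh:
            text = fh.read()
    for path, state in report(text).items():
        print(f"{state:14} {path}")
```

A path reported as "not immutable" means the attribute has since been cleared (or the log entry is stale) and the detection can be re-scanned; "unknown" means the filesystem does not expose inode flags through this ioctl, in which case the file cannot carry the attribute either.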

Runtime detections troubleshooting

Runtime detections aren't working

Go to My Products > Server > Policies and do as follows:

  • Check your Linux device's Threat Protection policy and make sure Linux runtime detections is turned on. See Runtime Protection.
  • Check your Linux device's Linux Runtime Detection policy and make sure Enable Linux Runtime Detection is turned on.

Go to My Products > Cloud Native Security > Profiles and check the following:

The Content Version in Sophos Central has a different build number than the rtd_content_version shown on a Linux device.

The Content Version may still be up to date, even if the build number is different. See Content Version.

AV plugin troubleshooting

The systemctl status sophos-spl command returns /opt/sophos-spl/plugins/av/sbin/sophos_threat_detector_launcher died with 64.

SPL also shows a red health status in Sophos Central with the message "Not started: Sophos Linux AntiVirus".

SPL is installed on a Linux distribution or kernel that doesn't support ambient capabilities. See the system requirements in the Sophos Protection for Linux release notes.

av.log shows "av <> Health encountered an error resolving pid for ThreatDetector."

SPL also shows a red health status in Sophos Central with the message "Not started: Sophos Linux AntiVirus".

SPL doesn't support running with hidepid=1 or hidepid=2 on Ubuntu 20.04 and Ubuntu 22.04. You must edit /etc/fstab and remove the hidepid option from the /proc mount line.
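The following added example (not Sophos code) checks whether hidepid is set on the /proc mount and produces the corrected entry. Because the first four fields of /proc/mounts have the same layout as an fstab entry, the same function can be pointed at /proc/mounts to see what is in effect right now, which matters on systems where /proc is mounted by a unit file rather than fstab. The fstab content below is constructed.

```python
"""Added example, not Sophos code: find hidepid on the /proc entry of an fstab
(or /proc/mounts) and return the entry with that option removed."""
import re

TOKEN = re.compile(r"\S+")


def entries(text):
    """Yield (line, fields) for every non-blank, non-comment line."""
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield line, stripped.split()


def proc_hidepid(text):
    """hidepid value on the /proc entry (fstab or /proc/mounts format), or None if unset."""
    for _, fields in entries(text):
        if len(fields) >= 4 and fields[1] == "/proc":
            for opt in fields[3].split(","):
                if opt.startswith("hidepid="):
                    return opt.split("=", 1)[1]   # "1", "2", or names like "invisible"
    return None


def strip_hidepid(line):
    """Remove hidepid=... from the options field, keeping the rest of the line as written."""
    tokens = list(TOKEN.finditer(line))
    if len(tokens) < 4:
        return line
    opts = [o for o in tokens[3].group().split(",") if not o.startswith("hidepid=")]
    new_opts = ",".join(opts) or "defaults"      # fstab needs a non-empty options field
    start, end = tokens[3].span()
    return line[:start] + new_opts + line[end:]


def fix_fstab(text):
    """fstab text with hidepid removed from the /proc entry; all other lines untouched."""
    out = []
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        fields = body.split()
        if len(fields) >= 4 and fields[1] == "/proc" and not fields[0].startswith("#"):
            out.append(strip_hidepid(body) + line[len(body):])
        else:
            out.append(line)
    return "".join(out)


# Constructed sample; the UUID is made up.
SAMPLE_FSTAB = """\
# /etc/fstab: constructed sample
UUID=1234-abcd  /      ext4  errors=remount-ro   0 1
proc            /proc  proc  defaults,hidepid=2  0 0
"""

if __name__ == "__main__":
    print("hidepid in sample fstab:", proc_hidepid(SAMPLE_FSTAB))
    print(fix_fstab(SAMPLE_FSTAB))
    with open("/proc/mounts") as fh:            # what the running kernel is using now
        print("hidepid in effect:", proc_hidepid(fh.read()))
```

Writing the corrected text back to /etc/fstab only affects the next boot; to clear the option on a running system as well, remount /proc with `mount -o remount,hidepid=0 /proc` and confirm with the /proc/mounts check that the value is gone before restarting sophos-spl.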

Device isolation troubleshooting

How can I access an isolated Linux device?

We recommend turning on Allow Live Response connections to servers. This lets you use Live Response to connect to any supported server on your network. See Turn on Live Response for servers. Sophos Central Super Admins or roles that include "Start Live Response sessions on servers" can start Live Response sessions with isolated Linux devices.

If you need access to an isolated Linux device from outside of Sophos Central, you must use exclusions to allow the services needed to access the device. See Device isolation exclusions.