Server Protection agent

Sophos Protection for Linux has an agent called Server Protection, which you can use to run on-demand scans on your Linux devices. Server Protection is an antivirus scanner (avscanner).

The Server Protection installation directory is /opt/sophos-spl/plugins/av.

Before you start using Server Protection, you need to check that /usr/local/bin/ is in your path.

avscanner is a full file scanner and you can find it in /opt/sophos-spl/plugins/av/bin/avscanner.

You can scan a file, archive, or directory.

You can run multiple scans at the same time using multiple terminals.

Command-line options

You can add options when you run a scan from the command line.

To do this, enter avscanner PATH OPTION.

The avscanner command supports the following command-line options:

Help

Print the avscanner help.

• -h
• --help

Scan archives

Scan inside archives.

• -a
• --scan-archives

Disk images

Scan inside disk images.

• -i
• --scan-images

Detect PUAs

Set avscanner to detect Potentially Unwanted Applications (PUAs) during a scan. Disabled by default.

• -p
• --detect-puas

Exclude PUAs

Exclude specific PUA detections from being reported.

• --exclude-puas <THREAT>

Trailing argument

Comma-separated list of the PUA detections you want to exclude.

Symbolic links

Follow symbolic links when scanning.

• -s
• --follow-symlinks

Exclude

Exclude locations from being scanned.

• -x
• --exclude <EXCLUSION>

Trailing argument

Path to the location you want to exclude. Exclusions use the same syntax as Sophos Central exclusions. See Scanning exclusions.

Output

Send the output to a log file.

• -o
• --output <OUTPUT>

Trailing argument

Path to the file you want to write the output to.

Log level

Set the log level. This sets the log level for avscanner only. It doesn't change the log level for the other Sophos Protection for Linux components.

• -l
• --log-level <LOGLEVEL>

Trailing argument

The logging level you want to set.

Available options are: DEBUG, SUPPORT, INFO, WARN, or ERROR.

Wildcards

You can use wildcards. If you use wildcards, you need to know the following:

• The shell expands wildcards before avscanner sees the options.
• If you use escaped or quoted wildcards, avscanner uses them. They work in the same way as wildcards do for scheduled scan exclusions. See Linux scanning exclusions.

If you try to run an on-demand scan while one is already running, a refusal to scan message appears in the log file. You can find this in /opt/sophos-sspl/plugins/av/log/av.log. See “Log files”.

Example commands

Scan the root directory (recursively including dot files or directories) including the contents of any archive files:

avscanner / --scan-archives

Scan the root directory and follow any symlinks:

avscanner / --follow-symlinks

Scan the /usr directory excluding /usr/local:

avscanner /usr --exclude /usr/local/

Scan the folder directory but exclude any filenames with a .log file extension:

avscanner folder --exclude '\*.log'

Scan the file foo.exe and redirect the output to a log file called scan.log:

avscanner foo.exe -o scan.log

Scan the root directory with log level set to info:

avscanner / --log-level info

On-demand scan return codes

avscanner returns a code to the shell that indicates the result of a scan. You can see the code by entering a command after the scan has finished.

This table lists common avscanner return codes. There are other return codes that may be shown, which are used for additional troubleshooting by Sophos Support.