Real-time scanning

The Sophos Protection for Linux (SPL) Agent can scan files on Linux devices in real time as they're accessed and updated.

We recommend you turn on Enable scan for Server Protection for Linux Agent so that your Linux devices are fully protected. We also recommend you turn on End malicious processes associated with a real-time detection, so that SPL ends malicious processes as soon as it detects an event and prevents further malicious activity.

You can configure real-time scanning in the server threat protection policies in Sophos Central. See Server Threat Protection policy.

Configuration options

Real-time scanning is optimized to minimize the impact on server performance and applications. By default, it is turned off to allow you to assess the impact in your environment before turning it on.

Real-time scanning options for Linux devices allow for configuration based on server workloads. The following details outline the available configurations in the Threat Protection Policy for real-time scanning and how Sophos Central applies them through the SPL Agent:

  • Scan: This is turned on by default. This configuration applies to Windows and Linux platforms that are part of a policy. You can select from the following options:

    • local: This limits scanning to files on local drives.
    • local and remote: The default setting. SPL scans local and mapped network drives. Detections on mapped drives aren't quarantined.

    You can also turn on and off the following settings:

    • on read: This scans files when you open them.
    • on write: This scans files when you save them.
  • Enable scan for Server Protection for Linux Agent: Turning this on allows SPL to perform real-time scanning on Linux devices. This setting is turned off by default. We recommend that you turn it on to ensure the best protection for your environment.

    • End malicious processes associated with a real-time detection: This is turned on by default. This only applies when you turn on Enable scan for Server Protection for Linux Agent. The SPL Agent will attempt to end malicious processes that a malicious file associated with a real-time scanning detection may have launched.

End processes

By default, the SPL agent attempts to end malicious processes launched by a malicious file. It's important that SPL has the ability to end processes to prevent them from achieving persistence, downloading additional attack components, escalating privileges, moving laterally, and exfiltrating, encrypting, or corrupting critical data.

When SPL ends a process, it records the details in /opt/sophos-spl/plugins/av/log/safestore.log.

Example

Terminated process /bin/bash PID 8079

Sometimes SPL fails to end a process, either because SPL can't end it or because the process has already exited and is no longer running when SPL tries to end it. SPL also records these details in /opt/sophos-spl/plugins/av/log/safestore.log.

Example

No process found to terminate for /bin/bash PID 2487
Failed to terminate process: /bin/bash PID 2487: <error>
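The three message formats above (a successful termination, no process found, and a failed termination) are what an analyst would look for when reviewing safestore.log after a detection. The following Python script is an added example and is not part of the Sophos documentation or the SPL Agent; it parses a constructed sample of log entries written in those formats and summarizes which processes SPL ended and which it could not. It assumes real log lines may carry a timestamp or log-level prefix before the message, so the patterns are searched within each line rather than anchored to its start, and it assumes process paths contain no spaces.

```python
import re
from collections import Counter

# Constructed sample in the three message formats shown in the documentation.
# The "<error>" placeholder from the docs is filled with a made-up error text.
SAMPLE_LOG = """\
Terminated process /bin/bash PID 8079
No process found to terminate for /bin/bash PID 2487
Failed to terminate process: /bin/bash PID 2487: Operation not permitted
Terminated process /usr/bin/python3 PID 9120
some unrelated safestore.log line that is ignored
"""

# One pattern per outcome. re.search (not match) tolerates a prefix such as a
# timestamp or level in front of the message (assumption about the real format).
PATTERNS = {
    "terminated": re.compile(r"Terminated process (?P<path>\S+) PID (?P<pid>\d+)"),
    "not_found": re.compile(r"No process found to terminate for (?P<path>\S+) PID (?P<pid>\d+)"),
    "failed": re.compile(r"Failed to terminate process: (?P<path>\S+) PID (?P<pid>\d+): (?P<error>.*)"),
}


def parse_line(line):
    """Return a dict describing a termination event, or None for other lines."""
    for outcome, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            fields = m.groupdict()
            return {
                "outcome": outcome,
                "path": fields["path"],
                "pid": int(fields["pid"]),
                "error": fields.get("error", "").strip(),
            }
    return None


def parse_log(text):
    """Parse every line of a safestore.log excerpt into termination events."""
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def summarize(events):
    """Count outcomes and return the events where a live process was not ended.

    "not_found" means the process had already exited, so only "failed" events
    are returned as unresolved: those are the ones an analyst should follow up
    on, because a detected process may still be running.
    """
    counts = Counter(ev["outcome"] for ev in events)
    unresolved = [ev for ev in events if ev["outcome"] == "failed"]
    return counts, unresolved


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    totals, open_items = summarize(evts)
    for outcome, n in sorted(totals.items()):
        print(f"{outcome}: {n}")
    for ev in open_items:
        print(f"follow up: {ev['path']} PID {ev['pid']} ({ev['error']})")
```

To run this against a real log, replace SAMPLE_LOG with the contents of /opt/sophos-spl/plugins/av/log/safestore.log and adjust the patterns if the line prefix or path format differs from the assumptions stated above.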