
Troubleshooting Sophos Protection for Linux

This page details how to troubleshoot common errors in Sophos Protection for Linux (SPL).

Note

You can use the Sophos Diagnostic Utility (SDU) to gain additional insight into events when troubleshooting. When you run it, the SDU collects all SPL logs, system information, and system logs. For the SDU to be able to collect the system logs, we recommend you configure your Linux devices to preserve them after a restart. Some platforms have this configured by default.

Sophos Central troubleshooting

Linux device can't connect to Sophos Central using a proxy.

The recommended method for configuring a proxy is to do it in Sophos Central. See Proxy configuration. However, if your Linux device can't communicate with Sophos Central, it can't receive the proxy settings, and you must manually configure them as follows:

  1. Create a new file. The location and filename depend on the Linux distribution on your device.

    • For Debian-based Linux, create /etc/default/sophos-spl.
    • For RHEL, CentOS, and Amazon Linux, create /etc/sysconfig/sophos-spl.
  2. Add the following line to the file, replacing <PROXY_ADDRESS> with the IP address of the proxy and <PROXY_PORT> with the port to use. The scheme must be the one your proxy accepts connections on; the log excerpt below shows a proxy reached over plain http://:

    http_proxy=https://<PROXY_ADDRESS>:<PROXY_PORT>
    
  3. Run the following command to restart SPL:

    systemctl restart sophos-spl
    
  4. Check /opt/sophos-spl/logs/base/sophosspl/management.log to verify the proxy settings.

Here's an example showing SPL successfully connecting using 192.168.100.101:2222 as the proxy:

105     [2026-01-22T11:06:12.294]    INFO [8171675200] McsConnection <> Evaluating connection methods
105     [2026-01-22T11:06:12.294]    INFO [8171675200] McsConnection <> There are no Message Relays to try
105     [2026-01-22T11:06:12.294]    INFO [8171675200] McsConnection <> There are no Proxies to try
106     [2026-01-22T11:06:12.295]    INFO [8171675200] McsConnection <> Trying via environment proxy: http://192.168.100.101:2222
106     [2026-01-22T11:06:12.295]    INFO [8274214976] management <> Completed initialization of Managementd
276     [2026-01-22T11:06:12.465]    INFO [8196853312] Broker <> Broker established registered connection with watchdog_receiver
322     [2026-01-22T11:06:12.511]    INFO [8196853312] Broker <> Broker established registered connection with sdu_receiver
434     [2026-01-22T11:06:12.623]    INFO [8196853312] Broker <> Broker established registered connection with tscheduler_receiver
925     [2026-01-22T11:06:13.114]    INFO [8196853312] Broker <> Broker established registered connection with responseactions_receiver
946     [2026-01-22T11:06:13.136]    INFO [8196853312] Broker <> Broker established registered connection with responseactions_sender_0
986     [2026-01-22T11:06:13.175]    INFO [8196853312] Broker <> Broker established registered connection with updatescheduler_receiver
1013    [2026-01-22T11:06:13.202]    INFO [8171675200] McsConnection <> Successful connection via environment proxy: http://192.168.100.101:2222
1013    [2026-01-22T11:06:13.202]    INFO [8171675200] McsConnection <> Connection method: Proxy (http://192.168.100.101:2222)
1014    [2026-01-22T11:06:13.203]    INFO [8171675200] PushConnectionTask <> Push client is enabled
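The four steps above and the management.log check, as one added example. This is not Sophos code: the apply subcommand, the matching of ID and ID_LIKE from /etc/os-release, the address and port validation, and the five-second wait are this script's own assumptions; the file paths and log strings are the ones shown on this page.

```bash
#!/bin/sh
# Added example, not Sophos code: configure the SPL proxy environment file
# and confirm from management.log that SPL connected through the proxy.
set -eu

# Choose the environment file SPL reads on this distribution from the ID and
# ID_LIKE fields of os-release (path overridable so the logic can be tested).
spl_proxy_env_file() {
    f=${1:-/etc/os-release}
    [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    ids=$( . "$f"; printf '%s %s' "${ID:-}" "${ID_LIKE:-}" )
    case " $ids " in
        *" debian "*|*" ubuntu "*)                       echo /etc/default/sophos-spl ;;
        *" rhel "*|*" centos "*|*" fedora "*|*" amzn "*) echo /etc/sysconfig/sophos-spl ;;
        *) echo "unsupported distribution: $ids" >&2; return 1 ;;
    esac
}

# Validate <PROXY_ADDRESS> (IPv4 or hostname) and <PROXY_PORT>, then print the
# http_proxy line. The scheme must be the one the proxy speaks; the log excerpt
# on this page shows a plain http:// proxy, so that is the default here.
spl_proxy_line() {
    addr=$1; port=$2; scheme=${3:-http}
    case $addr in ''|*[!A-Za-z0-9.-]*) echo "bad proxy address: $addr" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad proxy port: $port" >&2; return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad proxy port: $port" >&2; return 1; }
    case $scheme in http|https) ;; *) echo "bad scheme: $scheme" >&2; return 1 ;; esac
    printf 'http_proxy=%s://%s:%s\n' "$scheme" "$addr" "$port"
}

# Print the connection method logged for the most recent connection attempt in
# management.log, and fail if that attempt never reported one.
spl_connection_method() {
    log=${1:-/opt/sophos-spl/logs/base/sophosspl/management.log}
    start=$(grep -n 'McsConnection <> Evaluating connection methods' "$log" | tail -n 1 | cut -d: -f1)
    [ -n "$start" ] || { echo "no connection attempt logged in $log" >&2; return 1; }
    method=$(tail -n +"$start" "$log" | sed -n 's/.*McsConnection <> Connection method: //p' | tail -n 1)
    [ -n "$method" ] || { echo "last attempt did not connect; see $log" >&2; return 1; }
    printf '%s\n' "$method"
}

# usage: sudo sh spl-proxy.sh apply <PROXY_ADDRESS> <PROXY_PORT> [http|https]
if [ "${1:-}" = apply ] && [ $# -ge 3 ]; then
    file=$(spl_proxy_env_file)
    line=$(spl_proxy_line "$2" "$3" "${4:-http}")
    # Replace any earlier http_proxy line instead of clobbering other settings.
    { if [ -f "$file" ]; then grep -v '^http_proxy=' "$file" || true; fi; printf '%s\n' "$line"; } > "$file.tmp"
    mv "$file.tmp" "$file"
    systemctl restart sophos-spl
    sleep 5    # assumption: give managementd a moment to evaluate connection methods
    spl_connection_method
fi
```

Run it as root with apply, the proxy address and the port. If spl_connection_method reports nothing, the last attempt in management.log never reached "Connection method:"; look at the lines after the last "Evaluating connection methods" for the error the proxy returned.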

Real-time scanning troubleshooting

Real-time scanning isn't working.

In Sophos Central, check the following settings in your server's Threat Protection policy:

  • Make sure Real-time scanning - Local files and network shares is turned on.
  • Make sure Enable scan for Server Protection for Linux Agent is turned on.

On your Linux device, check the following items:

  • The values for onRead and onWrite in /opt/sophos-spl/base/mcs/policy/CORC_policy.xml are true.
  • The values for onOpen and onClose in /opt/sophos-spl/plugins/av/var/on_access_policy.json are true.
  • Check /opt/sophos-spl/plugins/av/log/soapd.log. If either of the following lines appears, then the associated scan is turned off:

    • soapd_bootstrap <> Scanning on-open disabled
    • soapd_bootstrap <> Scanning on-close disabled
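The three device-side checks above, as one added example. This is not Sophos code: it assumes onRead/onWrite appear in CORC_policy.xml as simple <name>value</name> elements and onOpen/onClose as top-level "name": value pairs in on_access_policy.json, and it treats only the most recent soapd_bootstrap state line as current; the paths and the "Scanning on-open/on-close disabled" strings are the ones on this page.

```bash
#!/bin/sh
# Added example, not Sophos code: check the three places on the device that
# this page says decide whether real-time scanning is on.
set -eu

# Value of the first <name>value</name> element in an XML file. Assumes the
# CORC policy carries onRead/onWrite as simple elements like that.
xml_flag() { sed -n "s/.*<$2>\([^<]*\)<\/$2>.*/\1/p" "$1" | head -n 1; }

# Value of a top-level "name": value pair in on_access_policy.json (assumed
# shape; a real JSON parser is more robust than sed for anything nested).
json_flag() { sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\([a-z]*\).*/\1/p" "$1" | head -n 1; }

# Exit 0 when every flag says scanning is on; otherwise print what is off and
# exit 1. Exit 2 when one of the files cannot be read.
spl_realtime_check() {
    corc=${1:-/opt/sophos-spl/base/mcs/policy/CORC_policy.xml}
    oap=${2:-/opt/sophos-spl/plugins/av/var/on_access_policy.json}
    soapd=${3:-/opt/sophos-spl/plugins/av/log/soapd.log}
    rc=0
    for f in "$corc" "$oap" "$soapd"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done
    for name in onRead onWrite; do
        v=$(xml_flag "$corc" "$name")
        [ "$v" = true ] || { echo "CORC_policy.xml: $name=${v:-missing} (expected true)"; rc=1; }
    done
    for name in onOpen onClose; do
        v=$(json_flag "$oap" "$name")
        [ "$v" = true ] || { echo "on_access_policy.json: $name=${v:-missing} (expected true)"; rc=1; }
    done
    # soapd may log the state more than once; only the most recent line counts.
    for ev in on-open on-close; do
        if grep "soapd_bootstrap <> Scanning $ev" "$soapd" | tail -n 1 | grep -q disabled; then
            echo "soapd.log: scanning $ev disabled"; rc=1
        fi
    done
    return $rc
}

# usage: sudo sh spl-rts-check.sh run   (uses the live SPL paths)
if [ "${1:-}" = run ]; then
    spl_realtime_check && echo "real-time scanning: all flags on"
fi
```

If CORC_policy.xml says true but on_access_policy.json says false, the AV plugin has not yet applied the policy it received; a restart of sophos-spl and a fresh look at soapd.log usually settles which side is stale.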

av.log shows "av <> Quarantine failed for threat:"

SPL has detected a threat but failed to quarantine the file. Check /opt/sophos-spl/plugins/av/log/safestore.log for the detection. If you see the following message, it means SPL can't quarantine the file:

safestore <> File at location: [PATH_TO_DETECTION] is immutable. Will not quarantine.

Immutable files have a flag set that indicates the file can't be changed, moved, deleted, or overwritten, not even by the root user.

The process associated with a real-time threat detection is still running.

Make sure End malicious processes associated with a real-time threat detection is turned on in your threat protection policy. Do as follows:

  1. Sign in to Sophos Central.
  2. Go to My Products > Server > Policies.
  3. Select your threat protection policy.
  4. Click Settings.
  5. Under Real-time scanning - Local files and network shares, make sure End malicious processes associated with a real-time threat detection is selected.
  6. Click Save.

Runtime detections troubleshooting

Timed out gathering optional metadata, some optional metadata won't be available

When a real-time scanning detection happens in a cloud environment, the SPL Agent tries to gather additional data from the instance's local metadata service. If the SPL Agent can't gather the data within the timeout period, the request times out, and SPL logs the event and generates an alert without the optional metadata fields.

Runtime detections aren't working

Go to My Products > Server > Policies and do as follows:

  • Check your Linux device's Threat Protection policy and make sure Linux runtime detections is turned on. See Runtime Protection.
  • Check your Linux device's Linux Runtime Detection policy and make sure Enable Linux Runtime Detection is turned on.

Go to My Products > Cloud Native Security > Profiles and check the following:

The Content Version in Sophos Central has a different build number than the rtd_content_version shown on a Linux device.

The Content Version may still be up to date, even if the build number is different. See Content Version.

runtimedetections <> Error adding policies

The runtime detections plugin encountered an issue with a policy or group of policies. In this case, the RTD plugin is still running, and all other rules are active, but Sophos Central shows a red health status to alert you to the issue so you can investigate.

You may also see runtimedetections <> Error initializing "<POLICY_NAME>": no valid symbol found in /opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log. This line tells you which policy caused the issue so you can investigate.

AV plugin troubleshooting

The systemctl status sophos-spl command returns /opt/sophos-spl/plugins/av/sbin/sophos_threat_detector_launcher died with 64.

SPL also shows a red health status in Sophos Central with the message "Not started: Sophos Linux AntiVirus".

SPL is installed on a Linux distribution or kernel that doesn't support ambient capabilities. See the system requirements in the Sophos Protection for Linux release notes.

av.log shows "av <> Health encountered an error resolving pid for ThreatDetector."

SPL also shows a red health status in Sophos Central with the message "Not started: Sophos Linux AntiVirus".

SPL doesn't support running with hidepid=1 or hidepid=2 on Ubuntu 20.04 and Ubuntu 22.04. You must edit /etc/fstab, remove the hidepid option from the /proc mount line, and remount /proc (or restart the device) for the change to take effect.
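The hidepid check and the fstab edit, as an added example. This is not Sophos code: the apply subcommand, the backup filename, and the remount with hidepid=0 are this script's own choices; it reads /proc/mounts because that, not /etc/fstab, shows how /proc is actually mounted right now.

```bash
#!/bin/sh
# Added example, not Sophos code: find out whether /proc is mounted with
# hidepid, and strip the option from the /proc entry in /etc/fstab.
set -eu

# hidepid value from a mount table (/proc/mounts by default; pass a saved copy
# to test). Prints nothing when /proc carries no hidepid option.
proc_hidepid() {
    awk '$2 == "/proc" && $3 == "proc" { print $4 }' "${1:-/proc/mounts}" | tail -n 1 |
        tr ',' '\n' | sed -n 's/^hidepid=//p'
}

# Copy an fstab-format file to stdout with hidepid removed from its /proc entry.
# Comments and other entries pass through unchanged; an option list that ends
# up empty becomes "defaults" so the line stays valid. The edited line is
# re-joined with single spaces.
fix_fstab_proc() {
    awk '
    /^[ \t]*#/ || NF < 4 { print; next }
    $2 == "/proc" && $3 == "proc" {
        n = split($4, opt, ","); kept = ""
        for (i = 1; i <= n; i++)
            if (opt[i] !~ /^hidepid=/) kept = kept (kept == "" ? "" : ",") opt[i]
        $4 = (kept == "" ? "defaults" : kept)
    }
    { print }' "$1"
}

# usage: sudo sh spl-hidepid.sh apply
if [ "${1:-}" = apply ]; then
    before=$(proc_hidepid)
    [ -n "$before" ] || { echo "/proc is mounted without hidepid; nothing to do"; exit 0; }
    cp -p /etc/fstab /etc/fstab.before-hidepid
    fix_fstab_proc /etc/fstab.before-hidepid > /etc/fstab
    # Take effect now rather than at the next boot; hidepid=0 is the kernel default.
    mount -o remount,hidepid=0 /proc
    after=$(proc_hidepid)
    echo "hidepid was $before, now ${after:-unset}"
    systemctl restart sophos-spl
fi
```

If proc_hidepid reports a value but /etc/fstab has no /proc entry, something else is setting the option (a hardening script, a unit, or a configuration-management run); rewriting fstab won't help and the remount will be undone the next time that source runs, so fix it there. A gid= option left behind on the /proc line is harmless without hidepid.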

Safestore fails to restore a file

Debug logging shows "Common <> Could not convert from: UTF-8"

Threat detections on files with non-UTF-8 paths are sent to Central as UTF-8 encoded alerts. If you restore one of these files using the Path option, it fails because the UTF-8 encoded path doesn't exist in the database. You must restore the file using the SHA-256 option.

av <> File at location: <FILEPATH> is located on a Network mount: <MOUNTPATH>. Will not quarantine.

This is expected behavior. We won't quarantine a file on a remote mount. This log entry is also expected for the scan result.

Quarantine troubleshooting

Most quarantine failures start with av <> Quarantine failed for threat: followed by the path to the threat in av.log. You can check safestore.log for more information on the nature of the failure. Some possible messages are as follows:

safestore <> File at location: <PATH_TO_DETECTION> is immutable. Will not quarantine.

SPL has detected a threat but failed to quarantine the file. SPL can't quarantine immutable files. They have a flag set that indicates the file can't be changed, moved, deleted, or overwritten, not even by the root user.

safestore <> Cannot quarantine <PATH_TO_DETECTION> as it can't be verified to be the threat

This indicates that the file that triggered the detection is located in a PrivateTmp namespace, but a file with the same name and path also exists in the root namespace. SafeStore can't tell which of the two is the file that was detected, so it quarantines neither.

safestore <> Cannot quarantine <PATH_TO_DETECTION> as it does not exist

Safestore records this message in the following scenarios:

  • The file that triggered the detection is located in a PrivateTmp namespace and a file with the same name doesn't exist in the root namespace.
  • The file that triggered the detection has been moved or deleted before Safestore could quarantine it.
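The quarantine messages in this section and in "av.log shows av <> Quarantine failed for threat:" above, as one added triage example. This is not Sophos code: the reason codes, the lsattr flag parsing, the findmnt call, and the systemd-private-* path layout used to locate a PrivateTmp copy are this script's own assumptions; the log message strings are the ones quoted on this page.

```bash
#!/bin/sh
# Added example, not Sophos code: turn a quarantine failure message from
# safestore.log or av.log into a reason, then run the local check that
# explains it (immutable flag, remote mount, PrivateTmp namespace).
set -eu

# Most recent "Will not quarantine"/"Cannot quarantine" line in a log, mapped
# to a reason code. The messages are the ones quoted on this page; the codes
# are this script's own.
quarantine_failure_reason() {
    line=$(grep -e 'Will not quarantine' -e 'Cannot quarantine' "$1" | tail -n 1)
    case $line in
        '')                                      echo none ;;
        *'is immutable. Will not quarantine'*)   echo immutable ;;
        *'is located on a Network mount'*)       echo network-mount ;;
        *"can't be verified to be the threat"*)  echo privatetmp-ambiguous ;;
        *'as it does not exist'*)                echo missing ;;
        *)                                       echo unknown ;;
    esac
}

# lsattr prints a flags field such as "----i---------e-------"; a lower-case
# "i" in it is the immutable attribute that stops SafeStore (and root) from
# moving the file. The field is passed in so the check can be tested.
has_immutable_flag() { case $1 in *i*) return 0 ;; *) return 1 ;; esac; }

check_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null) || { echo "lsattr failed for $1" >&2; return 2; }
    flags=${flags%% *}
    if has_immutable_flag "$flags"; then
        echo "$1 is immutable (lsattr $flags); 'chattr -i' as root clears the flag"
    else
        echo "$1 is not immutable (lsattr $flags)"
    fi
}

# Filesystem type and mount point the path lives on; a remote type (nfs, cifs,
# ...) is what the network-mount refusal is about. Assumes util-linux findmnt.
check_mount() { findmnt -T "$1" -no FSTYPE,TARGET; }

# A file SPL saw under /tmp (or /var/tmp) inside a service running with
# PrivateTmp=yes lives on the host as
# /tmp/systemd-private-<boot-id>-<unit>-<random>/tmp/<rest>. List that copy and
# the root-namespace file so you can see which one still exists. $2 (testing
# aid) overrides the host directory that stands in for /tmp or /var/tmp.
privatetmp_copies() {
    case $1 in
        /tmp/*)     base=${2:-/tmp};     rel=${1#/tmp/} ;;
        /var/tmp/*) base=${2:-/var/tmp}; rel=${1#/var/tmp/} ;;
        *) echo "not under /tmp or /var/tmp: $1" >&2; return 1 ;;
    esac
    [ -e "$base/$rel" ] && echo "root namespace: $base/$rel"
    for priv in "$base"/systemd-private-*/tmp; do
        [ -e "$priv/$rel" ] && echo "PrivateTmp copy: $priv/$rel"
    done
    return 0
}

# usage: sudo sh spl-quarantine-triage.sh <PATH_TO_DETECTION> [safestore.log] [av.log]
if [ $# -ge 1 ]; then
    reason=none
    for log in "${2:-/opt/sophos-spl/plugins/av/log/safestore.log}" "${3:-/opt/sophos-spl/plugins/av/log/av.log}"; do
        [ -r "$log" ] || continue
        r=$(quarantine_failure_reason "$log")
        [ "$r" = none ] || { reason=$r; break; }
    done
    echo "reason: $reason"
    case $reason in
        immutable)                    check_immutable "$1" ;;
        network-mount)                check_mount "$1" ;;
        privatetmp-ambiguous|missing) privatetmp_copies "$1" ;;
    esac
fi
```

Whether to clear an immutable flag, or to deal with a copy inside a service's PrivateTmp directory, is a decision for the responder; the script only shows where the file is and why SafeStore left it alone. For the PrivateTmp case, the unit name in the systemd-private-* directory tells you which service wrote the file.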

Device isolation troubleshooting

How can I access an isolated Linux device?

We recommend turning on Allow Live Response connections to servers. This lets you use Live Response to connect to any supported server on your network. See Turn on Live Response for servers. Sophos Central Super Admins or roles that include "Start Live Response sessions on servers" can start Live Response sessions with isolated Linux devices.

If you need access to an isolated Linux device from outside of Sophos Central, you must use exclusions to allow the services needed to access the device. See Device isolation exclusions.

More resources