Troubleshooting Sophos Protection for Linux

Real-time scanning isn't working.

In Sophos Central, check the following settings in your server's Threat Protection policy:

• Make sure Real-time scanning - Local files and network shares is turned on.
• Make sure Enable scan for Server Protection for Linux Agent is turned on.

On your Linux device, check the following items:

• The value for onRead and onWrite in /opt/sophos-spl/base/mcs/policy/CORC_policy.xml is true.
• The value for onOpen and onClose in /opt/sophos-spl/plugins/av/var/on_access_policy.json is true.

• Check /opt/sophos-spl/plugins/av/log/soapd.log. If either of the following lines appears, then the associated scan is turned off:

  • soapd_bootstrap <> Scanning on-open disabled
  • soapd_bootstrap <> Scanning on-close disabled

av.log shows "av <> Quarantine failed for threat:"

SPL has detected a threat but failed to quarantine the file. Check /opt/sophos-spl/plugins/av/log/safestore.log for the detection. If you see the following message, it means SPL can't quarantine the file:

safestore <> File at location: [PATH_TO_DETECTION] is immutable. Will not quarantine.

Immutable files have a flag set that indicates the file can't be changed, moved, deleted, or overwritten, not even by the root user.

The process associated with a real-time threat detection is still running.

Make sure End malicious processes associated with a real-time threat detection is turned on in your threat protection policy. Do as follows:

1. Sign in to Sophos Central.
2. Go to My Products > Server > Policies.
3. Select your threat protection policy.
4. Click Settings.
5. Under Real-time scanning - Local files and network shares, make sure End malicious processes associated with a real-time threat detection is selected.
6. Click Save.

Timed out gathering optional metadata, some optional metadata won't be available

When a real-time scanning detection happens in a cloud environment, the SPL Agent tries to gather additional data from the instance's local metadata service. If the SPL Agent can't gather the data within the timeout period, the request times out, and SPL logs the event and generates an alert without the optional metadata fields.

Runtime detections aren't working

Go to My Products > Server > Policies and do as follows:

• Check your Linux device's Threat Protection policy and make sure Linux runtime detections is turned on. See Runtime Protection.
• Check your Linux device's Linux Runtime Detection policy and make sure Enable Linux Runtime Detection is turned on.

Go to My Products > Cloud Native Security > Profiles* and check the following:

• Make sure the Linux runtime detection profile from your Linux Runtime Detection policy contains a rule for the missed detection. See Advanced Linux Runtime Detection Profile configuration.
• Make sure the rule in your Linux runtime detection profile is enabled. See Rule details.

The Content Version in Sophos Central has a different build number than the rtd_content_version shown on a Linux device.

The Content Version may still be up to date, even if the build number is different. See Content Version.

runtimedetections <> Error adding policies

The runtime detections plugin encountered an issue with a policy or group of policies. In this case, the RTD plugin is still running, and all other rules are active, but Sophos Central shows a red health status to alert you to the issue so you can investigate.

You may also see runtimedetections <> Error initializing "<POLICY_NAME>": no valid symbol found in /opt/sophos-spl/plugins/runtimedetections/log/runtimedetections.log. This line tells you which policy caused the issue so you can investigate.

The systemctl status sophos-spl command returns /opt/sophos-spl/plugins/av/sbin/sophos_threat_detector_launcher died with 64.

SPL also shows a red health status in Sophos Central with the message "Not started: Sophos Linux AntiVirus".

SPL is installed on a Linux distribution or kernel that doesn't support ambient capabilities. See the system requirements in the Sophos Protection for Linux release notes.

av.log shows "av <> Health encountered an error resolving pid for ThreatDetector."

SPL also shows a red health status in Sophos Central with the message "Not started: Sophos Linux AntiVirus".

SPL doesn't support running with hidepid=1 or hidepid=2 on Ubuntu 20.04 and Ubuntu 22.04. You must edit /etc/vfstab and remove the hidepid option from the mount line.

Safestore fails to restore a file

Debug logging shows "Common <> Could not convert from: UTF-8"

Threat detections on files with non-UTF-8 paths are sent to Central as UTF-8 encoded alerts. If you restore one of these files using the Path option, it fails because the UTF-8 encoded path doesn't exist in the database. You must restore the file using the SHA-256 option.

av <> File at location: <FILEPATH> is located on a Network mount: <MOUNTPATH>. Will not quarantine.

This is expected behavior. We won't quarantine a file on a remote mount. This log entry is also expected for the scan result.

safestore <> File at location: <PATH_TO_DETECTION> is immutable. Will not quarantine.

SPL has detected a threat but failed to quarantine the file. SPL can't quarantine immutable files. They have a flag set that indicates the file can't be changed, moved, deleted, or overwritten, not even by the root user.

safestore <> Cannot quarantine <PATH_TO_DETECTION> as it can't be verified to be the threat

This indicates that the file that triggered the detection is located in a PrivateTmp namespace but a file with the same name and path also existed in the root namespace.

safestore <> Cannot quarantine <PATH_TO_DETECTION> as it does not exist

Safestore records this message in the following scenarios:

• The file that triggered the detection is located in a PrivateTmp namespace and a file with the same name doesn't exist in the root namespace.
• The file that triggered the detection has been moved or deleted before Safestore could quarantine it.

How can I access an isolated Linux device?

We recommend turning on Allow Live Response connections to servers. This lets you use Live Response to connect to any supported server on your network. See Turn on Live Response for servers. Sophos Central Super Admins or roles that include "Start Live Response sessions on servers" can start Live Response sessions with isolated Linux devices.

If you need access to an isolated Linux device from outside of Sophos Central, you must use exclusions to allow the services needed to access the device. See Device isolation exclusions.