Sophos Anti-Virus

Discover with BMC ADDM

This product can be discovered by any edition of BMC Atrium Discovery and Dependency Mapping. Download our free Community Edition to try it out, or see what else it can discover!

What is this?
This is a product information page, containing details of the information that BMC Atrium Discovery gathers about a product and how it is obtained.
Product Name
Anti-Virus
Publisher Page

Sophos

Category

Secure Content and Threat Management

Release
TKU 2010-Apr-1
Change History

Sophos Anti-Virus - Change History

Reports & Attributes

Sophos Anti-Virus - Reports & Attributes

Publisher Link
Sophos

Product Description

Sophos Anti-Virus is software that detects and deals with threats on your computer or network (see http://www.sophos.com/security/): viruses, worms, Trojans, spyware, suspicious files, suspicious behavior, adware, PUAs (potentially unwanted applications), rootkits, applications that are controlled as part of your company policy, and devices that are blocked as part of your company policy.

In particular, it can:

  • scan your computer or network for threats, and controlled applications
  • check if each file you access is a threat or controlled application
  • check if each web page you view contains a threat (applies only to Internet Explorer version 6 or later)
  • alert you when it finds a threat, controlled application, or blocked device
  • clean up infected items
  • stop suspicious behavior
  • prevent adware and PUAs from running on your computer
  • clean adware and PUAs from your computer
  • keep a log of its activity
  • be updated to detect the latest threats.

Sophos Anti-Virus is available on Microsoft Windows as well as a number of Unix platforms.

Sophos Anti-Virus is also included as part of the Endpoint Security and Control suite of products.

Known Versions

  • 1.0
  • 4.35
  • 4.7
  • 6.4
  • 7.0
  • 7.6

Software Pattern Summary

Product Component   OS Type      Versioning                                      Pattern Depth
AntiVirusWindows    Windows      File, Package                                   Instance-based
AntiVirusUnix       Unix/Linux   File - may require Active command execution     Instance-based

Platforms Supported by the Pattern

Patterns in this module support Windows, and Unix/Linux platforms

Identification

Software Instance Triggers

Pattern            Trigger Node        Attribute   Condition        Argument
AntiVirusWindows   DiscoveredProcess   cmd         matches regex    '(?i)\bSavService\.exe$'
AntiVirusLinux     DiscoveredProcess   cmd         matches regex    '\bsavd$'

Simple Identification Mappings

The following components/processes are identified using a combination of pattern definitions and simple identity mappings, which map the known processes of this product.

Name                                                             Command
Sophos AutoUpdate service                                        regex '(?i)\bALsvc\.exe$'
Sophos Anti-Virus Monitor service                                regex '(?i)\bALMon\.exe$'
Sophos Anti-Virus process                                        regex '(?i)\bSavService\.exe$'
Sophos Anti-Virus administrating service                         regex '(?i)\bSAVAdminService\.exe$'
Graphical interface to Sophos Anti-Virus                         regex '(?i)\bSavMain\.exe$'
Sophos Anti-Virus scheduled scans service                        regex '(?i)\bBackgroundScanClient\.exe$'
Sophos Anti-Virus network connecting and downloading service     regex '(?i)\bALUpdate\.exe$'
Main Sophos Anti-Virus daemon process                            regex '\bsavd$'
Sophos Anti-Virus GUI daemon process                             regex '\bsavwebd$'
Sophos Anti-Virus scanning process                               regex '\bsavscan$'

Versioning

Version information may be obtained either by parsing a configuration file (located via a registry query) or by using a package query on Windows, and by parsing the 'version' file on Unix/Linux systems.

File Parsing

Windows

Sophos Anti-Virus has a configuration file, factory.xml, which among other data holds the product version information.
We can determine its location by extracting the configuration path from the following registry key:

'HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\Application\BOPSConfig'.

If the path is obtained, the file is retrieved and the XPath TPL function is used to extract the product version (major, minor and build). Otherwise, we use package information to populate the version.

Unix

On Unix systems a 'version' file exists as part of an installation and is located in the 'engine' directory. By default, Sophos Anti-Virus software is installed into the '/opt/sophos-av' directory, but if it is not there, the pattern makes use of the 'locate' command on Linux/BSD systems to find the installation directory and retrieve the file.

If the 'locate' command is used, the command run is:

/usr/bin/locate sophos-av/engine/version

The output of the 'locate' command is parsed using the following regular expression:
((?:/\S+)+/sophos-av/engine/version)

If the file is retrieved, the content is parsed using the following regular expression:
(\d+\.\d+(?:\.\d+))*

Package Versioning

If the pattern is unable to extract the version information from a configuration file, on Windows hosts the pattern can query the package management system to obtain the product version from the package named 'Sophos Anti-Virus'.
The regular expression used to match the package name is:

'^(?i)Sophos\s(\S+\s)?Anti-Virus'

Future Considerations

We cannot be certain of obtaining the product version on other Unix platforms, e.g. Solaris.

Application Model Produced by Software Pattern

Product Architecture

Sophos Anti-Virus software is based on several processes/daemons, which are independent of each other and do not create child processes, but are nevertheless all of importance.

Windows system:

SavService.exe
This is the main Sophos Anti-Virus service that interfaces with the drivers and the user interface. SavService.exe performs virus scanning and disinfection functions.

SAVAdminService.exe
This service provides information about anti-virus protection to Windows Control Center.

SavMain.exe
This is the graphical interface to Sophos Anti-Virus, through which the application is configured and controlled locally.

ALsvc.exe
This is the AutoUpdate service, run as 'System User'.
When the service first starts up it performs an update check against the CID. ALsvc.exe runs a scheduler that triggers scheduled updates. It provides an interface that allows an update to be started.

ALUpdate.exe
ALUpdate.exe is the file responsible for connecting to the network and downloading files.
At the start of an update, the Sophos AutoUpdate Service copies ALUpdate.exe and the required DLLs and certificates from the above location to: %windir%\temp\sophos_autoupdate1.dir\ALUpdate.exe.
This allows AutoUpdate to perform an update of itself, if required.

ALMon.exe
This process presents the shield icon in the system tray.
ALMon.exe is a DCOM server ("dcomcnfg" - "DCOM Config" - "iMonitor"), which allows Sophos Anti-Virus to display virus alerts to the user desktop.

Unix system:

savd

Main Sophos Anti-Virus daemon process.

savwebd

Sophos Anti-Virus GUI daemon process. Activates GUI, which helps to configure Sophos software on Unix systems.

savscan

Sophos Anti-Virus scanning process. Initiated by the user or by the scheduled procedure.

Software Pattern Model

Windows:

This pattern triggers on the process SavService.exe, the main one for the anti-virus service.
Since only one installation of this software is assumed to be running on the host, a simple SI key containing the 'type' and 'host key' attributes is used on creation of the Software Instance.

Unix/Linux systems:

This pattern triggers on the process savd, the main anti-virus daemon process. Since only one installation of this software is assumed to be running on the host, a simple SI key containing the 'type' and 'host key' attributes is used on creation of the Software Instance.

Build

The build number is currently obtained on Windows machines from the configuration file, using the xpath.evaluate() function.
On Unix the pattern extracts the build number from the full_version variable with the help of the following regex:
regex '^\d+\.\d+\.(\d+)'
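To show how the identification mappings and the Unix/package versioning steps described above fit together, here is an added Python example (not TPL and not BMC's pattern code) that applies the regular expressions quoted on this page to constructed sample data. The command lines, locate output, version file and package list are all made up for the example; the only deviation from the page is that the package regex's '(?i)' flag is moved to the front, because Python 3.11 and later reject a flag that is not at the start of the expression.

```python
import re

# Mappings and regexes quoted from the page's identification and versioning sections.
PROCESS_MAP = {
    "Sophos Anti-Virus process": r"(?i)\bSavService\.exe$",
    "Sophos AutoUpdate service": r"(?i)\bALsvc\.exe$",
    "Sophos Anti-Virus Monitor service": r"(?i)\bALMon\.exe$",
    "Main Sophos Anti-Virus daemon process": r"\bsavd$",
    "Sophos Anti-Virus scanning process": r"\bsavscan$",
}
LOCATE_RE = r"((?:/\S+)+/sophos-av/engine/version)"
VERSION_RE = r"(\d+\.\d+(?:\.\d+))*"  # as quoted on the page: group 1 is set only for a 3-part version
BUILD_RE = r"^\d+\.\d+\.(\d+)"
# The page writes '^(?i)Sophos...'; Python 3.11+ rejects a flag that is not first, so it is moved.
PACKAGE_RE = r"(?i)^Sophos\s(\S+\s)?Anti-Virus"

# Constructed sample inputs, not captured from a real host.
SAMPLE_CMDS = [
    r"C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe",
    r"C:\Program Files\Sophos\AutoUpdate\ALsvc.exe",
    "/opt/sophos-av/bin/savd",
    "/usr/sbin/sshd",
]
SAMPLE_LOCATE = "/opt/sophos-av/bin/savscan\n/opt/sophos-av/engine/version\n"
SAMPLE_FILES = {"/opt/sophos-av/engine/version": "7.6.4\n"}

def identify(cmds):
    """Map each DiscoveredProcess cmd to its component name (None if not a Sophos process)."""
    return {c: next((n for n, rx in PROCESS_MAP.items() if re.search(rx, c)), None) for c in cmds}

def unix_version(locate_output, read_file):
    """Unix path: find the 'version' file via locate output, then parse version and build."""
    m = re.search(LOCATE_RE, locate_output)
    if not m:
        return None  # installation not found; the pattern sets no version attribute
    v = re.search(VERSION_RE, read_file(m.group(1)) or "")
    full = v.group(1) if v else None
    if not full:
        return None  # e.g. a two-part version, which the quoted regex does not capture
    b = re.match(BUILD_RE, full)
    return {"path": m.group(1), "full_version": full, "build": b.group(1) if b else None}

def windows_package_version(packages):
    """Windows fallback when factory.xml is unavailable: version from the matching package name."""
    return next((ver for name, ver in packages.items() if re.search(PACKAGE_RE, name)), None)

if __name__ == "__main__":
    print(identify(SAMPLE_CMDS))
    print(unix_version(SAMPLE_LOCATE, SAMPLE_FILES.get))
    print(windows_package_version({"Sophos Anti-Virus": "7.6.20"}))
```

Note that the quoted version regex yields no capture for a two-part version such as '4.35', so such a host would be discovered but left unversioned.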

Relationship Creation

Patterns create associating relationships between the trigger process and all other Sophos Anti-Virus processes, since they are all logically part of the same software instance.

Subject Matter Expertise

Subject Matter Expert input will be welcome on any other potential approaches, not discussed here, to improving the product versioning coverage and depth for Sophos Anti-Virus.

Testing

Testing to ensure that the processes related to Sophos Anti-Virus have been correctly identified and that the product can be versioned has been run using live discovery against hosts running Red Hat Enterprise Linux Server release 5.1 and Windows Server 2003 operating systems.

Information Sources

http://www.sophos.com/support/knowledgebase/article/36207.html

http://www.sophos.com/support/knowledgebase/article/36262.html#SigAccts

http://www.net-security.org/review.php?id=10

Open Issues

There are no known open issues with this pattern.

Created by: Olexandr Kashkevich 12 Nov 2008
Updated by: Olexandr Kashkevich 13 Apr 2010
Reviewed by: Nikola Vukovljak 13 Nov 2008
