I'm running Sophos AV on a CentOS 7 server.
The on-access scanner seems to work for files created manually, but not for files created by an upload.
I'm using the EICAR test string X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
to trigger the scanner.
- Create the file on the server - SophosAV detects it and quarantines it.
- Upload the file through the WordPress media menu; the file is uploaded to
/var/www/assets/uploads/2020/03/eicar.jpg
- The file is NOT detected.
- Run
/opt/sophos-av/savscan /var/www/assets/uploads/2020/03
- The uploaded file is detected.
- Run
cat /var/www/assets/uploads/2020/03/eicar.jpg > /var/www/assets/uploads/2020/03/eicar2.jpg
- The newly created file is detected; the original is ignored.
- The uploaded file can be accessed + downloaded through a browser without any interference from Sophos.
I restrict the file types that can be uploaded through the back end, but I want Sophos to scan them as well for added security.
Am I doing something wrong, or misunderstanding something fundamental about how Sophos on-access scanning works?
EDIT
Following Douglas Leeder's answer below, I removed -open
from TalpaOperations
, which should enable on-access scanning when a file is read as well as when it is written.
I also took WordPress out of the equation and just wrote a simple PHP upload script that takes the file from $_POST
and runs
rename($_FILES['file']['tmp_name'], '/var/www/uploads/' . $_FILES['file']['name']);
to move the uploaded file.
The upload itself works fine, but now I can't cat
the uploaded file (even as root):
$ cat eicar
cat: eicar: Operation not permitted
// Sophos log
<log>
<category>log.threat</category>
<level>ERROR</level>
<domain>savscand</domain>
<msg>NOTIFY-THREAT-INFECTED-NO-ACCESSED-PATH</msg>
<time>1583232176</time>
<arg>/var/www/uploads/eicar</arg>
<arg>EICAR-AV-Test</arg>
<arg>OPERATION_OPEN</arg>
</log>
However, I can still open / download the file through the browser.
It looks as though the HTTPD process is somehow getting read / write access to the filesystem in a way that bypasses Sophos / Talpa.
$ sudo /opt/sophos-av/bin/savscan -v
SAVScan virus detection utility
Copyright (c) 1989-2020 Sophos Limited. All rights reserved.
System time 12:09:37, System date 02 March 2020
Product version : 5.63.0
Engine version : 3.77.1
Virus data version : 5.72
User interface version : 2.03.077
Platform : Linux/AMD64
Released : 04 February 2020
Total viruses (with IDEs) : 46940998
Information on additional data files:
Data file name : /opt/sophos-av/lib/sav/spy-ayt.ide
Data file type : IDE
Data file date : 07 January 2020, 14:48:22
Data file status : Loaded
... Lots more data files ...
# savd.cfg #
<?xml version="1.0"?>
<SophosAntiVirus xmlns="savd.xsd">
<Sophos>
<OnAccess>
<EnableOnStart>true</EnableOnStart>
<Quarantine>false</Quarantine>
<TakeActionOnClose>false</TakeActionOnClose>
<RestrictProcessExclusions>false</RestrictProcessExclusions>
<OnEnable>
<StartupTimeoutMs>60000</StartupTimeoutMs>
<Scan/>
<NoScan/>
</OnEnable>
<OnDisable>
<StopTimeoutMs>30000</StopTimeoutMs>
<ScanTimeoutMs>10000</ScanTimeoutMs>
<Scan/>
<NoScan/>
</OnDisable>
<Scanner>
<HookModule>talpa_vfshook</HookModule>
<Processes>2</Processes>
<ThreadsPerProcess>5</ThreadsPerProcess>
<AdaptiveThreading>true</AdaptiveThreading>
<MaximumThreads>5</MaximumThreads>
<MissingHeartbeatDurationSec>60</MissingHeartbeatDurationSec>
<AutomaticAction/>
<DenyOnDetectionError>false</DenyOnDetectionError>
<DenyOnOperatingSystemError>true</DenyOnOperatingSystemError>
<DenyOnCorruptFile>false</DenyOnCorruptFile>
<AllowIfEncrypted>false</AllowIfEncrypted>
<AllowIfPartVolume>false</AllowIfPartVolume>
<AllowIfNotSupported>false</AllowIfNotSupported>
<AllowCorruptInCleanArchive>true</AllowCorruptInCleanArchive>
<TalpaDevicePath>/dev/sophos-vc</TalpaDevicePath>
<TalpaVettingTimeoutMs>100</TalpaVettingTimeoutMs>
<TalpaVettingGroup>0</TalpaVettingGroup>
<FileCacheSizeBytes>4096</FileCacheSizeBytes>
<UseExtendedRegex>true</UseExtendedRegex>
<GracePeriods>
<StopTimeoutMs>20000</StopTimeoutMs>
<KillTimeoutMs>2000</KillTimeoutMs>
</GracePeriods>
<RespawnThrottling>
<Limit>5</Limit>
<Max>10</Max>
<PeriodDurationMs>20000</PeriodDurationMs>
</RespawnThrottling>
<ExclusionEncodings>UTF-8</ExclusionEncodings>
<ExclusionEncodings>EUC-JP</ExclusionEncodings>
<ExclusionEncodings>ISO-8859-1</ExclusionEncodings>
<FileExclusions>
<Glob/>
<Expression/>
</FileExclusions>
<MountExclusions>
<DeviceExpression/>
<DeviceGlob/>
<MountpointExpression/>
</MountExclusions>
<ThreatDetection>
<U32>
<EnableAutoStop>0</EnableAutoStop>
<ExecFileDisinfection>1</ExecFileDisinfection>
<Xml>0</Xml>
<SXLLiveProtection>0</SXLLiveProtection>
</U32>
<U16/>
<STR/>
<VirusDataDir>./lib/sav</VirusDataDir>
<IdeDir>./lib/sav</IdeDir>
<UseSharedMemory>false</UseSharedMemory>
<SXL>
<ServerList>00010203</ServerList>
<TopLevelDomain>nix.sophosxl.net</TopLevelDomain>
</SXL>
</ThreatDetection>
</Scanner>
<Talpa>
<intercept-filters>
<Cache>
<fstypes>ext3</fstypes>
<fstypes>ext4</fstypes>
<fstypes>ext2</fstypes>
<fstypes>tmpfs</fstypes>
<fstypes>devtmpfs</fstypes>
<fstypes>iso9660</fstypes>
<fstypes>udf</fstypes>
<fstypes>xfs</fstypes>
<fstypes>reiserfs</fstypes>
<fstypes>jfs</fstypes>
<fstypes>vfat</fstypes>
<fstypes>msdos</fstypes>
<fstypes>ntfs</fstypes>
<fstypes>hfs</fstypes>
<fstypes>minix</fstypes>
<fstypes>ramfs</fstypes>
<fstypes>romfs</fstypes>
<fstypes>ufs</fstypes>
<fstypes>umsdos</fstypes>
<fstypes>xenix</fstypes>
<fstypes>cramfs</fstypes>
<status>enable</status>
</Cache>
<DebugSyslog>
<status>disable</status>
</DebugSyslog>
<FilesystemExclusionProcessor>
<paths/>
<fstypes/>
</FilesystemExclusionProcessor>
<FilesystemInclusionProcessor>
<status>false</status>
<include-path>/</include-path>
</FilesystemInclusionProcessor>
<VettingController>
<timeout-ms>10000</timeout-ms>
<fs-timeout-ms>60000</fs-timeout-ms>
<timeout-deny>true</timeout-deny>
<xsmartsched-fix>true</xsmartsched-fix>
<interruptible>false</interruptible>
</VettingController>
</intercept-filters>
</Talpa>
<Fanotify>
<ExcludeFilesystems/>
</Fanotify>
<PreferFanotify>false</PreferFanotify>
<DisableFanotify>true</DisableFanotify>
</OnAccess>
<Notification>
<debug>False</debug>
<QueueLimit>50</QueueLimit>
<Notifiers>
<Log>
<Status>True</Status>
<Location>./log</Location>
<Prefix>savd</Prefix>
<MaxSizeMiB>100</MaxSizeMiB>
<ErrorCategory>log.error</ErrorCategory>
<ThreatCategory>log.threat</ThreatCategory>
</Log>
<Syslog>
<Status>True</Status>
<Facility>DAEMON</Facility>
</Syslog>
<UI>
<Status>enabled</Status>
<ttynotification>True</ttynotification>
<popupNotification>True</popupNotification>
<Message>
<ContactMessage/>
</Message>
</UI>
<Email>
<Status>enabled</Status>
<Server>localhost:25</Server>
<SendThreatEmail>true</SendThreatEmail>
<SendScanErrorEmail>true</SendScanErrorEmail>
<SendErrorEmail>true</SendErrorEmail>
<SendLogEmailLevel>FATAL</SendLogEmailLevel>
<SendDemandSummaryAlways>false</SendDemandSummaryAlways>
<SendDemandSummaryIfThreat>true</SendDemandSummaryIfThreat>
<Message>
<ThreatMessage/>
<ScanErrorMessage/>
<LogMessage/>
</Message>
<EmailLanguage>English</EmailLanguage>
<AlwaysSend>
<MsgID>USING_BACKUP_CONFIGURATION</MsgID>
<MsgID>ALL_UPDATE_SOURCES_FAILED</MsgID>
<MsgID>RESPAWN-LIMIT</MsgID>
<MsgID>VIRUS-DATA-OLD</MsgID>
<MsgID>TALPA-FAILURE</MsgID>
<MsgID>TALPA-COMPILED</MsgID>
</AlwaysSend>
<Recipient>
<To>root@localhost</To>
</Recipient>
<Log>true</Log>
</Email>
</Notifiers>
</Notification>
<OnDemand>
<LogStartStop>true</LogStartStop>
<LogDetails>true</LogDetails>
</OnDemand>
<Core/>
<WebUI>
<HttpPort>8081</HttpPort>
<Username>admin</Username>
<Password/>
</WebUI>
<CID>
<SophosUpdateLocation locked="true">sdds:SOPHOS</SophosUpdateLocation>
<NotifyOnUpdate>false</NotifyOnUpdate>
<NotifyOnCheck>false</NotifyOnCheck>
</CID>
<Update>
<EnableAutoUpdating>true</EnableAutoUpdating>
<Primary>
<Policy>recommended</Policy>
<UseHttps>true</UseHttps>
</Primary>
<Secondary>
<UseHttps>true</UseHttps>
</Secondary>
<UpdateHttpsAllowDowngradeToHttp>true</UpdateHttpsAllowDowngradeToHttp>
</Update>
<LogPrimaryUpdateError>true</LogPrimaryUpdateError>
<DetectionFeedback>
<MaxQueueSize>8192</MaxQueueSize>
<LookupDomain>samples.sophosxl.net</LookupDomain>
<UploadURL>samples.sophosxl.net</UploadURL>
<UploadFiles>false</UploadFiles>
<UploadTimeout>120</UploadTimeout>
</DetectionFeedback>
</Sophos>
<Corporate/>
<ConsoleAV>
<OnAccess>
<EnableOnStart>1</EnableOnStart>
<Scanner>
<ThreatDetection>
<U32>
<FullSweep>0</FullSweep>
<SfxArchives>0</SfxArchives>
<ZipDecompression>0</ZipDecompression>
<ArjDecompression>0</ArjDecompression>
<RarDecompression>0</RarDecompression>
<UueDecompression>0</UueDecompression>
<GZipDecompression>0</GZipDecompression>
<Deflate>0</Deflate>
<CmzDecompression>0</CmzDecompression>
<MSCabinet>0</MSCabinet>
<ISCabinet>0</ISCabinet>
<LZMAAlone>0</LZMAAlone>
<Brotli>0</Brotli>
<TarDecompression>0</TarDecompression>
<Lha>0</Lha>
<MSCompress>0</MSCompress>
<HqxDecompression>0</HqxDecompression>
<MbinDecompression>0</MbinDecompression>
<AppleSingle>0</AppleSingle>
<Bzip2>0</Bzip2>
<Sis>0</Sis>
<Szip>0</Szip>
<Xar>0</Xar>
<Egg>0</Egg>
<Alz>0</Alz>
<CustomExtract>0</CustomExtract>
<UnixArchive>0</UnixArchive>
<Rpm>0</Rpm>
<SXLLiveProtection>1</SXLLiveProtection>
</U32>
</ThreatDetection>
<AllowIfBootSectorThreat>0</AllowIfBootSectorThreat>
<FileExclusions>
<Glob>/tmp/clamav*</Glob>
<Glob>/tmp/odeiavir*</Glob>
<Glob>/var/www/vhosts/system/*/logs/*log*</Glob>
<Glob>/var/www/vhosts/system/*/statistics/logs/*log*</Glob>
<Glob>/var/www/vhosts/*/logs/*_log*</Glob>
<Expression/>
</FileExclusions>
<AutomaticAction/>
</Scanner>
<Talpa>
<intercept-filters>
<FilesystemExclusionProcessor>
<paths>/boot/efi/</paths>
<paths>/dev/shm/</paths>
<paths>/opt/app/oracle/</paths>
<paths>/opt/oracle/</paths>
<paths>/opt/simpana/</paths>
<paths>/oratmp/</paths>
<paths>/run/</paths>
<paths>/tmp/hsperfdata_oracle/</paths>
<paths>/u01/app/</paths>
<paths>/u02/oradata/</paths>
<paths>/u03/oradata/</paths>
<paths>/usr/local/pgsql/data/</paths>
<paths>/usr/local/psa/</paths>
<paths>/var/drweb/</paths>
<paths>/var/hsphere/</paths>
<paths>/var/lib/lxcfs/</paths>
<paths>/var/lib/mysql/</paths>
<paths>/var/lib/mysqlbackup/</paths>
<paths>/var/lib/mysqllogs/</paths>
<paths>/var/lib/mysqltmp/</paths>
<paths>/var/lib/pgsql/</paths>
<paths>/var/lock/</paths>
<paths>/var/log/</paths>
<paths>/var/qmail/</paths>
<paths>/var/run/</paths>
<paths>/var/spool/</paths>
<paths>/var/tmp/.oracle/</paths>
<fstypes append="true"/>
<status>1</status>
</FilesystemExclusionProcessor>
</intercept-filters>
</Talpa>
<Quarantine>1</Quarantine>
<TakeActionOnClose>1</TakeActionOnClose>
<WindowsAllExtensions>0</WindowsAllExtensions>
<WindowsNoExtension>1</WindowsNoExtension>
<WindowsExtensionExclusions>AVHD</WindowsExtensionExclusions>
<WindowsExtensionExclusions>AVHDX</WindowsExtensionExclusions>
<WindowsExtensionExclusions>BAK</WindowsExtensionExclusions>
<WindowsExtensionExclusions>CHK</WindowsExtensionExclusions>
<WindowsExtensionExclusions>EDB</WindowsExtensionExclusions>
<WindowsExtensionExclusions>FRM</WindowsExtensionExclusions>
<WindowsExtensionExclusions>FWD</WindowsExtensionExclusions>
<WindowsExtensionExclusions>GSC</WindowsExtensionExclusions>
<WindowsExtensionExclusions>GSE</WindowsExtensionExclusions>
<WindowsExtensionExclusions>LDF</WindowsExtensionExclusions>
<WindowsExtensionExclusions>LOG</WindowsExtensionExclusions>
<WindowsExtensionExclusions>MBX</WindowsExtensionExclusions>
<WindowsExtensionExclusions>MDF</WindowsExtensionExclusions>
<WindowsExtensionExclusions>MYD</WindowsExtensionExclusions>
<WindowsExtensionExclusions>MYI</WindowsExtensionExclusions>
<WindowsExtensionExclusions>NDF</WindowsExtensionExclusions>
<WindowsExtensionExclusions>SDS</WindowsExtensionExclusions>
<WindowsExtensionExclusions>SMD</WindowsExtensionExclusions>
<WindowsExtensionExclusions>TRN</WindowsExtensionExclusions>
<WindowsExtensionExclusions>UND</WindowsExtensionExclusions>
<WindowsExtensionExclusions>UNF</WindowsExtensionExclusions>
<WindowsExtensionExclusions>UNH</WindowsExtensionExclusions>
<WindowsExtensionExclusions>UNI</WindowsExtensionExclusions>
<WindowsExtensionExclusions>UNQ</WindowsExtensionExclusions>
<WindowsExtensionExclusions>UNS</WindowsExtensionExclusions>
<WindowsExtensionExclusions>VAC</WindowsExtensionExclusions>
<WindowsExtensionExclusions>VHD</WindowsExtensionExclusions>
<WindowsExtensionExclusions>VHDX</WindowsExtensionExclusions>
<WindowsExtensionExclusions>VMDX</WindowsExtensionExclusions>
<WindowsExtensionExclusions>VSV</WindowsExtensionExclusions>
<WindowsExtensionExclusions>WCI</WindowsExtensionExclusions>
<WindowsExtensionInclusions/>
<WindowsExclusion>C:\Clusterstorage\</WindowsExclusion>
<WindowsExclusion>C:\Imail\Imail\Spool\</WindowsExclusion>
<WindowsExclusion>C:\inetpub\temp\IIS Temporary Compressed Files\</WindowsExclusion>
<WindowsExclusion>C:\Program Files (x86)\Dell\</WindowsExclusion>
<WindowsExclusion>C:\Program Files (x86)\Urchin\</WindowsExclusion>
<WindowsExclusion>
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\
</WindowsExclusion>
<WindowsExclusion>C:\Program Files\CommVault Systems\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\CommVault\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Dell\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Double-Take Software\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\DoubleTake\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Exchsrvr\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Ipswitch\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\LogMeIn\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\MegaRAID\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Microsoft Monitoring Agent\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Microsoft Office Servers\</WindowsExclusion>
<WindowsExclusion>
C:\Program Files\Microsoft System Center 2012 R2\Server\
</WindowsExclusion>
<WindowsExclusion>C:\Program Files\MxUptime\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Operations Manager\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Parallels\</WindowsExclusion>
<WindowsExclusion>
C:\Program Files\System Center Operations Manager 2007\
</WindowsExclusion>
<WindowsExclusion>C:\Program Files\System Center Operations Manager\</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Urchin\</WindowsExclusion>
<WindowsExclusion>C:\ProgramData\Microsoft\SharePoint\</WindowsExclusion>
<WindowsExclusion>C:\rs-pkgs\</WindowsExclusion>
<WindowsExclusion>C:\SmarterMail\</WindowsExclusion>
<WindowsExclusion>C:\System Volume Information\DFSR\</WindowsExclusion>
<WindowsExclusion>C:\Sysvol\</WindowsExclusion>
<WindowsExclusion>
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\
</WindowsExclusion>
<WindowsExclusion>
C:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\
</WindowsExclusion>
<WindowsExclusion>
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\
</WindowsExclusion>
<WindowsExclusion>
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\
</WindowsExclusion>
<WindowsExclusion>
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\
</WindowsExclusion>
<WindowsExclusion>
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\
</WindowsExclusion>
<WindowsExclusion>
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\
</WindowsExclusion>
<WindowsExclusion>
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\
</WindowsExclusion>
<WindowsExclusion>C:\Windows\NTDS\</WindowsExclusion>
<WindowsExclusion>C:\Windows\SoftwareDistribution\Datastore\</WindowsExclusion>
<WindowsExclusion>C:\Windows\System32\inetsrv\config\</WindowsExclusion>
<WindowsExclusion>C:\Windows\System32\LogFiles\</WindowsExclusion>
<WindowsExclusion>C:\Windows\Sysvol\</WindowsExclusion>
<WindowsExclusion>C:\Windows\Syswow64\LogFiles\</WindowsExclusion>
<WindowsExclusion>C:\Windows\Temp\Gthrsvc\</WindowsExclusion>
<WindowsExclusion>C:\Winnt\Temp\Gthrsvc\</WindowsExclusion>
<WindowsExclusion>HealthService.exe</WindowsExclusion>
<WindowsExclusion>ManagementService.exe</WindowsExclusion>
<WindowsExclusion>Microsoft.Mom.ConfigServiceHost.exe</WindowsExclusion>
<WindowsExclusion>Microsoft.Mom.Sdk.Service.exe</WindowsExclusion>
<WindowsExclusion>MonitoringHost.exe</WindowsExclusion>
<WindowsExclusion>MSMDSrv.exe</WindowsExclusion>
<WindowsExclusion>pagefile.sys</WindowsExclusion>
<WindowsExclusion>ReportingServicesService.exe</WindowsExclusion>
<WindowsExclusion>SQLServr.exe</WindowsExclusion>
<WindowsExclusion>vmh.exe</WindowsExclusion>
<WindowsExclusion>vmms.exe</WindowsExclusion>
<WindowsExclusion>vmwp.exe</WindowsExclusion>
<WindowsExclusion>C:\Program Files\Microsoft System Center\</WindowsExclusion>
<WindowsExcludeRemoteFiles>0</WindowsExcludeRemoteFiles>
<WindowsFileRead>0</WindowsFileRead>
<WindowsFileWrite>1</WindowsFileWrite>
<WindowsFileRename>1</WindowsFileRename>
</OnAccess>
<ContinuousScan>
<WindowsKernelMemoryScan>1</WindowsKernelMemoryScan>
</ContinuousScan>
<OnDemand>
<NamedScanList>SEC:FullSystemScan</NamedScanList>
<NamedScans>
<RichElement element_name="SEC:FullSystemScan" encoding="quoted printable">
scanHardDrives=3Dtrue=0AscanOpticalDrives=3Dtrue=0AscanNetworkFilesystems=3Dfalse=0AscanRemovableDevices=3Dtrue=0AscanWindowsKernelMemory=3Dfalse=0AscanLevel=3Dnormal=0AscanArchives=3Dfalse=0Adisinfect=3Dfalse=0AthreatAction=3Ddonothing=0Aexclude=3D/boot/efi/=0Aexclude=3D/dev/shm/=0Aexclude=3D/opt/app/oracle/=0Aexclude=3D/opt/shm/=0Aexclude=3D/opt/simpana/=0Aexclude=3D/oratemp/=0Aexclude=3D/run/=0Aexclude=3D/tmp/clamav*=0Aexclude=3D/tmp/hsperfdata_oracle/=0Aexclude=3D/tmp/odeiavir*=0Aexclude=3D/u01/app/=0Aexclude=3D/u02/oradata/=0Aexclude=3D/u03/oradata/=0Aexclude=3D/usr/local/pgsql/data/=0Aexclude=3D/usr/local/psa/=0Aexclude=3D/var/drweb/=0Aexclude=3D/var/hsphere/=0Aexclude=3D/var/lib/mysql/=0Aexclude=3D/var/lib/mysqlbackup/=0Aexclude=3D/var/lib/mysqllogs/=0Aexclude=3D/var/lib/mysqltmp/=0Aexclude=3D/var/lib/pgsql/=0Aexclude=3D/var/lock/=0Aexclude=3D/var/log/=0Aexclude=3D/var/named/chroot/=0Aexclude=3D/var/qmail/=0Aexclude=3D/var/run/=0Aexclude=3D/var/spool/=0Aexclude=3D/var/tmp/.oracle/=0Aexclude=3D/var/www/vhosts/system/*/logs/*log*=0Aexclude=3D/var/www/vhosts/system/*/statistics/logs/*log*=0Aexclude=3D/var/www/vhosts/*/logs/*_log*=0AwindowsExclusion=3DC:\Clusterstorage\=0AwindowsExclusion=3DC:\Imail\Imail\Spool\=0AwindowsExclusion=3DC:\inetpub\temp\IIS Temporary Compressed Files\=0AwindowsExclusion=3DC:\Program Files (x86)\Dell\=0AwindowsExclusion=3DC:\Program Files (x86)\Urchin\=0AwindowsExclusion=3DC:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\=0AwindowsExclusion=3DC:\Program Files\CommVault Systems\=0AwindowsExclusion=3DC:\Program Files\CommVault\=0AwindowsExclusion=3DC:\Program Files\Dell\=0AwindowsExclusion=3DC:\Program Files\Double-Take Software\=0AwindowsExclusion=3DC:\Program Files\DoubleTake\=0AwindowsExclusion=3DC:\Program Files\Exchsrvr\=0AwindowsExclusion=3DC:\Program Files\Ipswitch\=0AwindowsExclusion=3DC:\Program Files\LogMeIn\=0AwindowsExclusion=3DC:\Program Files\MegaRAID\=0AwindowsExclusion=3DC:\Program Files\Microsoft 
Monitoring Agent\=0AwindowsExclusion=3DC:\Program Files\Microsoft Office Servers\=0AwindowsExclusion=3DC:\Program Files\Microsoft System Center 2012 R2\Server\=0AwindowsExclusion=3DC:\Program Files\MxUptime\=0AwindowsExclusion=3DC:\Program Files\Operations Manager\=0AwindowsExclusion=3DC:\Program Files\Parallels\=0AwindowsExclusion=3DC:\Program Files\System Center Operations Manager 2007\=0AwindowsExclusion=3DC:\Program Files\System Center Operations Manager\=0AwindowsExclusion=3DC:\Program Files\Urchin\=0AwindowsExclusion=3DC:\ProgramData\Microsoft\SharePoint\=0AwindowsExclusion=3DC:\rs-pkgs\=0AwindowsExclusion=3DC:\SmarterMail\=0AwindowsExclusion=3DC:\System Volume Information\DFSR\=0AwindowsExclusion=3DC:\Sysvol\=0AwindowsExclusion=3DC:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\=0AwindowsExclusion=3DC:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\=0AwindowsExclusion=3DC:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\=0AwindowsExclusion=3DC:\Windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\=0AwindowsExclusion=3DC:\Windows\Microsoft.NET\Framework64\v2.0.50727\Config\=0AwindowsExclusion=3DC:\Windows\Microsoft.NET\Framework64\v2.0.50727\Temporary ASP.NET Files\=0AwindowsExclusion=3DC:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\=0AwindowsExclusion=3DC:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET 
Files\=0AwindowsExclusion=3DC:\Windows\NTDS\=0AwindowsExclusion=3DC:\Windows\SoftwareDistribution\Datastore\=0AwindowsExclusion=3DC:\Windows\System32\inetsrv\config\=0AwindowsExclusion=3DC:\Windows\System32\LogFiles\=0AwindowsExclusion=3DC:\Windows\Sysvol\=0AwindowsExclusion=3DC:\Windows\Syswow64\LogFiles\=0AwindowsExclusion=3DC:\Windows\Temp\Gthrsvc\=0AwindowsExclusion=3DC:\Winnt\Temp\Gthrsvc\=0AwindowsExclusion=3DHealthService.exe=0AwindowsExclusion=3DManagementService.exe=0AwindowsExclusion=3DMicrosoft.Mom.ConfigServiceHost.exe=0AwindowsExclusion=3DMicrosoft.Mom.Sdk.Service.exe=0AwindowsExclusion=3DMonitoringHost.exe=0AwindowsExclusion=3DMSMDSrv.exe=0AwindowsExclusion=3Dpagefile.sys=0AwindowsExclusion=3DReportingServicesService.exe=0AwindowsExclusion=3DSQLServr.exe=0AwindowsExclusion=3Dvmh.exe=0AwindowsExclusion=3Dvmms.exe=0AwindowsExclusion=3Dvmwp.exe=0AscanAll=3Dfalse=0AscanFilesWithoutExtension=3Dtrue=0AexcludeExtension=3DAVHD=0AexcludeExtension=3DAVHDX=0AexcludeExtension=3DBAK=0AexcludeExtension=3DCHK=0AexcludeExtension=3DFRM=0AexcludeExtension=3DFWD=0AexcludeExtension=3DGSC=0AexcludeExtension=3DGSE=0AexcludeExtension=3DLDF=0AexcludeExtension=3DLOG=0AexcludeExtension=3DMBX=0AexcludeExtension=3DMDF=0AexcludeExtension=3DMYD=0AexcludeExtension=3DMYI=0AexcludeExtension=3DNDF=0AexcludeExtension=3DSDS=0AexcludeExtension=3DSMD=0AexcludeExtension=3DTRN=0AexcludeExtension=3DUND=0AexcludeExtension=3DUNF=0AexcludeExtension=3DUNH=0AexcludeExtension=3DUNI=0AexcludeExtension=3DUNQ=0AexcludeExtension=3DUNS=0AexcludeExtension=3DVAC=0AexcludeExtension=3DVHD=0AexcludeExtension=3DVHDX=0AexcludeExtension=3DVMDX=0AexcludeExtension=3DVSV=0AexcludeExtension=3DWCI=0AexcludeExtension=3DEDB=0AdropFileCache=3Dtrue=0A
</RichElement>
</NamedScans>
</OnDemand>
<Notification>
<Notifiers>
<UI>
<Status>1</Status>
<popupNotification>1</popupNotification>
<ttynotification>1</ttynotification>
<Message>
<ContactMessage/>
</Message>
</UI>
<Email>
<EmailLanguage>english</EmailLanguage>
<SendScanErrorEmail>0</SendScanErrorEmail>
<Server/>
<Sender/>
<ReplyTo/>
<SendThreatEmail>0</SendThreatEmail>
<Status>0</Status>
<Message>
<ThreatMessage/>
<ScanErrorMessage/>
<LogMessage/>
</Message>
<Recipient>
<To/>
</Recipient>
</Email>
</Notifiers>
</Notification>
<DetectionFeedback>
<UploadFiles>1</UploadFiles>
</DetectionFeedback>
</ConsoleAV>
<ConsoleUpdate>
<Update>
<Primary>
<Source locked="true">
http://89.234.28.42/SophosUpdate/CIDs/S001/savlinux
</Source>
<Cache>/opt/sophos-av/update/cache/Primary</Cache>
<Username locked="true"/>
<Password locked="true"/>
<Proxy>
<Address locked="true"/>
<Username locked="true"/>
<Password locked="true"/>
</Proxy>
</Primary>
<Secondary>
<Source locked="true">
http://89.234.28.37/SophosUpdate/CIDs/S001/savlinux
</Source>
<Cache>/opt/sophos-av/update/cache/Secondary</Cache>
<Username locked="true"/>
<Password locked="true"/>
<Proxy>
<Address locked="true"/>
<Username locked="true"/>
<Password locked="true"/>
</Proxy>
</Secondary>
<PeriodMinutes locked="true">240</PeriodMinutes>
<EnableAutoUpdating locked="true">true</EnableAutoUpdating>
</Update>
</ConsoleUpdate>
<Machine/>
<User>
<OnAccess>
<Scanner>
<ThreatDetection>
<U32/>
</ThreatDetection>
</Scanner>
<Talpa>
<intercept-filters>
<VettingController>
<ops>-open</ops>
</VettingController>
</intercept-filters>
</Talpa>
<DisableFanotify>0</DisableFanotify>
<PreferFanotify>1</PreferFanotify>
</OnAccess>
<DetectionFeedback/>
<Update>
<PeriodMinutes>11</PeriodMinutes>
<Primary>
<Source>
http://89.234.28.37/SophosUpdate/CIDs/S001/savlinux/
</Source>
</Primary>
</Update>
<WebUI>
<Password>***</Password>
</WebUI>
</User>
</SophosAntiVirus>
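As an added example (not code from the question, nor from Sophos), here is a small Python audit script for the situation in this thread. It reads a savd.cfg-style XML like the one above and reports the two settings the question turns on: an `<ops>` value under Talpa/VettingController that contains `-open` (which, as the edit notes, leaves file opens unvetted, so a file written by an upload is only checked on read once it is removed), and on-access path exclusions that would cover the upload directory. It also parses savd log records of the shape shown in the edit into structured threat events, so a defender can see which path, threat name and operation triggered a denial. The sample config and log record are constructed, trimmed versions of the page's own; treating the top-level sections (Sophos, ConsoleAV, User) as independent layers and treating `<ops>` as a whitespace-separated list are assumptions, not documented Sophos behaviour.

```python
"""Audit a Sophos Anti-Virus for Linux savd.cfg for on-access settings that
would leave uploaded files unscanned, and parse savd threat log records.
Added example for this thread; not Sophos code."""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed sample, trimmed from the structure of the savd.cfg on the page.
SAMPLE_CFG = """<?xml version="1.0"?>
<SophosAntiVirus xmlns="savd.xsd">
  <Sophos>
    <OnAccess>
      <EnableOnStart>true</EnableOnStart>
      <Talpa><intercept-filters>
        <FilesystemExclusionProcessor><paths/></FilesystemExclusionProcessor>
      </intercept-filters></Talpa>
      <DisableFanotify>true</DisableFanotify>
      <PreferFanotify>false</PreferFanotify>
    </OnAccess>
  </Sophos>
  <ConsoleAV>
    <OnAccess>
      <Talpa><intercept-filters>
        <FilesystemExclusionProcessor>
          <paths>/var/log/</paths>
          <paths>/var/spool/</paths>
        </FilesystemExclusionProcessor>
      </intercept-filters></Talpa>
    </OnAccess>
  </ConsoleAV>
  <User>
    <OnAccess>
      <Talpa><intercept-filters>
        <VettingController><ops>-open</ops></VettingController>
      </intercept-filters></Talpa>
      <DisableFanotify>0</DisableFanotify>
      <PreferFanotify>1</PreferFanotify>
    </OnAccess>
  </User>
</SophosAntiVirus>
"""

# Constructed sample log record in the shape shown in the question's edit.
SAMPLE_LOG = """<log><category>log.threat</category><level>ERROR</level>
<domain>savscand</domain><msg>NOTIFY-THREAT-INFECTED-NO-ACCESSED-PATH</msg>
<time>1583232176</time><arg>/var/www/uploads/eicar</arg>
<arg>EICAR-AV-Test</arg><arg>OPERATION_OPEN</arg></log>"""


def _strip_ns(root):
    """Drop the xmlns="savd.xsd" prefix so tags can be matched by bare name."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def parse_cfg(text):
    return _strip_ns(ET.fromstring(text))


def ops_settings(root):
    """Return {layer: ops_text} for every Talpa VettingController <ops>.
    Assumption: each top-level child (Sophos, ConsoleAV, User, ...) is a layer."""
    found = {}
    for layer in root:
        for ops in layer.iter("ops"):
            found[layer.tag] = (ops.text or "").strip()
    return found


def exclusion_paths(root):
    """All non-empty FilesystemExclusionProcessor <paths> entries, any layer."""
    return [p.text.strip() for p in root.iter("paths") if p.text and p.text.strip()]


def is_excluded(path, exclusions):
    """True if path equals or lies under any excluded directory."""
    target = PurePosixPath(path)
    return any(target == PurePosixPath(ex) or PurePosixPath(ex) in target.parents
               for ex in exclusions)


def audit(text, upload_dir):
    """Findings relevant to uploads: 'open' not vetted, or upload dir excluded."""
    root = parse_cfg(text)
    findings = []
    for layer, ops in ops_settings(root).items():
        # Assumption: ops is a whitespace-separated list of (negated) operations.
        if "-open" in ops.split():
            findings.append(f"{layer}: ops excludes 'open'; files are not vetted on read")
    if is_excluded(upload_dir, exclusion_paths(root)):
        findings.append(f"{upload_dir} is under an on-access exclusion")
    return findings


def threat_events(log_text):
    """Parse concatenated <log> records into dicts; keeps only log.threat entries.
    The three <arg>s follow the page's record: path, threat name, operation."""
    root = ET.fromstring("<root>" + log_text + "</root>")
    events = []
    for rec in root.findall("log"):
        if rec.findtext("category") != "log.threat":
            continue
        args = [a.text for a in rec.findall("arg")]
        events.append({"time": int(rec.findtext("time")), "msg": rec.findtext("msg"),
                       "path": args[0], "threat": args[1], "operation": args[2]})
    return events


if __name__ == "__main__":
    for line in audit(SAMPLE_CFG, "/var/www/uploads"):
        print("finding:", line)
    for ev in threat_events(SAMPLE_LOG):
        print("threat:", ev["threat"], ev["path"], ev["operation"])
```

Point `audit()` at the text of the real /opt/sophos-av/etc/savd.cfg and the directory the upload script writes to; an `-open` finding matches the state of the question before the edit, and an empty finding list is the state the edit aimed for. The log parser is the piece to wire into alerting: an event with operation `OPERATION_OPEN` on a web-served path is exactly the denial the question observed with `cat`.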