Amavis/amavis-new is shipped on most distributions preconfigured with the ClamAV virus scanner and, although ClamAV can be configured to use additional signatures, amavis supports using multiple anti-virus programs to check incoming mail. Sophos is an anti-virus that has a free version available with no integrated support - however, the software comes in full form, with all signatures, and is able to scan mail attachments via amavis.
Extracting sav-linux-free-9.tgz to /opt/ will create the directory /opt/sophos-av, which should be renamed to /opt/sophos-av-install to prevent collisions with the Sophos installation. To install Sophos, change directory to /opt/sophos-av-install and issue:

    ./install.sh

and follow the instructions.
Next, change directory to /opt/sophos-av/update and issue:

    ./savupdate.sh

to update Sophos - this takes care of fetching the kernel module or compiling one locally.
Now that Sophos is installed at /opt/sophos-av, the dynamic interface (savdi) should be installed. Copy savdi-linux-64bit.tar to /opt/ and unpack the archive; unpacking should result in a directory created at /opt/savdi-install. To install, change directory to /opt/savdi-install and issue:

    ./savdi_install.sh

and follow the instructions.
The installation of savdi places files under /usr/local and should be configured for use with amavis. Create a backup of /usr/local/savdi/savdid.conf and replace the contents with the following:
    # location of Sophos installation
    virusdatadir: /opt/sophos-av/lib/sav
    idedir: /opt/sophos-av/lib/sav

    # PID file used for tracking daemon
    pidfile: /var/run/savdid/savdid.pid

    channel {
        commprotocol {
            type: UNIX
            socket: /var/run/savdid/savdid.sock
            user: amavis
            group: amavis
            requesttimeout: 120
            sendtimeout: 2
            recvtimeout: 5
        }
        scanprotocol {
            type: SOPHIE
            allowscandir: SUBDIR
            maxscandata: 500000
            maxmemorysize: 250000
            tmpfilestub: /tmp/savid_tmp
        }
        scanner {
            type: SAVI
            inprocess: YES
            maxscantime: 3
            maxrequesttime: 10
            deny: /dev
            deny: /home
            savigrp: GrpArchiveUnpack 0
            savigrp: GrpInternet 1
            savists: Xml 1
        }
    }

    log {
        # Specify the logging mechanism {CONSOLE|FILE|SYSLOG}
        type: FILE
        # Where to write the log files (if FILE is selected)
        logdir: /var/log/savdid/
        # Specify the level of logging required
        # 0 = errors+threats
        # 1 = (0) + process events
        # 2 = (1) + session events
        # Default is 2
        loglevel: 2
    }
The configuration will create a socket at /var/run/savdid/savdid.sock that can then be used by amavis to check mails for viruses. Some directories will have to be created, so issue:

    mkdir -p /var/run/savdid

to create the directory where the PID file (and the socket) will be created, and then issue:

    mkdir -p /var/log/savdid

to create the directory where savdid will place its log files.
For amavis to connect to Sophos, savdi has to run in the background; for that, an init script can be placed at /etc/init.d/savdid with the following contents:

    #! /bin/sh
    #
    # savdid    /etc/init.d/ initscript for savdid
    ### BEGIN INIT INFO
    # Provides:          savdid
    # Required-Start:    $syslog $network $local_fs $remote_fs
    # Required-Stop:     $syslog $network $local_fs $remote_fs
    # Should-Start:
    # Should-Stop:
    # Default-Start:     2 3 4 5
    # Default-Stop:      0 1 6
    # Short-Description: Starts savdid AntiVirus
    # Description:       Launches the savdid AntiVirus daemon
    ### END INIT INFO

    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    DAEMON=/usr/local/bin/savdid
    NAME=savdid
    DAEMONNAME=savdid
    DESC=savdid
    PIDFILE=/var/run/savdid/${NAME}.pid

    . /lib/lsb/init-functions

    test -f ${DAEMON} || exit 0

    set -e

    START="--start --quiet --pidfile $PIDFILE --exec ${DAEMON}"
    STOP="--stop --quiet --pidfile $PIDFILE"
    PARAMS="-d -c /usr/local/savdi/savdid.conf"

    case "$1" in
      start)
        echo -n "Starting $DESC: "
        mkdir -p /var/run/savdid
        if start-stop-daemon ${START} -- ${PARAMS} >/dev/null ; then
            echo "savdid."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(failed)."
                exit 1
            else
                echo "(already running)."
                exit 0
            fi
        fi
        ;;
      stop)
        echo -n "Stopping $DESC: "
        if start-stop-daemon ${STOP} --retry 10 >/dev/null ; then
            echo "savdid."
        else
            if start-stop-daemon --test ${START} >/dev/null 2>&1; then
                echo "(not running)."
                exit 0
            else
                echo "(failed)."
                exit 1
            fi
        fi
        ;;
      restart|force-reload)
        $0 stop
        exec $0 start
        ;;
      status)
        status_of_proc -p $PIDFILE $DAEMON $NAME && exit 0 || exit $?
        ;;
      *)
        N=/etc/init.d/savdid
        echo "Usage: $N {start|stop|restart|force-reload|status}" >&2
        exit 1
        ;;
    esac

    exit 0
and issue:

    update-rc.d savdid defaults
    systemctl daemon-reload

to register the script and reload all the daemons, followed by:

    systemctl start savdid

to start the dynamic interface.
Configuring amavis to use the Sophos dynamic interface to scan for viruses can be done by editing /etc/amavis/conf.d/15-av_scanners and finding the Sophos configuration:

    # ### http://www.clanfield.info/sophie/ (http://www.vanja.com/tools/sophie/)
    # ['Sophie',
    #   \&ask_daemon, ["{}/\n", '/var/run/sophie'],
    #   qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
    #   qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
Not much has to be changed: the entry must be uncommented and made to point to the dynamic interface socket:

    ['Sophie',
      \&ask_daemon, ["{}/\n", '/var/run/savdid/savdid.sock'],
      qr/(?x)^ 0+ ( : | [\000\r\n]* $)/m,  qr/(?x)^ 1 ( : | [\000\r\n]* $)/m,
      qr/(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $/m ],
Note that the trailing comma after the entry lets you configure as many anti-virus programs as you like - on Debian the next entry in the list is ClamAV, and amavis will use all the configured anti-virus programs.
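As an added example (not from the original page, nor from amavis or Sophos), the following Python client sends the same request amavis sends over the socket configured above (a directory path followed by a newline) and classifies the reply with the same three patterns from the amavis entry, which gives a quick way to confirm that savdid answers before live mail is routed through it. It assumes the socket path /var/run/savdid/savdid.sock from the savdid.conf above and takes the directory to scan as its first argument.

```python
import re
import socket
import sys

# Socket path from the savdid.conf above (assumed unchanged).
SAVDID_SOCKET = "/var/run/savdid/savdid.sock"

# Reply patterns as used by the amavis 'Sophie' entry: clean, infected, name.
CLEAN_RE = re.compile(r"(?x)^ 0+ ( : | [\000\r\n]* $)", re.M)
INFECTED_RE = re.compile(r"(?x)^ 1 ( : | [\000\r\n]* $)", re.M)
NAME_RE = re.compile(r"(?x)^ [-+]? \d+ : (.*?) [\000\r\n]* $", re.M)

def parse_reply(reply: str) -> tuple[str, str]:
    """Classify a raw Sophie reply the way amavis does: returns (verdict, detail),
    verdict being 'clean', 'infected' or 'error', detail the text after the colon."""
    if CLEAN_RE.search(reply):
        return ("clean", "")
    m = NAME_RE.search(reply)
    detail = m.group(1) if m else reply.strip()
    if INFECTED_RE.search(reply):
        return ("infected", detail)
    # Anything else (for example "-1:...") is a scanner failure; amavis then
    # moves on to the next primary scanner, or to the backup ones if all fail.
    return ("error", detail)

def query_savdid(path: str, sock_path: str = SAVDID_SOCKET, timeout: float = 30.0) -> str:
    """Send one request (path plus newline, like amavis' "{}/\\n") and return the raw reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall((path + "\n").encode())
        buf = b""
        # The Sophie reply is a single line: stop at the newline or at EOF.
        while b"\n" not in buf:
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return buf.decode(errors="replace")

if __name__ == "__main__":
    # amavis always hands over a directory, so pass one with a trailing slash.
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp/"
    verdict, detail = parse_reply(query_savdid(target))
    print(verdict, detail)
    sys.exit(0 if verdict == "clean" else 1)
```

Run it as the amavis user, since the configuration above hands the socket to user and group amavis; a path under one of the deny: prefixes in savdid.conf will not be scanned.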
Additionally, when all primary anti-virus programs fail, amavis can run backup programs to ensure that an e-mail is still checked. Sophos is disabled by default due to the command-line program sweep clashing with an audio-related tool. Edit /etc/amavis/conf.d/15-av_scanners and enable Sophos sweep by uncommenting the following lines:

    ['Sophos Anti Virus (sweep)', 'sweep',
      '-nb -f -all -rec -ss -sc -archive -cab -mime -oe -tnef '.
      '--no-reset-atime {}',
      [0,2], qr/Virus .*? found/m,
      qr/^>>> Virus(?: fragment)? '?(.*?)'? found/m,
    ],
Although the free version of Sophos is not supported, all scripts for updating Sophos are already provided and just need to be hooked into the system. The Sophos Anti-Virus install contains a script at /opt/sophos-av/update/savupdate.sh that can simply be called periodically from cron to update Sophos. Create a file at /etc/cron.daily/sophos-update with the following contents:

    #! /bin/bash
    # run the updater quietly so that cron does not mail its output
    /opt/sophos-av/update/savupdate.sh >/dev/null 2>&1

that will automatically trigger the Sophos update script daily. Finally, issue:

    chmod +x /etc/cron.daily/sophos-update

to make the script executable.
Wizardry and Steamworks provides templates for monitoring savdid that can be installed and enabled in order to make sure that monit handles unexpected terminations of savdid in case of errors.