Is it possible to delete files immediately once they have been detected as a virus?

For now it only deletes files on open, but I want to know if it is also possible to delete immediately after detection. I'm using the free Sophos antivirus software on a CLI server, so no GUI, on CentOS 6.

 

I use software where you can upload files, which will be stored on a file server. When a virus is uploaded the file does get deleted but if you want to open the file in the program (at this point the file gets deleted) it keeps loading until a timeout. When you want to open it a second time then there is a message of a missing file. So I want the file deleted immediately so the user gets the message of missing file immediately.

 

Thanks!



This thread was automatically locked due to age.
  • Hello Hoxe Wekuto,

    I'm not sure I understand the sequence of events. You are using On-Access (Talpa or Fanotify?) scanning? AFAIK Sophos scans on open and on close. In the latter case it can't perform cleanup (disinfect/delete) - please see chapter 15.5 in the Configuration Guide.
    Can't say though why the first open by the program times out - whether cleanup or delete kicks in upon a detection the open request should be denied.

    Christian

  • Thanks for your reply!

     

    I already read the configuration guide, but I thought maybe I missed something. I'm using Talpa on-access scanning.

    I think the program times out, because when the user clicks to open the file, the file still exists. And after the request the file gets deleted so the program doesn't know the file isn't there anymore and still tries to contact it. Only on the second try the file is already deleted before the user clicks to open it (the request) so the program can give the message back that the file is not available. That's why I wanted on-write deletion, so the file gets deleted immediately, and the user gets the message on first try.

     

    Kind regards,

    Hoxe Wekuto

  • Hello Hoxe Wekuto,

    an open (for read) of a file triggering a detection should fail, or at least a subsequent attempt to read its contents. Doesn't matter what the scanner does in response to the detection. If you don't configure cleanup, access is simply blocked. A repeated open will fail in the same manner. It's AFAIK not supposed to principally cause a timeout. Guess it depends on the program's "expectations" and how it handles the error.

    Christian    

  • Sophos is configured correctly, it correctly deletes malicious software files on-access. It's just that it would be better if it was able to delete files on-write, but since you said it isn't available, I guess it stops here.

     

    Thanks for your help though!

  • Hello Hoxe Wekuto,

    as for an application's behaviour, did some tests with gedit and the EICAR Anti-Malware Testfile. If you insert the string and Save the file gedit tries to read it back. There's a considerable delay and the subsequent behaviour depends on automatic cleanup. If disabled it looks like the file has been saved (indeed it has), a subsequent Save attempt though results in a Could not be saved error. If cleanup is enabled the first Save results in a Not found error.
    There are practically no AV-aware applications and file-systems (regardless of the OS). AV-aware in the sense that both the file system and the application can gracefully handle surprisingly blocked and suddenly disappearing files. You see the issues with delete on open. Failing the close or deleting after close could have worse consequences (at least IMO, maybe can give more information). And only specialized applications make use of write only files.

    Christian 

  • Yes that is the same result I got when I tested with the EICAR string. I just want the file to be deleted after it is written (or saved in this case), which is not possible.
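
The read-back behaviour described in this thread (the scanner acts on open, and gedit's read-back after Save is what surfaced the detection), as an added example that is not part of any post and is not Sophos code: an upload handler that re-opens each file once right after writing it, so a detection shows up at upload time instead of on the user's first open. The function names, the `read_opener` hook, and the mapping of a scanner block to a permission error and of cleanup to a missing file are assumptions; the two `simulate_*` helpers are constructed stand-ins for the scanner.

```python
import errno
import os
import tempfile

STORED, BLOCKED, REMOVED = "stored", "blocked", "removed"


def store_upload(data, dest, read_opener=None):
    """Write an upload, then read it back once so an on-access scanner
    that acts on open is triggered before any user requests the file."""
    with open(dest, "wb") as fh:
        fh.write(data)
        fh.flush()
        os.fsync(fh.fileno())
    # The file is closed here; the re-open below is the scan trigger.
    try:
        with open(dest, "rb", opener=read_opener) as fh:
            # Read the contents too: a block may only show up on read.
            while fh.read(1 << 16):
                pass
    except FileNotFoundError:
        return REMOVED   # assumption: cleanup deleted the file on open
    except PermissionError:
        return BLOCKED   # assumption: access denied, file left in place
    return STORED


# Constructed stand-ins for the scanner, usable as read_opener.
def simulate_block(path, flags):
    raise PermissionError(errno.EACCES, "blocked (simulated)", path)


def simulate_cleanup(path, flags):
    os.remove(path)
    raise FileNotFoundError(errno.ENOENT, "removed (simulated)", path)


if __name__ == "__main__":
    target = os.path.join(tempfile.mkdtemp(), "upload.bin")
    for opener in (None, simulate_block, simulate_cleanup):
        print(store_upload(b"sample upload", target, read_opener=opener))
```

The caller can turn `BLOCKED` or `REMOVED` into an immediate "file not available" response to the uploader, and should unlink or mark a `BLOCKED` file itself when automatic cleanup is disabled.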