Rolling out a custom TBP to multiple computers with Sophos Anti-Virus for Linux v 9

  • Article ID: 118374
  • Updated: 11 Oct 2013

Sophos does not provide TBPs (Talpa Binary Packs) for all Linux kernels. This article describes how to install the necessary prerequisites and create TBPs for other kernels, without the need to install additional tools on each computer.

Note: This procedure is only necessary if you are using Talpa as the on-access scanning method. An alternative method (Fanotify) is available for customers running 2.6.38+:

Summary of procedure:
  1. Build the TBP on one computer (let's call it the 'Primary client') with all prerequisites installed.
  2. Add the custom TBP you have just created to one of the following:
    • Option 1 - a Unix/Linux-mounted CID
    • Option 2 - the 'Primary client' cache directory.
  3. Other computers (let's call them 'Secondary clients') that use the same kernel can then use either of these as an update source. 
  4. These 'Secondary clients' don't have to build their own TBPs, they can just use the TBP built by the Primary client, provided they use the same kernel.

What To Do

  1. Make sure all requirements mentioned in the knowledgebase article Sophos Anti-Virus for Linux: Using a custom built or unsupported kernel are fulfilled.
  2. Install Sophos Anti-Virus on your 'Primary client'. (If it is already installed you do not need to re-install.)
  3. Run the command /opt/sophos-av/engine/talpa_select select

    This builds a custom TBP which should be located in /opt/sophos-av/talpa/compiled. It will be called something like talpa-binpack-centos_2.6.18-164.11.1.el5.tar.gz

  4. Now follow either Option 1 or Option 2.

Option 1. Add a TBP to a Unix/Linux-mounted CID:

  1. Mount your CID from the Primary client. For the purposes of this example, let's assume you use SUM and have mounted the CID to /opt/SUM
    • Example 1: Set up a SAMBA server on your Unix/Linux Machine. Configure SUM to use it as a custom CID location (Refer to SUM manual for further details).
    • Example 2: Use smbmount to mount the default CID location on a SUM machine to your Unix/Linux machine. Make sure it is mounted writeable.
  2. Use the addextra command to add TBPs to the CID.  For example:  

    /opt/sophos-av/update/addextra /opt/sophos-av/talpa/compiled/talpa-binpack-centos_2.6.18-164.11.1.el5.tar.gz /opt/SUM/CIDs/S000/savlinux/ --signing-key=/root/certificates/extrafiles-signing.key --signing-certificate=/root/certificates/extrafiles-signing.crt

    NB.  An article explaining how to generate the signing certificates for use with addextra can be found here

    This command will add the TBP to /opt/SUM/CIDs/S000/savlinux/talpa-custom

  3. Point Secondary clients to this CID as their update location.
Option 2 - Add a TBP to the Primary Client's local cache directory:
  1. Use the addextra command to add TBPs to the local cache directory:

    /opt/sophos-av/update/addextra /opt/sophos-av/talpa/compiled/talpa-binpack-centos_2.6.18-164.11.1.el5.tar.gz /opt/sophos-av/update/cache/Primary/ --signing-key=/root/certificates/extrafiles-signing.key --signing-certificate=/root/certificates/extrafiles-signing.crt

    NB. An article explaining how to generate the signing certificates for use with addextra can be found here

    This command will add the TBP to the local cache directory /opt/sophos-av/update/cache/Primary/talpa-custom

  2. Use rsync or cp to create a local copy of /opt/sophos-av/update/cache/Primary at an alternative location on the Primary client's hard disk. This can be automated via script.

  3. Use a third-party means (for example, NFS, SAMBA, or HTTP) to share this copy of the local cache and point 'Secondary clients' to it as their update location

  4. By default, a client (whether primary or secondary) will only download the TBPs it needs to activate its own on-access scanning. This is done to save bandwidth and disk space. Therefore, you may want the primary client to download and store TBPs for all supported kernels automatically. See the article: Hosting Talpa Binary Packs for all kernels/distributions.

Troubleshooting:

  • If 'Secondary clients' fail to use the TBP provided by the above method, check the following:
    • Ensure the Secondary client's local cache directory contains the TBP:
      ls /opt/sophos-av/talpa/custom
    • Ensure the Secondary client is using the same kernel as the Primary client. Compare the output of ls /opt/sophos-av/talpa/custom with the output of /opt/sophos-av/engine/talpa-select requiredpackname.

      If a different kernel is being used you must create another TBP for this Secondary client. You can use the above procedure to add this to your CID to provide a TBP for other computers with the same kernel.
  • If it still fails please contact Sophos Technical Support.

 

 
If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent

Comments