Mount fails with 'protocol driver not attached.' when Sophos Anti-Virus 9.5.1 for Linux is installed

  • Article ID: 120622
  • Updated: 22 Apr 2014


  • You may have been redirected to this article from article number 162622. This is due to a change in article number.
  • Extended support for SAV for Linux 9.4.1 and 9.5.0 is being provided as a workaround for customers who experience the mount point issue described in this article but do not wish to upgrade to 9.6.1 immediately.


Attempting to mount a drive on a Linux computer with Sophos Anti-Virus version 9.5.1 (with engine version 3.50) fails, and the messages syslog contains output resembling the following:

<> kernel: savscand[x]: segfault at 0000000041b54000 rip 00002b9fa0047578 rsp 0000000041b53ab0 error 6
<kern.warn> kernel: talpa-vetting: [x] Abnormal client exit!
<kern.warn> kernel: talpa-vetting: [x] Abnormal client exit!
<kern.warn> kernel: talpa-vetting: [x] Abnormal client exit!
<kern.warn> kernel: talpa-vetting: [x] Abnormal client exit!
<kern.warn> kernel: talpa-vetting: [x] Abnormal client exit!
<daemon.err> savd: savd.scanner.died: A scan processor unexpectedly terminated with signal: SIGSEGV.

Where [x] represents the process id.

The mount command may also output a generic error:

mount: protocol driver not attached.
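
The syslog signature shown above can be checked for mechanically. The following is an added example, not part of the original article and not Sophos code: a POSIX shell function that counts the three messages in a log file and reports whether the full signature is present. The function names and the sample log lines (host name, timestamps, PIDs) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Sophos code): look for the crash signature quoted above
# in a syslog file. Patterns are derived from the article's log excerpt.
SEGV_RE='kernel: savscand\[[0-9]+\]: segfault at '
TALPA_RE='kernel: talpa-vetting: \[[0-9]+\] Abnormal client exit!'
SAVD_RE='savd: savd\.scanner\.died: .*SIGSEGV'

# count_matches REGEX FILE -> number of matching lines (0 if none)
count_matches() {
    n=$(grep -c -E -e "$1" "$2" 2>/dev/null || true)
    echo "${n:-0}"
}

# sav_crash_signature FILE
# Prints per-message counts; returns 0 only if all three messages are present,
# 1 if the signature is incomplete, 2 if the file cannot be read.
sav_crash_signature() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    segv=$(count_matches "$SEGV_RE" "$1")
    talpa=$(count_matches "$TALPA_RE" "$1")
    savd=$(count_matches "$SAVD_RE" "$1")
    echo "savscand_segfault=$segv talpa_abnormal_exit=$talpa scanner_died=$savd"
    if [ "$segv" -gt 0 ] && [ "$talpa" -gt 0 ] && [ "$savd" -gt 0 ]; then
        return 0
    fi
    return 1
}

# write_sample_log FILE: constructed log lines (host, times and PIDs made up);
# the last line is an unrelated segfault that must not count as a match.
write_sample_log() {
    cat > "$1" <<'EOF'
Apr 10 09:14:02 host1 kernel: savscand[4321]: segfault at 0000000041b54000 rip 00002b9fa0047578 rsp 0000000041b53ab0 error 6
Apr 10 09:14:02 host1 kernel: talpa-vetting: [4321] Abnormal client exit!
Apr 10 09:14:02 host1 kernel: talpa-vetting: [4321] Abnormal client exit!
Apr 10 09:14:03 host1 savd: savd.scanner.died: A scan processor unexpectedly terminated with signal: SIGSEGV.
Apr 10 09:20:11 host1 kernel: otherd[77]: segfault at 0000000000000010 rip 0000000000400a10 rsp 00007fff00000000 error 4
EOF
}

# Demo on the constructed sample
sample=$(mktemp)
write_sample_log "$sample"
sav_crash_signature "$sample" || true
rm -f "$sample"
```

To check a real system, pass the path of the messages log to sav_crash_signature (the exact path, for example /var/log/messages, depends on the distribution and is an assumption here).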

The savd.log file contains the following:


First seen in
Sophos Anti-Virus for Linux 9.5.1

Operating systems

Technical details

The following steps can be used to determine if the Linux computer is affected by this issue:

  1. Check the device name mapped to ‘/’ with the following command.
    mount | grep ' / '
    Example: /dev/sda11
  2. Remove the last character from the device name found in step 1.
    mount | grep ' / ' | awk '{ sub(/.$/,"",$1); print $1 }'
    Example: /dev/sda11 -> /dev/sda1
  3. Check if the device exists.
    mount | grep ' / ' | awk '{ sub(/.$/,"",$1); print $1 }' | xargs ls
  4. If Step 3 is true, then check if the device name matches the standard Linux name convention as follows (If it is false then you won't be affected):


    This script can also determine this:

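    # Root device name with its last character removed (steps 1 and 2)
    str=$(mount | grep ' / ' | awk '{ sub(/.$/,"",$1); print $1 }')
    # Step 3: does the shortened device name exist?
    ls "$str"
    if [ $? -eq 0 ]; then
        # Step 4: does it match the standard device name convention?
        echo "$str" | grep -w '/dev/[she]d[a-z]'
    fi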

  5. If Step 4 is false, then this issue will occur (If it is true, then you will not be affected).

What To Do

Disable bootsector scanning

To work around the issue, you can exclude mounted and un-mounted drives from on-access bootsector scanning by applying the following savconfig change in a terminal session:

/opt/sophos-av/bin/savconfig set OnAccessOperations -- -mount -umount

Note: This parameter will need to be removed manually in order to restore bootsector scanning after the issue has been fixed.

Engine fix release schedule

Sophos plan to release the virus engine fix in April to both Recommended and Preview package subscription lines in Sophos Update Manager (SUM).

If you need more information or guidance, then please contact technical support.
