As part of the version 9.7 release of Sophos Anti-Virus for Linux and Unix we are adding the capability for the product to ‘phone-home’ some product and platform details. This will allow Sophos to optimise the product and improve our internal testing, with the overall aim being to improve the product and user experience.
The default option on installation is for the product to phone-home. We understand some customers may wish to turn this off, however Sophos would ask you to leave this option on to allow us to improve the product. Phone-home can be turned off at any time by running the following command:
/opt/sophos-av/bin/savconfig set DisableFeedback true
The product will ‘phone home’ roughly once per week: each attempt is scheduled 6 days after the previous one plus a random interval of up to 2 days, so that multiple machines do not all attempt to phone home at the same time.
The data sent is an encrypted file of 1.6 Kb – 2.6 Kb in size, uploaded to a write-only Sophos secure location. The raw data is removed within 3 months; only aggregated reports persist beyond that period.
Which versions of Sophos Anti-virus does this apply to?
This applies to Sophos Anti-Virus for Linux and Unix version 9.7 and above.
What data are Sophos gathering?
Sophos are gathering data on 5 key areas:
- Sophos Information – version of SAV and hashed data to avoid duplication
- System Information – OS, Kernel, architecture, distribution
- On-Access Information – Fanotify vs Talpa and which on-access options are in use
- SAV Configuration Information – If Web-UI, e-mail or management is being used etc…
- Server Type Information – The applications in use on this server
Why are Sophos gathering this data?
To better understand how our customers are using the features of the product we deliver.
This data will allow us to improve our testing of the product based on actual customer usage, optimise the product, and look to add new features based on how customers are using the existing feature set.
How is this data being used?
The data will be aggregated into a set of reports which we can use over time to assess the uptake of features, distributions, and new product versions.
Can you use this data to identify people/machines?
No – there is no mechanism in place to allow any trace-back to specific machines or customers. All data is formed into aggregated reports and the raw data is deleted within 3 months of receipt.
Will this data be passed along to other parties?
No! This data is being used for improving the Linux/Unix products internally to Sophos, only the Sophos development team will have access to this data. All data is encrypted before being sent to Sophos, and only the development team can decrypt and use this data.
Full details of the data being collected are shown in the table below:
| Data Description | Data summary |
| --- | --- |
| SAV for Linux product and version | Version number of SAV for Linux installed |
| Customer ID | A hash of the customer identifier, to avoid data duplication |
| Machine ID | A hash of the machine ID reported |
| OS Name | Linux or Unix |
| Kernel Version | The version of the Linux kernel running on the system |
| Architecture | Hardware architecture and processor type: x86, i386, x64, IA64, ppc etc. |
| Distro Information | Distribution ID (e.g. Ubuntu), distribution release (e.g. 12.04), distribution codename (e.g. precise), distribution description (e.g. Ubuntu 12.04.4 LTS) |
| Time | Local time on the system (to avoid duplication) |
| Time-Zone | Time-Zone, to identify the geographic spread of Linux/Unix usage |
| System Memory | Total memory in use on the system |
| On-Access Enabled | True/False: is the customer using on-access scanning |
| On-Access Method | Which on-access method is in use: Fanotify/Talpa |
| On-Access Open | True/False: is on-access checking on file open |
| On-Access disinfect/cleanup | True/False: is clean-up in use |
| On-Access delete | True/False: is the product set to delete infected files on detection |
| Talpa Type | Locally Compiled, Custom TBP or Talpa Binary Pack in use |
| Live-Protection Enabled | True/False: is Live-Protection (SXL) enabled |
| No. of On-Access Exclusions | Integer giving the number of exclusions specified |
| Download all Distros | True/False: does the system download all binary packs for all distributions of Linux |
| No. of local scheduled scans | Integer giving the number of scheduled scans specified |
| Update success/failure | True/False for update success |
| Update config source | Is the system using its Primary, Secondary or Backup update source |
| Extra Files configured | True/False: is the extra files option in use |
| WebUI enabled | True/False: is the web UI enabled |
| WebUI log size | Size of the web UI log, to show whether it is used |
| Reported through Proxy | True/False: was the endpoint behind a proxy |
| E-mail Notifications enabled | True/False: is e-mail notification enabled |
| Last Updated | Integer giving the number of days since the last update |
| Managed | True/False: is the system managed by SEC |
| Firefox running | True/False: is Firefox running on the system |
| Chrome running | True/False: is Chrome running on the system |
| MySQL running | True/False: is MySQL running on the system |
| X running | True/False: is X running on the system (graphical interface) |
| Postgres running | True/False: is Postgres running on the system |
| Oracle DB running | True/False: is Oracle DB running on the system |
| Apache running | True/False: is Apache running on the system |
| PureMessage installed | True/False: is PureMessage running on the system |
| SAVDI installed | True/False: is SAVDI running on the system |
| SELinux Enabled | True/False: is SELinux enabled on the system |
| VMType | Whether the system is running in a virtual machine, if this can be detected |
From version 9.8.3 and above the following data will also be collected:
| Data Description | Data summary |
| --- | --- |
| Virus Data version | Version number of the Virus Data in use by SAV for Linux |
| Virus Engine version | Version number of the Virus Engine in use by SAV for Linux |
| CPU Type | CPU type and model |
| CPU Cores | Number of cores present in the CPU |
| | The length of time the system has been running for between reboots |
| On-Access Archives | True/False: is the product set to scan archives on-access |
| Update Policy | Whether the customer is using Preview, Recommended or Previous |
| Management Type | Which management system (SEC/Cloud) is in use |
| Regression Suite | Whether the results are being reported as part of our internal testing |
| | True/False: is AppArmor running on the system |
| | True/False: is CIFS running on the system |
| | True/False: is the CIFS port open on the system |
| | True/False: is the NFS port open on the system |
| | True/False: is NFSv3 in use on the system |
| | True/False: is NFSv4 in use on the system |
| | True/False: is the HTTPS port open on the system |
| | Filesystem type for the root partition on the system |
| | True/False: is Tripwire running on the system |
From version 9.11 and above the following additional data will also be collected:
| Data Description | Data summary |
| --- | --- |
| License Information | Where updating from Sophos, this gives the license in use |
| System Update Sources | The update sources in use on the system |
| Last Talpa Build Failure | Returns the error code for the last Talpa build failure, if applicable |
| Containers | True/False: are containers in use on the system |
| Number of AppArmor Policies | The number of AppArmor policies in use |
| AuditD installed | True/False: is AuditD installed on the system |
| Conntrack installed | True/False: is Conntrack installed on the system |
| IPTables installed | True/False: is IPTables installed on the system |
| Number of IPtables Rules | The number of firewall rules used by IPtables |
| Perf installed | True/False: is Perf installed on the system |
| SystemTap installed | True/False: is SystemTap installed on the system |
| TCPFile installed | True/False: is TCPFile installed on the system |
What logging is generated for this feature?
Phone home logging is stored on the endpoint in:
What information is shown in the logs?
A successful log entry looks like this:
2014-08-19 09:59:22.724819: Preparing feedback data
2014-08-19 09:59:23.430645: Using custom feedback host: localhost:8083
2014-08-19 09:59:23.433375: Sending feedback
2014-08-19 09:59:23.433395: trying with noproxy: proxy (from environment)
2014-08-19 09:59:23.437320: Success
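As an added example (not Sophos' own code), the following Python parses feedback log entries in the format shown above into individual attempts, reports whether the latest attempt succeeded and which host it was sent to, and computes the window in which the next attempt should appear under the 6-days-plus-up-to-2-days schedule described earlier. The log text embedded in it is constructed sample data: the first entry is the successful one from this article, the second is a made-up failed attempt, and its "Failed to send feedback" line is an assumption, since the article shows only a successful entry.

```python
# Added example (not Sophos' code): audit SAV for Linux phone-home log lines.
# Assumes the "<timestamp>: <message>" format shown in the article, with each
# attempt opening with "Preparing feedback data" and a successful attempt
# ending with "Success". The failure line in the sample data is constructed.
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{6}): (.*)$")
TIMESTAMP_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed sample log: the five-line successful entry from the article,
# followed by a second, failed attempt whose last line is made up here.
SAMPLE_LOG = """\
2014-08-19 09:59:22.724819: Preparing feedback data
2014-08-19 09:59:23.430645: Using custom feedback host: localhost:8083
2014-08-19 09:59:23.433375: Sending feedback
2014-08-19 09:59:23.433395: trying with noproxy: proxy (from environment)
2014-08-19 09:59:23.437320: Success
2014-08-26 14:12:01.000001: Preparing feedback data
2014-08-26 14:12:01.500000: Sending feedback
2014-08-26 14:12:02.000000: trying with noproxy: proxy (from environment)
2014-08-26 14:12:32.000000: Failed to send feedback (constructed failure line)
"""


@dataclass
class Attempt:
    """One phone-home attempt: every line from 'Preparing feedback data'
    up to (not including) the next such header."""
    started: datetime
    messages: list = field(default_factory=list)
    host: Optional[str] = None   # set when a custom feedback host is logged
    succeeded: bool = False      # True only when the attempt logs 'Success'


def parse_feedback_log(text: str) -> list[Attempt]:
    """Group timestamped log lines into attempts."""
    attempts: list[Attempt] = []
    current: Optional[Attempt] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # skip anything that is not a timestamped log line
        ts = datetime.strptime(m.group(1), TIMESTAMP_FMT)
        msg = m.group(2)
        if msg == "Preparing feedback data":
            current = Attempt(started=ts)
            attempts.append(current)
        if current is None:
            continue  # lines before the first attempt header
        current.messages.append(msg)
        if msg.startswith("Using custom feedback host: "):
            current.host = msg.split(": ", 1)[1]
        elif msg == "Success":
            current.succeeded = True
    return attempts


def next_window(last_started: datetime) -> tuple[datetime, datetime]:
    """Earliest and latest time of the next phone-home under the article's
    schedule: 6 days after the last attempt plus up to 2 random days."""
    return last_started + timedelta(days=6), last_started + timedelta(days=8)


def audit(text: str) -> dict:
    """Summary an administrator can check: counts, last result, custom hosts,
    and when the next attempt is expected."""
    attempts = parse_feedback_log(text)
    last = attempts[-1] if attempts else None
    return {
        "attempts": len(attempts),
        "successes": sum(a.succeeded for a in attempts),
        "last_succeeded": last.succeeded if last else None,
        "custom_hosts": sorted({a.host for a in attempts if a.host}),
        "next_window": next_window(last.started) if last else None,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To use it on a real endpoint, read the feedback log file and pass its contents to `audit()`. A host in `custom_hosts` that you did not configure, or a last attempt that did not succeed, is what an administrator would want to follow up on; an attempt that starts well outside `next_window` suggests the schedule or the clock is not what you expect.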
Do the logs reset/rotate?
No. Feedback attempts only happen once per week, and each one writes only 5 lines, so it would take many years for the log to become large enough to require rotation.