Sophos Anti-Virus for Linux/Unix: Phone-home data FAQs

  • Article ID: 121214
  • Updated: 11 Dec 2015

As part of the version 9.7 release of Sophos Anti-Virus for Linux and Unix we are adding the capability for the product to ‘phone-home’ some product and platform details. This will allow Sophos to optimise the product and improve our internal testing, with the overall aim being to improve the product and user experience.

The default option on installation is for the product to phone-home. We understand that some customers may wish to turn this off; however, Sophos would ask you to leave this option on to allow us to improve the product. Phone-home can be turned off at any time by running the following command:

/opt/sophos-av/bin/savconfig set DisableFeedback true

The product will ‘phone home’ once per week: after a fixed interval of 6 days plus a random interval of up to 2 days, so that multiple machines do not attempt to phone home at the same time.
The data sent is an encrypted file of 1.6 Kb – 2.6 Kb in size, uploaded to a write-only Sophos secure location; the raw data is removed within 3 months, and only aggregated reports persist beyond that period.

Which versions of Sophos Anti-virus does this apply to?

This applies to Sophos Anti-Virus for Linux and Unix version 9.7 and above.

What data are Sophos gathering?

Sophos are gathering data on 5 key areas:

  • Sophos Information – version of SAV and hashed data to avoid duplication
  • System Information – OS, Kernel, architecture, distribution
  • On-Access Information – Fanotify vs Talpa and which on-access options are in use
  • SAV Configuration Information – If Web-UI, e-mail or management is being used etc…
  • Server Type Information – The applications in use on this server

Why are Sophos gathering this data?

To better understand how our customers are using the features of the product we deliver.

This data will allow us to improve our testing of the product based on actual customer usage, optimise the product, and look to add new features based on how customers are using the existing feature set.

How is this data being used?

The data will be aggregated into a set of reports which we can use over time to assess the uptake of features, distributions, and new product versions.

Can you use this data to identify people/machines?

No – there is no mechanism in place to allow any trace-back to specific machines or customers. All data is formed into aggregated reports and the raw data is deleted within 3 months of receipt.

Will this data be passed along to other parties?

No! This data is used only for improving the Linux/Unix products internally at Sophos, and only the Sophos development team will have access to it. All data is encrypted before being sent to Sophos, and only the development team can decrypt and use this data.

Full details of the data being collected are shown in the list below (data item – data summary):

  • SAV for Linux product and version – Version number of SAV for Linux installed
  • Customer ID – A hash of the customer identifier to avoid data duplication
  • Machine ID – A hash of the machine ID reported
  • OS Name – Linux or Unix
  • Kernel Version – The version of the Linux kernel running on the system
  • Architecture – Hardware architecture and processor type: x86, i386, x64, IA64, ppc etc.
  • Distro Information – Distribution ID (e.g. Ubuntu), distribution release (e.g. 12.04), distribution codename (e.g. precise) and distribution description (e.g. Ubuntu 12.04.4 LTS)
  • Time – Local time on the system (to avoid duplication)
  • Time-Zone – Time-Zone to identify geographic spread of Linux/Unix usage
  • System Memory – Total memory in use on the system
  • On-Access Enabled – True/False: is the customer using on-access scanning
  • On-Access Method – Which on-access method is in use: FANotify/Talpa
  • On-Access Open – True/False: is on-access checking on file open
  • On-Access disinfect/cleanup – True/False: is clean-up in use
  • On-Access delete – True/False: is the product set to delete infected files on detection
  • Talpa Type – Locally Compiled, Custom TBP or Talpa Binary Pack in use
  • Live-Protection Enabled – True/False: is Live-Protection (SXL) enabled
  • No. of On-Access Exclusions – Integer giving the number of exclusions specified
  • Download all Distros – True/False: does the system download all binary packs for all distributions of Linux
  • No. of local scheduled scans – Integer giving the number of scheduled scans specified
  • Update success/failure – True/False for update success
  • Update config source – Is the system using its Primary, Secondary or Backup update source
  • Extra Files configured – True/False: is the extra files option in use
  • WebUI enabled – True/False: is the web-ui enabled
  • WebUI log size – Size of the web-ui log, to show if it is used
  • Reported through Proxy – True/False: was the endpoint behind a proxy
  • E-mail Notifications enabled – True/False: is e-mail notification enabled
  • Last Updated – Integer giving the number of days since the last update
  • Managed – True/False: is the system managed by SEC
  • Firefox running – True/False: is Firefox running on the system
  • Chrome running – True/False: is Chrome running on the system
  • MySQL running – True/False: is MySQL running on the system
  • X running – True/False: is X running on the system (graphical interface)
  • Postgres running – True/False: is Postgres running on the system
  • Oracle DB running – True/False: is Oracle DB running on the system
  • Apache running – True/False: is Apache running on the system
  • Pure Message installed – True/False: is Pure Message running on the system
  • SAVDI installed – True/False: is SAVDI running on the system
  • SELinux Enabled – True/False: is SELinux enabled on the system
  • VMType – If it can be detected, is the system running in a Virtual Machine?

From version 9.8.3 and above the following data will also be collected:

  • Virus Data version – Version number of the Virus Data in use by SAV for Linux
  • Virus Engine version – Version number of the Virus Engine in use by SAV for Linux
  • CPU Type – CPU type and model
  • CPU Cores – Number of cores present in the CPU
  • The length of time the system has been running for between reboots
  • On-Access Archives – True/False: is the product set to scan archives on-access
  • Update Policy – Whether the customer is using Preview, Recommended or Previous
  • Management Type – Which management system (SEC/Cloud) is in use
  • Regression Suite – Whether the results are being reported as part of our internal testing
  • AppArmor running – True/False: is AppArmor running on the system
  • CIFS running – True/False: is CIFS running on the system
  • CIFS Port open – True/False: is the CIFS port open on the system
  • NFS Port open – True/False: is the NFS port open on the system
  • NFSv3 in use – True/False: is NFSv3 in use on the system
  • NFSv4 in use – True/False: is NFSv4 in use on the system
  • HTTPS Port open – True/False: is the HTTPS port open on the system
  • Root filesystem type – Filesystem type for the root partition on the system
  • Tripwire running – True/False: is Tripwire running on the system

From version 9.11 and above the following additional data will also be collected:

  • License Information – Where updating from Sophos, this gives the license in use
  • System Update Sources – The update sources in use on the system
  • Last Talpa Build Failure – Returns the error code for the last Talpa build failure, if applicable
  • Containers – True/False: are containers in use on the system
  • Number of AppArmor Policies – The number of AppArmor policies in use
  • AuditD installed – True/False: is AuditD installed on the system
  • Conntrack installed – True/False: is Conntrack installed on the system
  • IPTables installed – True/False: is IPTables installed on the system
  • Number of IPtables Rules – The number of firewall rules used by IPtables
  • Perf installed – True/False: is Perf installed on the system
  • SystemTap installed – True/False: is SystemTap installed on the system
  • TCPFile installed – True/False: is TCPFile installed on the system

What logging is generated for this feature?

Phone home logging is stored on the endpoint in:

What information is shown in the logs?

A successful log entry looks like this:

2014-08-19 09:59:22.724819: Preparing feedback data
2014-08-19 09:59:23.430645: Using custom feedback host: localhost:8083
2014-08-19 09:59:23.433375: Sending feedback
2014-08-19 09:59:23.433395: trying with noproxy: proxy (from environment)
2014-08-19 09:59:23.437320: Success
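To turn the log above into something an administrator can audit, here is an added example (not Sophos code) that summarises a feedback log in the "<date> <time>: <message>" format shown. The sample log is constructed inline: the successful entry from this page followed by a second, incomplete attempt that never reached "Success".

```shell
#!/bin/sh
# Added example, not part of the Sophos product: summarise a phone-home
# feedback log written in the "<date> <time>: <message>" format shown above.

# Constructed sample log: the successful entry from this page followed by a
# second attempt that never reached "Success".
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2014-08-19 09:59:22.724819: Preparing feedback data
2014-08-19 09:59:23.430645: Using custom feedback host: localhost:8083
2014-08-19 09:59:23.433375: Sending feedback
2014-08-19 09:59:23.433395: trying with noproxy: proxy (from environment)
2014-08-19 09:59:23.437320: Success
2014-08-26 03:14:07.000001: Preparing feedback data
2014-08-26 03:14:07.500000: Sending feedback
EOF

# Strip the "YYYY-MM-DD HH:MM:SS.uuuuuu: " prefix, leaving only the message.
strip_ts() { sed 's/^[0-9-]* [0-9:.]*: //'; }

# Number of attempts: each one starts with "Preparing feedback data".
feedback_attempts() { grep -c ': Preparing feedback data$' "$1" || true; }

# Number of attempts that ended in "Success".
feedback_successes() { grep -c ': Success$' "$1" || true; }

# Message of the most recent log line, e.g. "Success" or "Sending feedback".
last_feedback_result() { tail -n 1 "$1" | strip_ts; }

# Date (YYYY-MM-DD) of the most recent attempt; with the weekly cadence
# described above, a date more than 8 days old means phone-home has stalled.
last_feedback_date() { grep ': Preparing feedback data$' "$1" | tail -n 1 | cut -d' ' -f1; }

# Feedback host: the custom host if one was logged, otherwise "default".
feedback_host() {
    host=$(sed -n 's/^.*: Using custom feedback host: //p' "$1" | tail -n 1)
    printf '%s\n' "${host:-default}"
}

# One-line summary; a last result other than "Success" warrants a closer look.
feedback_summary() {
    printf 'attempts=%s successes=%s last=%s (%s) host=%s\n' \
        "$(feedback_attempts "$1")" "$(feedback_successes "$1")" \
        "$(last_feedback_date "$1")" "$(last_feedback_result "$1")" \
        "$(feedback_host "$1")"
}

feedback_summary "$SAMPLE_LOG"
```

Point the functions at the real feedback log on an endpoint to check that the weekly attempts are still succeeding and that the feedback host is the one you expect.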

Do the logs reset/rotate?

No. Feedback attempts only happen once per week, and each one adds only 5 lines. It would take many years for the log to become large enough to require rotation.

If you need more information or guidance, then please contact technical support.
