Sophos Anti-Virus for Linux / Unix: savscan / Scheduled scan comparison chart

  • Article ID: 117346
  • Updated: 18 Aug 2015

This chart compares the behaviour of advanced savscan options against the behaviour of a scheduled scan.

Known to apply to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Unix
Sophos Anti-Virus for Linux

Operating systems



savscan is the command-line scanner used in Sophos Anti-Virus for Linux version 7.  This utility contains many configurable options to change the behaviour of the scan.  If changing advanced options is required it is recommended to use 'cron' or other method to schedule a savscan, rather than using built-in scheduled scanning.

For full details of savscan options, see:  man savscan

Scheduled Scans

Scheduled scans contain a simplified number of options to allow for easy scan configuration.  These scans are controlled by the Sophos Anti-Virus daemon and can be locally scheduled or scheduled by Sophos Enterprise Console

For full details on how scheduled scans can be configured, see the following article:



savscan option
savscan default
scheduled scan behaviour
Write to log file
Logging is output to stdout and not logged to a file
Scheduled scans are logged to savd.log. 
SAV 7 - No verbose logging can be configured
SAV 9 - An individual log for each scan is created in /opt/sophos-av/log/
Infected items are not disinfected
Disinfection of infected files can be configured.
These options control the verbosity of savscan output.
savscan keeps silent (-s) and does not print scanned files.
The verbosity of logging cannot be configured.  Virus detection, errors, and scan summary are output to savd.log
 Ask for confirmation before disinfection/deletion
 savscan will ask for confirmation before taking action
 Scheduled scans will never ask for confirmation if configured to disinfect/delete
 Sound bell on virus detection
No bell is sounded on detection.  This option does not presently work with savscan, only with sweep.
 No bell is sounded on detection
 Scan all files
 Savscan uses an internal list of file types to scan
 All files are always scanned regardless of extension
 Recurse down directories
 savscan does recurse down directories by default
 scheduled scans always recurse down directories
 Remove infected files
 Infected items are not removed
Removal of infected files can be configured
 Use extended exit codes
 Extended return codes are not used
 Not applicable to scheduled scans
 Output version information
  Not applicable to scheduled scans  NO
 -maxinfobj=<n>  Maximum number of times to attempt to disinfect
 100  There is no limit to the number of disinfection attempts.
 -ext=<extension>  Scan additional filename extensions
 N/A  Not applicable to scheduled scans.  All file extensions are scanned
 -exclude  Exclude items from scanning
 No items are excluded
 Excluded files/directories can be configured
 -include  Include items in scanning
 N/A  Included files/directories can be configured
 Scan the object pointed to by symbolic links
 Symlinks are followed
 Symlinks are followed
 These options control whether the scan leaves the starting filesystem/computer
 savscan will not leave the starting filesystem/computer
 Types of device to be scanned can be configured.  The scan will leave the starting filesystem/computer when explicit 'include' options are used.
 Don't scan 'special' objects (/dev, /proc, /devices, etc)
 savscan will not scan special objects
 A scheduled scan will never scan special objects
 Prevent repitition of work due to symbolic links
 Backtrack protection is enabled
 Backtrack protection is enabled
 Preserve backtracking information for duration of this scan
 Backtracking information is preserved for duration of scan
 Backtracking information is preserved for duration of scan
 Examine files with an execute bit set
 files with x-bit are scanned
 files with x-bit are always scanned
 After scanning file, reset the access time
 atime is reset (ctime will change when a file is scanned)
 atime is NOT reset.
(atime will change when a file is scanned.
 Show details of file ownership and permissions when using -ns
 File details are not shown
 The verbosity of logging cannot be configured.
 Change file ownership and permissions of infected files
 Permissions are not altered
 Quarantine options are not available
 --args-file=<file>  Read command line arguments from file
 N/A  Does not apply to scheduled scan.  No arguments can be passed from file
 Abort scanning of files such as 'zip bombs'
 Scan of zip bombs will be aborted
 Scan of zip bombs are always aborted
 These options control whether bootsectors and mbrs are scanned
 Bootsectors and mbrs are not scanned
 Boot records are never scanned.
 -idedir=<dir>  Read IDEs from directory
 IDEs are loaded from the same directory as the virus data
 IDEs are always loaded from the same directory as the virus data
 Do full scan of files
 A quick scan of infectable file parts is done by default
 A quick scan of infectable file parts is always done by default.  However, full scan of files can be configured.

These options control file types which will be scanned.
N/A  The SAVI configuration defined in savconfig is used.
 Scan for adware/potentially unwanted applications
 Scan of adware/puas is disabled by default
 No scanning of adware/puas is done
 Scan fo suspicious files
 Scan of suspicious files is disabled by default
 No scanning of suspicious files is done
 Scan inside specific archive types
 Scanning of all archive types is disabled by default
 Scanning of individual archive types can not be configured
 -archive  Enable scanning of all archive types
 Scanning of all archive types is disabled by default  Whether all archive types are scanned  can be configured.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent