Sophos first impressions

[Denis Beauchemin]

Hello,

The current discussion on virus scanners made me want to try Sophos.  So
I went to www.sophos.com and downloaded an evaluation version of their
antivirus software for Linux.

When the installation came I had to peek at sophos-autoupdate to see
that I needed to install it this way:
./install.sh -d /usr/local/Sophos -s ide -ni -v

I then ran sophos-autoupdate but it complained that it couldn't get the
version.  I then realized that the autoupdate script looks into the lib
directory for its vdl files that I installed into the ide directory.

I modified sophos-autoupdate to point it to the right directory for the
vdl files and all worked OK.

I then tried to run it on some files in my quarantine directory and it
said that no files were infected:
/usr/lib/MailScanner/sophos-wrapper */*
SWEEP virus detection utility
Version 3.65, January 2003 [Linux/Intel]
Includes detection for 79017 viruses, trojans and worms
Copyright (c) 1989,2003 Sophos Plc, www.sophos.com

System time 09:36:31, System date 22 January 2003

Quick Sweeping


5 files swept in 0 seconds.
No viruses were discovered.
End of Sweep.


This is strange because McAfee says otherwise:
uvscan */*
/quarantaine/usherbrooke/20030122/h0M8vF827294/Love.scr
        Found the W32/Yaha.k virus !!!
/quarantaine/usherbrooke/20030122/h0M9XC832328/Best_Friend.scr
        Found the W32/Yaha.k virus !!!

Did I do something wrong with the installation?  I also tried to unzip
Sophos.366_ides.zip in the ide directory but it still didn't find any
virus in my test files.

I tested some other files and Sophos seems to detect Yaha.e but not
yaha.k...

>>> Virus 'W32/Klez-H' found in file courrier/20030122/h0M6eL810031/height.scr
>>> Virus 'W32/Yaha-E' found in file courrier/20030122/h0M7DW814236/screensaverforu.scr

Is Sophos really good or is it lagging in virus definition?

Denis
-- 
Denis Beauchemin, analyste
Université de Sherbrooke, S.T.I.
T: 819.821.8000x2252 F: 819.821.8045