Endpoint Protection

 View Only

SAV for Linux Scanning Best Practices: A (Somewhat) Illustrated Guide 

Jul 02, 2012 07:03 PM

"AntiVirus?  I don't need any AntiVirus, I'm running Linux!"

Sound familiar?  That's what Mac users used to say, before the emergence of  FakeAV targetting Macs, OSX.Macontrol, OSX.Flashback,  OSX.Sabpab and the rest.  AntiVirus software- like Symantec AntiVirus for Linux- is necessary on a Linux computer, too.  There are more than one hundred threats that target Linux specifically as well as threats that can affect specifc software components regardless of what platfrom they are running on.

And, of course a Linux file server can host infected files or threats that target Windows or Macintosh computers.  Running AV on the Linux file server can stop those before they spread.

More info can be found in the article:

Do we really need a Antivirus for Linux


SEP 12.1 RU5 introduced a managed SEP for Linux client in September 2014.  Details can be found in New fixes and features in Symantec Endpoint Protection and Network Access Control 12.1.5 and Symantec Endpoint Protection 12.1.5 for Linux Client Guide. The use of this new, managed SEPFL client is highly recommended over the legacy SAVFL client.


The Importance of Auto-Protect

My first and best piece of advice: consider Auto-Protect vital!   Real-time AV protection (as opposed to relying upon manual or scheduled scans) can detect threats and block them when first they try to get onto a Linux box.

SAV for Linux's Auto-Protect is enabled for many popular kernals immediately upon install.  For other kernels, it is necessary to compile your own AP modules.  The benefit is definitely worth the trouble.  Here are a couple articles on how to build your own:

Guide to building AutoProtect kernel modules for Symantec AntiVirus for Linux 1.0
Article URL http://www.symantec.com/docs/TECH132773 

Symantec AntiVirus for Linux: How to Compile Auto-Protect Kernel Modules under Ubuntu
Article URL http://www.symantec.com/docs/TECH95496 

How to Compile and Install Auto-Protect Kernel Modules for use in your local SUSE Linux environment
Article URL http://www.symantec.com/docs/TECH97037 

How to check if AutoProtect is enabled?

Here is the command line to run from /opt/Symantec/symantec_antivirus

sudo ./sav info -a 

to enable it:

sudo ./sav autoprotect -e

to disable it:

sudo ./sav autoprotect -d


OK!  I have installed SAV for Linux.  What should be scanned?

SAV for Linux (commonly abbreviated SAVFL) is configured by default for highest security- not performance. Creating certain exclusions will allow SAVFL to perform more efficiently and shorten the amount of time it takes to complete a scheduled scan or manual scan.  (Using default settings, a full scheduled scan of the whole volume structure with SAVFL can require a day or more to complete, even for a small hard drive.)

One of Symantec's Linux experts shares this advice:

"A big performance hit can be AutoProtect's scanning of compressed files; disable that feature as a first step when troubleshooting performance problems. If scanning of compressed files is required by your security profile, do it selectively via manual or scheduled scans during off-peak hours."

"As with our other AV products, you should exclude other large archival formats: mail stores, databases, et al… these can be proprietary and in some case may be more suitably handled by a different security product, i.e. mail security for a mail server."

It is also recommended to exclude the following directories from scanning:

  • /sys
  • /proc


How to create exclusions?

The following articles contain all the necessary steps:

How to configure scanning of compressed files in Symantec AntiVirus for Linux
Article URL http://www.symantec.com/docs/TECH102882

Symantec AntiVirus for Linux: How to Configure Scan Exclusions from the Command Line Interface
Article URL http://www.symantec.com/docs/TECH95274

How to add Folder Exclusion for autoprotect, manual and weekly scans in Symantec Antivirus for Linux.
Article URL http://www.symantec.com/docs/TECH123497 

Creating an exclusion for a directory (for instance, /home/mick) will exclude all subdirectories (/home/mick/projects, /home/mick/Desktop and everything else under /home/mick -- be careful not to exclude too much!)


How to test if SAVFL is Scanning what I want it to Scan? 

Download the eicar test file!  Though it is completely harmless, SAVFL will detect this file and create an entry in the logs (and display a pop-up, for users who have installed SAVFL's GUI).

  1. disable autoprotect
  2. download the eicar.com file into the desired directory
  3. then re-enable autoprotect or initiate a scan.

Try to copy that eicar file and SAVFL should either detect it or (if there is an exclusion created successfully) not.

To initiate a manual scan of the home directory from /opt/Symantec/symantec_antivirus, here's the correct command line: 
sudo ./sav manualscan -s /home


Hey!  I excluded that directory, and SAVFL is still scanning it-?

In SAVFL, exclusions are set up in different places for manual scans, scheduled scans and AutoProtect.  Creating one exclusion will not automatically cover all types of scan.


If this is an Illustrated Guide, where are all the illustrations-?

Why not start up your own SAVFL and see how it looks on your Linux machine?  &: )

If there is sufficient interest, I will create a Part 2 with detailed command-lines and examples.


Many thanks for reading!  Please do leave comments, below, if you find this article helpful or unhelpful. 

1 Favorited
0 Files

Tags and Keywords


May 25, 2017 02:23 PM

I would like to know if its ok to exclude jar files as well. 


May 24, 2017 08:28 AM

So what is the 2017 version of this? On a linux server where we have java web apps running (jboss, tomcat, stand alone drop wizard) what are the file extnetion and folders that we can exclude?


Is it okay to exclude jar files? Known jar files?

Oct 17, 2014 11:28 AM


The enterprise version of Symantec Endpoint Protection now includes the Symantec Endpoint Protection client for Linux. The Symantec Endpoint Protection client for Linux replaces the Symantec AntiVirus client for Linux and supports a greater range of distributions and kernels. Added distributions include Red Hat Enterprise Linux Server (RHEL) 6.5 and CentOS 6.5

SEP for Linux clients can now be managed by an RU5 SEPM, or later. Configuration enhancements have been made to the SEPM to allow policy creation for managed Linux clients. This includes AV policy settings, centralized exceptions, and LiveUpdate settings. The SEPM also features enhanced reporting for Linux clients, including the SEP client version, host OS details, and hardware details.

Can refer this article: https://www-secure.symantec.com/connect/articles/how-install-symantec-endpoint-protection-1215-ru5-linux-operating-system

Sep 12, 2013 02:04 PM

Love the article.

Jun 05, 2013 05:20 AM

Appreciate Mick to Make Such Article.yes

May 30, 2013 04:39 AM

私はそのスマートでしたい!  &: )

May 29, 2013 10:57 PM

Awesome pal...

May 22, 2013 03:28 AM

lol, did you wrote that article Mick :-)

May 21, 2013 05:39 AM

Addign a link to an overview of SAVFL in Japanese:

Symantec AntiVirus for Linux について

Mar 08, 2013 02:10 AM

Part 4 is  now available...

SAV for Linux: A (Somewhat) Illustrated Guide Part 4: SAVFL Reporter


Feb 26, 2013 07:00 AM

Nice one!!! thumps up....

Feb 05, 2013 06:47 PM

thank  you for your efforts Mick !

Feb 05, 2013 04:11 PM

Thanks for putting all this info here! It really helps!


Feb 03, 2013 05:38 PM

Good work Mick..all 3 articles you've posted will be handy for anyone working on SAVFL..worth bookmarking.

Jan 24, 2013 05:13 AM

Thumbs up for this and the whole series...good job, thanks.

Jan 24, 2013 04:41 AM

Readers of this artiocle may also be interested in....

SAV for Linux: A (Somewhat) Illustrated Guide Part 3

Jan 12, 2013 07:05 AM

I confirm that SAV for Linux is able to detect Microsoft Windows-specific viruses/malware/trojans. I tested it today against a few files containing known Windows-specific malware/viruses/trojans.

However I am unable to test whether SAV for Linux is able to detect and remove Linux-specific viruses/malware/trojans as I am unable to get hold of the latter for testing.

P.S.: I am using Ubuntu 12.10, kernel,64 bit, US English with SAV for Linux version You will have to generate your own "Autoprotect" kernel modules.

Jan 12, 2013 07:03 AM

For Debian and Ubuntu users, if you are in the home directory and the file that you wish to manually scan is located in the same directory, the command that you need to enter after a terminal window is opened is:

sudo /opt/Symantec/symantec_antivirus/sav manualscan -s filename

On the other hand if you are in the /opt/Symantec/symantec_antivirus directory and you wish to manually scan a file located in the home director, the command is the following:

sudo ./sav manualscan -s /home/username/filename

Jan 02, 2013 05:54 AM

Really helpfull

Jan 02, 2013 05:45 AM

Amazing Artical.......Mick2009 wink


Jan 02, 2013 04:13 AM

Readers of this article may also be interested in its follow-up:

SAV for Linux: A (Somewhat) Illustrated Guide Part 2

Nov 05, 2012 10:40 AM

Thumbs up !

Aug 28, 2012 05:42 AM

Great resume Mick, very helpful.

Related Entries and Links

No Related Resource entered.