These classnotes are depreciated. As of 2005, I no longer teach the classes. Notes will remain online for legacy purposes

UNIX03/Sophie - Quick Attachment Scanning

Classnotes | UNIX03 | RecentChanges | Preferences

Sophie is a daemon which uses libsavi, the Sophos Anti Virus Interface library distributed by Sophos. You can obtain Sophie from here:

On startup, Sophie intializes the SAVI library and loads the virus identities into memory. It then opens a local UNIX socket and waits for connections. Other applications make connections to this socket and pass data into Sophie informing of a path to scan. Because the virus identities are already loaded into RAM, scanning of this file is very fast. Since Sophie does not worry about what to do with this file afterward (delete it, quarantine it, etc.), once it has determined if the file is viral or not, it once again sits and waits for another path to scan.

Sophie was not intended to replace Sweep. Instead, it simply acts as a quick litmus test as to whether a given file is viral or not. (Well, it's quicker than Sweep, but if the file is large it will still take a while.)

All of this means that there will be significantly less overhead for running Sophie over Sweep. With Sweep, each time it is run it will have to reload the IDE files. It will also have to know what to do with a viral file if found. This means that it is hard to kludge it into a mail gateway such as ours. It would take an already resource intensive setup and make it even more intensive. By adding Sophie to the mix, we only slightly increase the workload that the system has to do to scan a message.

Configuring Sophie

There are two configuration files for Sophie: sophie.cfg and sophie.savi.


This is the main configuration file for Sophie. Many of the items in this file will be reloaded by Sophie when it is send a hang-up (SIGHUP) signal, others will require a full reload. Inside the source archive for Sophie is an example file (under 'etc'). Let's take a quick look at some of the options it has:

 # Configuration file with SAVI options
 # Change requires: RELOAD
 saviconfig: /etc/sophie.savi

This points Sophie to the configuration file for the SAVI library settings.

 # Maximum (allowed) number of concurrent processes
 # 0 stands for 'no limit'
 # Change requires: RELOAD
 maxproc: 20

This is the maximum number of processes Sophie will be allowed to spawn. Setting this to 0 may allow for a DoS attack.

 # Location of socket file
 # Change requires: RESTART
 socketfile: /var/run/sophie

This is the UNIX socket file which clients can connect to. If you do not change this, be sure to make a note of it as Amavisd will need it.

 # User to run Sophie as
 # Change requires: RESTART
 user: mail

 # Group to run Sophie as
 # Change requires: RESTART
 group: mail

These are the user and group to run Sophie as. It would generally be safe to run this under a parent group for both Sophos and Sophie.

There are many other options, which have reasonable explanations in the basic config file included with Sophie.


This is the file which defines how Sophie initializes the SAVI library. Chances are you will not want to change any of these unless you know what you are doing (or, unless I tell you to ;-)

Classnotes | UNIX03 | RecentChanges | Preferences
This page is read-only | View other revisions
Last edited October 4, 2003 2:07 am (diff)
(C) Copyright 2003 Samuel Hart
Creative Commons License
This work is licensed under a Creative Commons License.