We've been seeing some false alarms with real time protection on some servers when they boot up. It seems to be a timing issue with the sav-rms and sav-protect systemd service files. If sav-rms.service starts before sav-protect.service, it will report that real time protection is disabled for a few minutes. I changed the After= line for sav-rms.service to include sav-protect.service and I don't see the false alarms any more.

Enterprises need File Integrity Monitoring on their Linux system files. This is a requirement for all systems requiring Continuous Monitoring (NIKST 800-137) which are all defense contractors, Government contractors, government agencies, and soon, all HIPAA covered entities.

Apparently the policy setting:
"Real-time scanning - Local files and network shares" that can be configured for:
on read
on write
only applies to Windows clients and not to Linux clients. On Linux you have to manually change the preference using eg:
/opt/sophos-av/bin/savconfig set TalpaOperations -- -open
to disable "on read"
But obviously:
1. This is not scallable
2. This makes the Linux Sophos AV impaired in terms of feature comparison to Windows
3. It's very problematic on eg. NFS servers where on open NEEDS to be disabled due to high CPU usage that sophos processes may spark.

ClamAV on a Linux Server uses /var/tmp/*.tmp/*.tmp to store email contents while scanning them, and the number of alerts from dubious contents can be high. As the *.tmp names are randomly generated, but start with ClamAV-*, it would be nice to exclude them and let ClamAV do it's work, then check the contents of the emails when they land in their final destination instead.

scheduled scans are still quite limited, as we can see here: https://www.sophos.com/en-us/support/knowledgebase/117346.aspx

One of the options we would like to see is being able to give the scheduled scan some reduced system priority / i.e. niceness, to limit the performance impact of scans: scheduled scans normally need not run at high priorities.

scheduled scans are still quite limited, as we can see here: https://www.sophos.com/en-us/support/knowledgebase/117346.aspx

One of the options we would like to see is being able to abort a running scheduled scan.

Please notify a running savdi about the performed pattern update by the savupdate process.
This is more a bug than a feature-request and should be implemented very easily, because the savdi daemon writes a pid-file and has already implemented a signal for this (kill -HUP <savdi pid>).
The implementation could be done in a few lines of code...

Allow us to add exclusions, especially to MTD, for websites/IP addresses in Linux. We have VMs in a cloud environment that are constantly talking to a monitoring host. Without those exclusions CPU usage is really high.

Instead of locking access to infected file, an option to move to quarantine would be beneficial for real-time scanning of some 3rd party product queue directories

When preparing a Linux installation package on SAV for Linux 9.12.3, attempting to specify an update URL in the form "https://server.example.com/sophos&quot; results in the message "The update source address must be a website or an absolute directory path." Keeping the same URL but removing the S, i.e. "http://server.example.com/sophos&quot; works as expected.

Please enhance the tool to allow HTTPS locations so authentication passwords aren't sent in the clear.

One of the options we would like to see is that the exclusions specified with the exclude keyword can include quotes like "\ " to specify a space in a path / file specification. Currently, we have to workaround by putting asterisks at those character positions.

scheduled scans are still quite limited, as we can see here: https://www.sophos.com/en-us/support/knowledgebase/117346.aspx

One of the options we would like to see is that we would like to control the list of Default extensions that is implicitely active: there is only a parameter called "excludeExtension"

We would like to see HIPS functionality added to the Sophos AntiVirus Linux client.