Sophos Docker



It seems Docker and containers are becoming the new default standard for simple, rapid and consistent deployment. I was asked to deploy open maintenance recently at work and decided to look into the simplest options for deploying it.

This article details the addition of support for Docker containers within Sophos Antivirus for Linux.


Applies to the following Sophos products and versions
Sophos Anti-Virus for Linux

As containers are becoming more widely deployed on Linux servers, security is paramount to ensure that running containers have not been injected with malware.

Sophos Antivirus for Linux has been enhanced to improve detection of malware in Docker containers using on-access scanning and to improve the way in which detections in Docker containers are presented within the Sophos management consoles. Now, when a threat is identified within a Docker container, the threat report will state the path and hostname of the container. This will be displayed as (container hostname=<hostname>).

Threat detection within Docker containers has been available since the following versions of Sophos Antivirus for Linux:

  • SAV for Linux version 9.13.0+
  • SAV for Linux version 10.1.1+ (Sophos Central only)

For Sophos Antivirus for Linux to detect threats in Docker containers, the Talpa on-access driver must be used. The FAnotify kernel interface does not support scanning inside containers.

A recent, supported version of Docker will need to be installed and configured, preferably from the operating system vendor’s package repositories.

The Sophos Antivirus for Linux Docker scanning functionality is available on supported releases of the following platforms:

  • Red Hat
  • Ubuntu
  • CentOS
  • SUSE

For more information on Sophos Anti-Virus for Linux, see the supported platforms and operating systems page.

From the Docker web site, the following anti-virus consideration is recommended:

When antivirus software scans files used by Docker, these files may be locked in a way that causes Docker commands to hang.

One way to reduce these problems is to add the Docker data directory (/var/lib/docker on Linux or $Env:ProgramData on Windows Server) to the antivirus’s exclusion list. However, this comes with the trade-off that viruses or malware in Docker images, writable layers of containers, or volumes are not detected. If you do choose to exclude Docker’s data directory from background virus scanning, you may want to schedule a recurring task that stops Docker, scans the data directory, and restarts Docker.
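Two points above lend themselves to a small maintenance script: the threat-report convention of appending (container hostname=<hostname>) to the detected path, and Docker's suggestion of a recurring task that stops Docker, scans the excluded data directory, and restarts it. The POSIX shell script below is an added example, not code from Sophos or Docker. It assumes the on-demand scanner is installed at /opt/sophos-av/bin/savscan, that -archive is a valid savscan option, and that Docker runs as the systemd unit named docker; the sample report lines it parses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a maintenance script for the stop / scan / restart approach the
# Docker documentation suggests, plus a helper that reads the container hostname
# out of Sophos threat reports. Not code from Sophos or Docker.
# Assumptions: the on-demand scanner is /opt/sophos-av/bin/savscan, "-archive"
# is a valid savscan option, and Docker runs as the systemd unit "docker".

SAVSCAN="${SAVSCAN:-/opt/sophos-av/bin/savscan}"
DOCKER_DATA_DIR="${DOCKER_DATA_DIR:-/var/lib/docker}"

# The scanner command line, printed rather than run, so the job can be reviewed
# (and checked offline) before it is scheduled.
scan_command() {
    printf '%s -archive %s' "$SAVSCAN" "$DOCKER_DATA_DIR"
}

# Read scanner output on stdin and print each "(container hostname=...)" value
# on its own line, so a detection can be traced back to the container it hit.
container_hostnames() {
    sed -n 's/.*(container hostname=\([^)]*\)).*/\1/p'
}

# Stop Docker so no files are locked mid-scan, scan the data directory that the
# on-access exclusion skips, then restart Docker whatever the scanner returned.
# The scanner's exit status is preserved so a scheduler can alert on detections.
offline_docker_scan() {
    status=0
    systemctl stop docker || return 1
    "$SAVSCAN" -archive "$DOCKER_DATA_DIR" || status=$?
    systemctl start docker
    return "$status"
}

# Constructed sample report lines (not real scanner output) that follow the
# "(container hostname=<hostname>)" convention the article describes.
SAMPLE_REPORT="$(printf '%s\n' \
    'Scanning /var/lib/docker' \
    '>>> Virus EICAR-AV-Test found in file /var/lib/docker/overlay2/1a2b/merged/tmp/eicar.com (container hostname=web01)' \
    '>>> Virus EICAR-AV-Test found in file /var/lib/docker/overlay2/3c4d/merged/opt/app/x.bin (container hostname=db02)' \
    'Scan finished: 2 files infected')"

# Without --run the script only shows what it would do and demonstrates the
# report parsing on the constructed sample; with --run it performs the scan.
if [ "${1:-}" = "--run" ]; then
    offline_docker_scan
else
    printf 'Would run: %s\n' "$(scan_command)"
    printf 'Containers named in the sample report:\n'
    printf '%s\n' "$SAMPLE_REPORT" | container_hostnames
fi
```

Scheduling this with --run from cron or a systemd timer during a quiet window keeps the on-access exclusion for /var/lib/docker (so Docker commands do not hang) while still giving the image layers and volumes a periodic full scan; the exit status lets the scheduler distinguish a clean run from one with detections.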



Find out how Sophos Cloud Optix protects your container images.

A Docker container image is an unchangeable file that contains the source code, libraries, dependencies, tools, and other files needed for an application to run. Docker containers are based on Docker images, which can be stored in different types of registry.


Sophos Cloud Optix scans container images for operating system vulnerabilities to prevent threats from being introduced into your production environment. It can scan container images in the following locations:

  • Amazon Elastic Container Registry (ECR).
  • Microsoft Azure Container Registry (ACR).
  • Docker Hub registries.
  • IaC environments (Bitbucket and GitHub).
  • Images in your build pipeline.

In Sophos Cloud Optix, Container Images lists the images and registries linked to Sophos Cloud Optix. You can see details of scans performed, images queued for scanning, and vulnerabilities detected. You can filter the list and export it in CSV format.

Click Images with fix available to identify images with known vulnerabilities that you can fix by installing updates. Click an image name for details of the relevant update.

Running image scans

Depending on the type of image and repository, scans are controlled in the following ways:

  • New container images in ECR and ACR registries, and updates to existing images, are found and submitted for scanning when Sophos Cloud Optix scans their parent AWS or Microsoft Azure environments. You can change scan frequency, and run scans manually.
  • New container images in Docker Hub registries, and updates to existing images, are submitted for scanning hourly, by default. You can change scan frequency, and run scans manually.
  • Container images identified in Dockerfile and Docker Compose files in your GitHub and Bitbucket environments are submitted for scanning each time you run a git push command.
  • You can also submit images for scanning with the Sophos Cloud Optix REST API.

Each container image scanned by Sophos Cloud Optix counts as a cloud asset for licensing. You can see the list in Scanned Images.

How container image scanning works

Sophos Cloud Optix container image scanning is a Docker container analysis tool that automates image inspection.


When a container image is submitted to Sophos Cloud Optix, the service retrieves the image's metadata from the registry and pulls the image for analysis. Sophos Cloud Optix analyzes the image content (operating system packages, software libraries, and file content) and extracts metadata. This metadata is checked against external security vulnerability data. The process is repeated regularly so that the image metadata is always checked against up-to-date external data.

Images submitted for scanning queue for an analyzer. You can see an image's progress in Scan Queue.

When an image is submitted for scanning, its status changes from Queued to Sent for scanning, and it is removed from Scan Queue within 24 hours. Images with the Invalid status are also removed within 24 hours.

Sophos Cloud Optix container image scanning uses regularly updated security vulnerability and package data from multiple sources, including:

  • Security advisories from Linux distribution vendors for distribution-specific packages (Alpine Linux, CentOS, Debian, Oracle Linux, Red Hat Enterprise Linux, Ubuntu).
  • Package repository information from RubyGems and npm.
  • NIST National Vulnerability Database (NVD).

Sophos Cloud Optix updates vulnerability information multiple times per day and automatically updates vulnerability information for each container image in Scanned Images. This doesn't require repeat image scans.


If Sophos Cloud Optix sees that an image has changed after its initial scan, it's automatically submitted for re-scanning.