[ SOPHIE ]

Current V3 release: 3.04rc2 ( tar.bz2 / tar.gz )

Current V1 release: 1.44 ( tar.bz2 / tar.gz )

Patches/modifications

News

[01-Jun-2005] Beginning transition to Sourceforge.net.
[28-Jan-2004] Sophie 3.04rc2 released. Few bugfixes. Please read Changes file.
[21-Nov-2003] Sophie 3.04rc1 released. Major bugfixes.
[09-Jun-2003] Sophie 3.03 released. Minor bugfixes.
[10-May-2003] Sophie 1.44 released. Major bugfix. Upgrade.
[10-May-2003] Sophie 3.02 released. Major bugfix. Upgrade.
[29-Apr-2003] Sophie 3.01 released. Removed RH9/glibc23 fix. Didn't work.
[28-Apr-2003] Sophie 3.00 released. Major features, bugfixes. SAVI V3 support.
[21-Apr-2003] Sophie 1.43 released. Minor fixes.
[13-Aug-2001] Mailing list created. URL: http://www.vanja.com/list/listinfo.cgi/vtools. Virge/Sophie/Trophie will be discussed (if anyone subscribes, of course ;)

Introduction

Sophie is a daemon which uses the 'libsavi' library from the anti-virus vendor Sophos ( www.sophos.com ).

On startup, Sophie initializes SAVI (Sophos Anti-Virus Interface), loads the virus patterns into memory, opens a local UNIX domain socket, and waits for a client to connect and tell it which path to scan. Because the patterns are already loaded in RAM, each scan request starts very quickly. Of course, the speed of the scan itself also depends on the SAVI settings and on the size of the file.

How does it work?

Sophie works in a very simple way.

Since the virus patterns are always in memory, scanning is fast (fast in 'startup', not fast in 'execution' :) and uses far fewer resources. For a single 'run', it probably makes no difference whether you use Sophie or Sweep. However, if you have a program (a local mail delivery agent, for example) that needs to scan something every few seconds or minutes, things are very different.

The 'difference' I am talking about is not in the scanning itself - while a scan is in progress, Sophie is barely involved in it. Scanning speed depends on the SAVI setup and on the size of the file being scanned (and if it is an archive, there might be hundreds, even thousands of files inside). What counts in this case is the initialization of the engine.

For example, here are timing measurements for scanning the file /var/tmp/Happy99.exe with sweep and with Sophie.

[root@x sock]# time --verbose sweep /var/tmp/Happy99.exe
SWEEP virus detection utility
Version 3.48, August 2001 [Linux/Intel]
<snip>
>>> Virus 'W32/Ska-Happy99' found in file /var/tmp/Happy99.exe
<snip>
Command exited with non-zero status 3
        Command being timed: "sweep /var/tmp/Happy99.exe"
        User time (seconds): 0.54
        System time (seconds): 0.01
        Percent of CPU this job got: 91%
        Elapsed (wall clock) time (h:mm:ss or m:ss): 0:00.62
<snip>

[root@x sock]# time --verbose ./scan_file /var/run/sophie /var/tmp/Happy99.exe
FILE INFECTED: [/var/tmp/Happy99.exe] (VIRUS: W32/Ska-Happy99)
        Command being timed: "./scan_file /var/run/sophie /var/tmp/Happy99.exe"
        User time (seconds): 0.00
        System time (seconds): 0.00
        Percent of CPU this job got: 0%
        Elapsed (wall clock) time (h:mm:ss or m:ss): 0:00.02
<snip>

The difference is quite big. Sophie does not need to reload the patterns (which are approximately 1.8 MB and are probably packed, so the file also needs to be unpacked), while Sweep does. The scan_file program only connected to the /var/run/sophie socket, sent a filename, and got the response (with the virus name). This is what Sophie was made for.
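As an added illustration of the client/daemon exchange described above (this is not code from Sophie or from its scan_file tool): a small Python client that connects to the UNIX domain socket, sends one path, and parses the single reply line, together with an offline mock daemon that stands in for Sophie so the exchange can be run without libsavi. The wire framing (a newline-terminated absolute path per connection, a reply shaped like scan_file's printed line, and a 'FILE CLEAN:' reply for clean files), the byte-search 'engine' with its constructed signature, and the socket path are all assumptions; the page documents neither the real protocol nor the clean-file reply. One point worth noting for anyone deploying a daemon of this kind: it opens whatever path a client sends it, so the ownership and mode of the socket decide who can have files read and scanned under the daemon's privileges, which is why the mock sets the socket to mode 0600.

```python
import os
import socket
import tempfile
import threading

# ASSUMED wire format, modelled on scan_file's printed output; the page does
# not document Sophie's real request/response framing.
INFECTED_PREFIX = "FILE INFECTED:"
CLEAN_PREFIX = "FILE CLEAN:"          # assumed reply for a clean file
# Constructed stand-in for a SAVI virus pattern; not a real signature.
FAKE_SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"
FAKE_VIRUS_NAME = "Test/Constructed-Sample"


def build_request(path):
    """One absolute path per connection, newline terminated (assumed framing)."""
    if not os.path.isabs(path):
        raise ValueError("daemon scans by path; send an absolute path")
    if "\n" in path or "\0" in path:
        raise ValueError("path must not contain newline or NUL")
    return (path + "\n").encode()


def parse_response(line):
    """Return (infected, path, virus_name); virus_name is None when clean."""
    text = line.decode(errors="replace").rstrip("\r\n")
    if text.startswith(INFECTED_PREFIX):
        # e.g. "FILE INFECTED: [/var/tmp/Happy99.exe] (VIRUS: W32/Ska-Happy99)"
        path = text[text.index("[") + 1:text.index("]")]
        virus = text[text.index("(VIRUS:") + len("(VIRUS:"):text.rindex(")")].strip()
        return True, path, virus
    if text.startswith(CLEAN_PREFIX):
        return False, text[text.index("[") + 1:text.index("]")], None
    raise ValueError("unrecognised daemon reply: %r" % text)


def scan_path(sock_path, file_path, timeout=5.0):
    """Client side: connect, send the path, read one reply line, parse it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(build_request(file_path))
        with s.makefile("rb") as f:
            return parse_response(f.readline())


class MockDaemon:
    """Offline stand-in for Sophie: the 'engine' is a byte search whose
    patterns are loaded once at construction, mirroring patterns kept in RAM."""

    def __init__(self, sock_path):
        self.sock_path = sock_path
        self.patterns = {FAKE_SIGNATURE: FAKE_VIRUS_NAME}   # loaded once
        self.stopping = False
        self.srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.srv.bind(sock_path)
        os.chmod(sock_path, 0o600)   # socket mode decides who may request scans
        self.srv.listen(5)
        self.srv.settimeout(0.2)     # lets the accept loop notice a shutdown
        self.thread = threading.Thread(target=self._serve, daemon=True)
        self.thread.start()

    def _serve(self):
        while not self.stopping:
            try:
                conn, _ = self.srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn, conn.makefile("rb") as f:
                path = f.readline().decode().rstrip("\n")
                conn.sendall(self._scan(path).encode())

    def _scan(self, path):
        with open(path, "rb") as fh:
            data = fh.read()
        for sig, name in self.patterns.items():
            if sig in data:
                return "%s [%s] (VIRUS: %s)\n" % (INFECTED_PREFIX, path, name)
        return "%s [%s]\n" % (CLEAN_PREFIX, path)

    def close(self):
        self.stopping = True
        self.thread.join()
        self.srv.close()
        os.unlink(self.sock_path)


def run_demo():
    """Scan one constructed 'infected' file and one clean file via the mock."""
    with tempfile.TemporaryDirectory() as d:
        sock = os.path.join(d, "sophie")        # assumed socket location
        daemon = MockDaemon(sock)
        try:
            bad = os.path.join(d, "sample.exe")
            good = os.path.join(d, "notes.txt")
            with open(bad, "wb") as fh:
                fh.write(b"MZ" + FAKE_SIGNATURE + b"\x00" * 16)
            with open(good, "wb") as fh:
                fh.write(b"just text\n")
            return [scan_path(sock, bad), scan_path(sock, good)]
        finally:
            daemon.close()


if __name__ == "__main__":
    for infected, path, virus in run_demo():
        print("INFECTED" if infected else "CLEAN", path, virus or "")
```

The client deliberately rejects relative paths and paths containing newline or NUL before anything reaches the socket: the daemon resolves paths in its own working directory and with its own privileges, and a newline-framed protocol cannot carry such a path without the request being misread.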

Important

It is also very important to realize that Sophie is still being developed, and this is not its final 'look'. Some changes are also likely to happen to the response format (the filename will probably be included in the response when a virus is found) and to the logging feature (where something is logged, and what is logged). It is also possible that I will modify Sophie so that it doesn't stop after the first virus is found, but scans and reports all files and viruses.

Downloads

Latest V3 release is 3.04rc2 (28-Jan-2004)

Sophie is released under the GPL license.

sophie-3.02rc1.tar.bz2 ( PGP signature )
sophie-3.04rc2.tar.gz ( PGP signature )

README
README.NETWORK
Changes

Older releases

Latest V1 release is 1.44 (10-May-2003)

Sophie is released under the GPL license.

sophie-1.44.tar.bz2 ( PGP signature )
sophie-1.44.tar.gz ( PGP signature )

README
README.NETWORK
Changes

Older releases

Credits

Author: Vanja Hrustic <vanja at users.sourceforge.net>

Thanks

Big "thank you" goes to Sophos, for releasing the docs for the API (more or less complete ;), and for releasing the SDK.

Philipp Gaschütz <philipp at corpex.de> (Vanja:) for suggesting a different (working... better... :) way of limiting the number of processes in Sophie.


[ This page is best viewed with eyes ]