Linux-based Sophos Intercept X antivirus scan stick

January 2023 (republished in March 2026)

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

This post was written in 2023 and has not been updated since (up to fixing some typos).

Here you find installation and usage instructions for a bootable USB stick with Debian GNU/Linux and the Sophos Intercept X antivirus component for scanning potentially infected systems. If you’re in a hurry, scroll down to the instructions.

Although the steps for creating the stick aren’t too complicated, apart from some partial solutions scattered over several websites and forum posts there seem to be no up-to-date step-by-step instructions out there. So, here they are.

Why do I need an antivirus stick?

As a Linux user you do not need an antivirus stick, especially not a Sophos antivirus stick. Linux ships with its own anti-malware tools, like chkrootkit or Rootkit Hunter. But from the instructions below you may learn how to create a bootable live system on a USB stick without using a ready-made image (which usually does not support installing software into the live system in a persistent way).

Windows-based organizations’ most likely reaction to security incidents is “We need more antivirus software!”. Soon a new/next layer of snake oil (German Wikipedia on snake oil is more informative) gets installed and, of course, everything has to be covered by this layer, including non-Windows systems, which had not been involved in the incident at all. For Linux users the question arises how to prevent the IT department from compromising my system by installing an opaque huge binary blob permanently running as root in the background?

A very common antivirus software nowadays, working on Linux, macOS, and Windows, is the cloud-managed Sophos Intercept X, coming in different versions and licensing models. It’s a spyware including an antivirus component. IT departments like to install it on all machines from backbone servers down to laptops, because then they can monitor their network and user behavior via web browser in the Sophos cloud (product name: Sophos Central). Note that I do not link the products here, because Sophos product sites are full of marketing blah-blah without relevant technical information. Below I’ll provide links to technical documentation where appropriate.

To check a potentially compromised system without installing the Sophos spyware, one may install the spyware on a bootable USB stick. In the stick’s system, mount your disks read-only, check them, and… done. Hopefully this procedure suffices to calm your IT department down and get you reconnected to your organization’s intranet.

Why do I call it ‘snake oil’?

In the non-Windows community antivirus tools are called snake oil because in the best case they do not harm the system. In a well-managed system or network they do not add any means of security (except for perceived security). Usually they give rise to new security problems. Consider the following points when thinking about installing antivirus products:

Is Sophos Intercept X snake oil, too? Yes! At least the Linux version of its Intercept X Advanced with XDR variant, called Sophos Protection for Linux. It’s a buggy piece of spyware. The uninstaller isn’t working properly (it does not remove user groups created by and for Sophos components, does not remove some files, and so on). Documentation is incomplete (no description of error codes). It disables important Linux security features (auditd). It does not allow for on-demand scans (details below). Some installer options do not work properly (e.g., the install path option, which results in a non-functional installation).

Usually I would file some bug reports and feature requests here, but I do not want to support business models based on fear, disinformation, and mass surveillance.

System requirements speak for themselves: 2 GB of memory, 2 GB of disk space, 5 GB for local surveillance data (detailed machine usage of past 90 days). See system requirements and Sophos Central admin docs for details. In addition, there will be a non-negligible amount of network traffic and delays in file operations (Sophos and any other such software locally intercept all file operations for malware detection).

Install instructions

Warning: Do not follow these instructions blindly. Read the docs if you don’t know what will happen. Tiny variations of the commands listed here may erase all your data!

You need two USB sticks of at least 4 GB capacity. One is for the Debian installer, the other will contain the installed system.

1. Download Debian installer

Get the current Debian stable or testing installer image from the Debian download page. The CD/DVD iso image works for USB sticks, too. Head for the netinst version. This image fits onto a USB stick and loads required components from the internet during installation.

2. Copy installer to USB stick

Copy instructions for Linux and Windows are provided in the Debian FAQ. Here are the steps for Linux:

  1. Open a terminal and navigate to the directory containing the downloaded image (use cd DIRNAME to enter a directory and cd .. to leave it; ls lists the files and directories in the current directory).
  2. Connect your stick to the system, but do NOT mount it.
  3. Run sudo fdisk -l to get a list of all disks (including USB sticks) connected to your system.
  4. Get the device name of your stick. Most likely it’s /dev/sda. Look at capacities and disk labels to find the correct one. If /dev/sda is a disk, then partitions on the disk are labeled /dev/sda1, /dev/sda2 and so on. Important: Ensure (twice or more often) that you choose the right one, because the next step will erase all data on that disk. There’s no way to get your data back!
  5. Run sudo cp your_debian_image.iso /dev/sda, where sda HAS TO BE REPLACED BY THE CORRECT DEVICE NAME.
  6. Unplug the stick.
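The checks the list above asks you to do by eye (is it really the stick, not your system disk?) can be scripted. The following is an added example, not part of the original post: it refuses to write the image unless the target device reports itself as removable in sysfs, has nothing mounted from it, and is large enough. The same check applies when resetting the stick from a saved image later on. It assumes GNU dd and must be run with sudo; SYSFS and MOUNTS are hypothetical environment overrides used only so the checks can be exercised without real devices.

```shell
#!/bin/sh
# Added example, not from the original post: write the installer image only
# after checking that the target is a removable device which has nothing
# mounted (so it cannot be the running system) and is large enough.
# SYSFS and MOUNTS default to /sys and /proc/mounts; tests may override them.
set -eu

# True if /sys/block/<dev>/removable reads "1". $1 = device name (sda), $2 = sysfs root.
device_is_removable() {
    [ "$(cat "$2/block/$1/removable" 2>/dev/null)" = "1" ]
}

# True if the device or any of its partitions appears in the mounts file.
# $1 = device name, $2 = mounts file in /proc/mounts format.
device_is_mounted() {
    grep -q "^/dev/$1" "$2"
}

# True if the image (bytes, $1) is no larger than the device (bytes, $2).
image_fits() {
    [ "$1" -le "$2" ]
}

# Check and write. $1 = image file, $2 = device name such as sdb (the whole disk, not a partition).
write_image() {
    img="$1" dev="$2" sysfs="${SYSFS:-/sys}" mounts="${MOUNTS:-/proc/mounts}"
    device_is_removable "$dev" "$sysfs" || { echo "refusing: $dev is not removable"; return 1; }
    device_is_mounted "$dev" "$mounts" && { echo "refusing: $dev is in use"; return 1; }
    dev_bytes=$(( $(cat "$sysfs/block/$dev/size") * 512 ))   # sysfs counts 512-byte sectors
    img_bytes=$(wc -c < "$img")
    image_fits "$img_bytes" "$dev_bytes" || { echo "refusing: image larger than $dev"; return 1; }
    echo "writing $img to /dev/$dev ($dev_bytes bytes)"
    # dd with conv=fsync instead of the post's plain cp, so data is flushed before we return
    dd if="$img" of="/dev/$dev" bs=4M conv=fsync
    sync
}

# Run only when invoked as a script with two arguments: sudo ./write_image.sh IMAGE DEVICE
if [ $# -eq 2 ]; then
    write_image "$1" "$2"
fi
```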

3. Boot from USB stick

Reconnect your stick to your computer. Then restart your machine and enter the BIOS/UEFI setup (usually ESC or F2 or DEL key immediately after power-on should do it; depends on your hardware). Select boot from USB or something similar. Maybe you have to navigate through several option lists to find boot device options.

Leaving the BIOS/UEFI setup should now boot your machine from USB. The Debian installer should start within a few seconds.

4. Install Debian on USB stick

Connect your second USB stick (the one to which you want to install Debian).

Run Expert Install. Follow the instructions. Take care to choose the following options:

5. Test Debian

Reboot your machine and boot from the freshly installed USB stick (again via BIOS/UEFI setup). Log in to the account created during installation. Shut down the machine with sudo shutdown now.

6. Copy Sophos installer to the USB stick

Boot from internal disk and copy the Sophos installer to the stick. A good location is /home/username/.

7. Install Sophos

Reboot your machine and boot from USB stick. Make the installer script executable via chmod 700 SophosLinuxSetup.sh. Then run the installer as follows:

sudo ./SophosLinuxSetup.sh --products=antivirus

This will install something, but (at least for me) not the antivirus component.

Run the installer a second time with the same arguments. Now the antivirus component gets installed.

If you omit the --products argument, more Sophos components will be installed. And those components prevent on-demand scans with the antivirus component (see Sophos docs).

8. Test Sophos installation

Now run sudo avscanner --help. This should print some information about the scanner’s command line arguments. Have a look at corresponding Sophos docs, too.

Usage instructions

To check a potentially compromised system, boot the machine with your USB stick. Then list all disks with

sudo fdisk -l

Mount the disk to be scanned read-only:

sudo mount -o ro,noload /dev/nvme0n1 /media/disk

Here /dev/nvme0n1 is the disk to scan (from fdisk output). The ro option mounts read-only, so the antivirus snake oil can’t modify your data. The noload option prevents journaling file systems from replaying the journal (that is, from modifying files after an unclean shutdown); it can be regarded as a stricter form of read-only. The /media/disk path then contains the disk’s data. Maybe you have to create this path before the first scan (sudo mkdir /media/disk).

Now run Sophos’ antivirus component:

sudo avscanner /media/disk

When finished, unmount the disk with

sudo umount /media/disk

Go on to the next disk (mount, scan, unmount) or shut down the system with sudo shutdown now.
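The mount/scan/unmount cycle above, as an added example that is not part of the original post, generalized to every partition of one disk. It picks the no-journal-replay option by filesystem type, because noload is an ext2/3/4 option and xfs needs norecovery instead, and it skips swap, LVM and LUKS members that cannot be mounted directly. It assumes the stick’s Debian has lsblk (util-linux) and that avscanner was installed as described in step 7; run it with sudo.

```shell
#!/bin/sh
# Added example, not from the original post: scan every partition of one disk
# read-only with Sophos' avscanner, choosing the mount options per filesystem.
set -eu

# Print the read-only mount options for a filesystem type as reported by lsblk.
# ext2/3/4 take "noload" (do not replay the journal), xfs takes "norecovery";
# anything else gets plain "ro".
ro_mount_opts() {
    case "$1" in
        ext2|ext3|ext4) echo "ro,noload" ;;
        xfs)            echo "ro,norecovery" ;;
        *)              echo "ro" ;;
    esac
}

# True for filesystem types that hold no mountable files and must be skipped.
skip_fstype() {
    case "$1" in
        ""|swap|LVM2_member|crypto_LUKS) return 0 ;;
        *)                               return 1 ;;
    esac
}

# Mount one partition read-only, run avscanner on it, unmount it again.
# $1 = partition device, $2 = fstype, $3 = mountpoint. Returns avscanner's exit status.
scan_partition() {
    opts=$(ro_mount_opts "$2")
    mkdir -p "$3"
    mount -o "$opts" "$1" "$3" || { echo "cannot mount $1"; return 1; }
    echo "scanning $1 ($2, mounted with $opts) ..."
    rc=0
    avscanner "$3" || rc=$?
    umount "$3"
    return "$rc"
}

# Scan all partitions of a whole-disk device such as /dev/nvme0n1 (from fdisk -l).
scan_disk() {
    lsblk -nlo NAME,FSTYPE "$1" | while read -r name fstype; do
        skip_fstype "${fstype:-}" && continue
        scan_partition "/dev/$name" "$fstype" /media/disk || echo "avscanner exited with $? on /dev/$name"
    done
}

# Run only when invoked as a script: sudo ./scan_disk.sh /dev/nvme0n1
if [ $# -eq 1 ]; then
    scan_disk "$1"
fi
```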

For real paranoids

Scanning requires no network connection. Thus, no data is sent to Sophos. But data might be collected on the USB stick and sent to Sophos if the stick is used later on for booting a machine with a network connection. To cope with such data leaks, copy the stick image after installation (but before first use) to a file. Then reset the stick after each scan by copying the clean, freshly installed image back to the stick (as when copying the Debian installer to the stick).

From time to time you should connect the stick system to the internet to let the auto-updater do its work.