Sophos Anti-Rootkit: User Manual
Contents
1 About Sophos Anti-Rootkit
2 System requirements
3 Install Sophos Anti-Rootkit
4 Remove Sophos Anti-Rootkit
5 About scanning for rootkits
6 Run Sophos Anti-Rootkit from the command line
7 Start Sophos Anti-Rootkit using the Windows interface
8 Scan for rootkits
9 Clean up rootkits
10 View results of rootkit cleanup
11 Technical support
12 Copyright
2 System requirements
Sophos Anti-Rootkit is supported on the following operating systems:
Windows 2000
Windows XP
Windows Vista
Windows 7
64-bit platforms
2. Follow the link to download and save the installer to one of the following places:
A drive that can be accessed from the computer on which you want to install Sophos Anti-Rootkit
A CD or DVD
3. Locate the Sophos Anti-Rootkit installer that you downloaded earlier and double-click it.
A wizard guides you through installation.
It is strongly recommended that you close all non-essential applications and allow Windows
Update to complete before scanning for rootkits.
Depending on the computer being scanned, a Sophos Anti-Rootkit scan may take anywhere
between a few minutes and over an hour to complete. Scans generally take significantly longer
to complete on a server computer. You can stop a scan at any time, but the results will be
incomplete, so run a scan at a time when it will cause least inconvenience.
When Sophos Anti-Rootkit cleans up a rootkit from your computer, a restart is required to
complete the process.
9 Clean up rootkits
The names of suspicious files are displayed in the results list in the upper panel of the
Sophos Anti-Rootkit window.
The results list may also display registry keys or values. These items cannot be marked for removal.
However, after you have cleaned up any rootkits, these items will disappear from the results list.
To clean up rootkits:
1. Click the name of a suspicious file or process to display information about it. The information
displayed includes whether the item is recommended for removal:
Option
Description
Removable: No
The information displayed may also tell you whether there is a description of the file. To view
the description of the file, go to the Sophos website at www.sophos.com, type the name of the
file in the Search box at the top of the home page, and then click the Search button.
2. Click Clean up checked items. When the dialog box appears, click Yes.
The checked items are marked for removal and will be cleaned up when you restart your
computer.
3. When the dialog box appears, click Restart now or Restart later.
Rescan your computer with Sophos Anti-Rootkit to make sure that all unauthorized files have
been removed.
Confirm that your computer is totally clean by running anti-virus software such as
Sophos Anti-Virus.
11 Technical support
For technical support, visit http://www.sophos.com/support.
If you contact technical support, provide as much information as possible, including the following:
To send the Sophos Anti-Rootkit hidden archive file and log files to technical support:
1. Go to https://secure.sophos.com/support/samples/ and complete the Sample submission form.
Follow the instructions on screen, except as shown below.
2. For I want to submit a, select File sample.
3. Under File 1, click Browse, and then navigate to the following files in turn:
%TEMP%\samples.sar
%TEMP%\sarscan.log
%TEMP%\sarclean.log
samples.sar is an encrypted archive of all hidden files detected by the scan and sarscan.log is a text
file listing the hidden files contained in samples.sar.
Before you send sarscan.log to technical support, check that it does not contain any confidential
information. To view sarscan.log, type the following from either the Windows Run dialog box or
the command prompt:
%TEMP%\sarscan.log
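The review described above can be scripted so that nothing is missed in a long log. The following PowerShell is an added example, not part of the original manual or of any Sophos tooling; it assumes sarscan.log is line-oriented text, and the list of confidential terms (including the placeholder CONSTRUCTED-PROJECT-NAME) is an assumption to adapt to your environment.

```powershell
# Added example: pre-submission review of the files named in this manual.
# Assumption: sarscan.log is line-oriented text (the manual calls it a text file).

function Find-SensitiveLogLine {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Terms
    )
    # Escape each term so it is matched literally, then build one alternation.
    $pattern = ($Terms | Where-Object { $_ } |
        ForEach-Object { [regex]::Escape($_) }) -join '|'
    if (-not $pattern) { return }

    # Select-String is case-insensitive by default, which suits this check.
    Select-String -LiteralPath $Path -Pattern $pattern | ForEach-Object {
        [pscustomobject]@{
            Line  = $_.LineNumber
            Match = $_.Matches[0].Value
            Text  = $_.Line.Trim()
        }
    }
}

# Report which of the three files exist, so you know what would be uploaded.
foreach ($name in 'samples.sar', 'sarscan.log', 'sarclean.log') {
    $file = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $file) {
        $item = Get-Item -LiteralPath $file
        '{0}  {1} bytes  modified {2}' -f $item.FullName, $item.Length, $item.LastWriteTime
    } else {
        "$file  (not found)"
    }
}

# Terms treated as confidential are assumptions: the logged-on user, machine and
# domain names, plus a constructed placeholder for your own project or customer names.
$terms = @($env:USERNAME, $env:COMPUTERNAME, $env:USERDOMAIN, 'CONSTRUCTED-PROJECT-NAME')

$log = Join-Path $env:TEMP 'sarscan.log'
if (Test-Path -LiteralPath $log) {
    $hits = @(Find-SensitiveLogLine -Path $log -Terms $terms)
    '{0} line(s) in sarscan.log need review before submission' -f $hits.Count
    $hits | Format-Table -AutoSize -Wrap
}
```

A count of zero only means none of the listed terms appear; file names in the log can still be sensitive in themselves, so read the flagged lines and skim the rest before uploading.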
Any submission of files and/or data to Sophos is covered by the Sophos End User License
Agreement, which is available at www.sophos.com/legal.
12 Copyright
Copyright 2004-2009 Sophos Group. All rights reserved. No part of this publication may be
reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the
documentation can be reproduced in accordance with the licence terms or you otherwise have
the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Rootkit are trademarks of Sophos Plc and Sophos Group. All other
product and company names mentioned are trademarks or registered trademarks of their respective
owners.