Antivirus and Security Software from Sophos


Sophos Anti-Rootkit: Using the command line scanner

Where possible you should use the graphical user interface (GUI) version of the Sophos Anti-Rootkit tool on a single computer, not the command line version. See the user manual for instructions on how to do this.

This article gives background information on using the command line version in exceptional circumstances, or when using the command line tool over a network.

What to do

1. Running the command line version

Open a command prompt and change to the directory in which you placed the Sophos Anti-Rootkit tool (by default this will be C:\SOPHTEMP).

  1. Type

    SARCLI

    This will:
    • scan running processes for hidden items
    • scan the Windows registry for hidden items
    • scan the local hard drives for hidden items
    • create the log file %TEMP%\sarscan.log, where %TEMP% is the Windows temporary directory of the scanned computer.
    Check the log to ensure that no files that you want to keep are flagged for removal. If they are, contact Sophos support and submit a sample: the file samples.sar from the Windows temporary directory of the computer involved.
  2. Once you are satisfied that automatic removal will not remove any valuable files, run another scan to remove the rootkit. Type

    SARCLI -clean -restart

    This will:
    • scan running processes for hidden items
    • scan the Windows registry for hidden items
    • scan the local hard drives for hidden items
    • append scan information to the existing sarscan log
    • restart the computer to clean up all hidden items recommended for removal (the computer will only be restarted if a rootkit is found)
    • on an infected computer, create the log file %TEMP%\sarclean.log, where %TEMP% is the Windows temporary directory of that computer. (If you run a second cleaning scan this log will be overwritten.)
  3. Run a final scan to ensure that all components have been removed. Type

    SARCLI

After running Sophos Anti-Rootkit to remove the rootkit you should:

  • Purge System Restore on all Windows XP computers.
  • Check your software or hardware firewall to ensure that it is running correctly.
  • Check that your anti-virus software is running correctly.

Run a scan with your anti-virus software and remove any worms or Trojans that were using the rootkit. Then follow any extra instructions in the analyses for those malicious programs (e.g. install any patches or use Windows update).
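The scan, clean and verify steps above, wrapped in an added PowerShell script (not a Sophos script, and not from this article) that archives each log with a timestamp before it is appended to or overwritten. It assumes the executable is SARCLI.exe in C:\SOPHTEMP (the article only shows the command SARCLI) and uses a hypothetical case folder for the archived logs; because the cleaning scan may reboot the machine, each step is a separate -Phase invocation.

```powershell
# Added example (not Sophos' own script): wraps the three SARCLI steps from this
# article in one script with a -Phase switch, since the cleaning scan may reboot
# the machine and a single run cannot survive that.
# Assumptions: the executable is SARCLI.exe in $ToolDir (the article only shows
# the command "SARCLI"); $CaseDir is a hypothetical folder for archived logs.
param(
    [ValidateSet('Scan', 'Clean', 'Verify')]
    [string]$Phase = 'Scan',
    [string]$ToolDir = 'C:\SOPHTEMP',        # default location from the article
    [string]$CaseDir = 'C:\IR\rootkit-case'   # hypothetical evidence folder
)
$sarcli = Join-Path $ToolDir 'SARCLI.exe'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Force -Path $CaseDir | Out-Null

# Copy a log out of %TEMP% under a timestamped name. sarscan.log is appended to
# on every run and sarclean.log is overwritten, so archive before the next scan.
function Save-SarLog([string]$Name) {
    $src = Join-Path $env:TEMP $Name
    if (-not (Test-Path $src)) { Write-Host "$src not present"; return }
    $dst = Join-Path $CaseDir ('{0}-{1}-{2}' -f $env:COMPUTERNAME, $stamp, $Name)
    Copy-Item $src $dst
    Write-Host "Archived $src -> $dst"
    return $dst
}

switch ($Phase) {
    'Scan' {
        # Step 1: detection-only scan; nothing is removed yet.
        & $sarcli
        $log = Save-SarLog 'sarscan.log'
        if ($log) { Get-Content $log }
        Write-Host 'Review the log. If a file you want to keep is flagged, send'
        Write-Host '%TEMP%\samples.sar to Sophos support instead of cleaning.'
    }
    'Clean' {
        # Step 2: run only after the operator has reviewed the scan log.
        $ok = Read-Host 'Scan log reviewed and no valuable files flagged? (yes/no)'
        if ($ok -ne 'yes') { Write-Host 'Aborting clean.'; exit 1 }
        # The tool restarts the computer only if a rootkit is found;
        # run this script again with -Phase Verify after the reboot.
        & $sarcli -clean -restart
    }
    'Verify' {
        # Step 3: after the reboot, archive the clean log and scan once more.
        Save-SarLog 'sarclean.log' | Out-Null
        & $sarcli
        Save-SarLog 'sarscan.log' | Out-Null
    }
}
```

Run it from the write-protected copy described in the next section when cleaning several computers, so the archived logs record which medium and which machine each scan came from.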

2. Making a copy of the command line tool on a CD

When cleaning more than one computer, or if problems are encountered running the tool, you may need to use a copy from a write-protected CD, or similar medium.

To prepare a CD version, do as follows.

  1. Go to an uninfected computer.
  2. Download Sophos Anti-Rootkit.
  3. Double-click the downloaded file to extract the contents into a folder called SOPHTEMP.
  4. Copy the contents of the SOPHTEMP folder to a medium that can be write-protected (the example here uses a CD).
  5. Write-protect the disk (e.g. on a CD-R or CD-RW, close the session).

For more information or assistance, please contact technical support.