Antivirus and Security Software from Sophos


Sophos Anti-Rootkit: Rootkit removal on a network with an infected domain controller

On a network where the domain controller has been infected with a rootkit, you must clean the domain controller before using Sophos Anti-Rootkit to clean the remaining computers over the network.

Follow the instructions in this article first, then use the network disinfection article.

What to do

1. Cleaning the key computers

You must clean some key computers to enable the network disinfection process:

  • a computer separate from your network with an internet connection, a CD writer, and a virus scanner (here called 'sheep dip')
  • your Domain Controller.

The 'sheep dip' test computer should be running one of the following operating systems:

  • Windows 2000 server
  • Windows 2003 server
  • Windows 2000 Professional
  • Windows XP Professional

It should have its own internet connection, which must be disconnected while the computer is being cleaned, and it should be physically isolated from the main network (this separation can be temporary).

The 'sheep dip' computer should meet the system requirements for running EM Library and Enterprise Console. See the release notes for the current versions of these products.

Note: If your Sophos Anti-Virus Central Installation Directory (CID), or library, is already installed on a computer other than your Domain Controller, then you should follow these instructions on that computer as well.

  1. Use the graphical user interface version of the Sophos Anti-Rootkit tool to clean the 'sheep dip' computer and domain controller. See the user manual for details.
  2. Use Sophos Anti-Virus version 6 or above to remove any other malware from the 'sheep dip' computer.

Make a note of any files that are not removed during the cleaning process and decide what is to be done about them. These files might also be present on other computers on your network, and leaving them unresolved could affect the cleaning of the whole network.

Now you need to use Sophos Anti-Virus to clean any remaining malware from the Domain Controller.

  1. Use the Sophos Anti-Virus installation on the 'sheep dip' computer to make an installation on the Domain Controller. The 'sheep dip' computer will take the place of the 'dirty' network, and the Domain Controller will be on the 'secure' network when following the air gap installation instructions.
  2. When following the above instructions, prepare Sophos Anti-Virus central installation directories (CIDs) for your workstation operating systems, but do not yet install the workstations.

2. Preparing to clean your network

Before you clean the other computers on your network:

  • Ensure that Sophos Anti-Virus has been installed on your domain controller, and any computer running a CID.
  • Do not install or clean the workstations until your key computers have been cleaned.
  • Configure the anti-virus policy for your key computers so that on-access scanning runs 'On read', 'On write' and 'On rename'. You can do this centrally from Enterprise Console, or locally at the computer. This ensures that any attempt to reinfect the Domain Controller during network disinfection is intercepted.

Run a scan on each key computer to ensure that it is free of malware.

Warning: Do not reboot or log off the Domain Controller during network cleaning. It could become reinfected.

Now follow the instructions for cleaning your remaining computers over the network.

Note: After you have finished cleaning your network, reconfigure your anti-virus policy to use only 'On read' scanning.

For more information or assistance, please contact technical support.