This article gives information on scanning options with SAV32CLI, the Sophos Anti-Virus command line scanner for Windows NT, Windows 2000, Windows XP, Windows 2003 and Windows Vista computers.
Follow these links to download an emergency copy of SAV32CLI and the latest virus identity IDE files.
Note: You must run SAV32CLI from the folder where sav32cli.exe is stored. This is usually in C:\Program Files\Sophos\Sophos Anti-Virus.
What to do
When dealing with virus infection, run SAV32CLI in safe mode with command prompt. See Restarting a Windows computer in Safe Mode with Command Prompt for details on how to do this. In the text below, 'virus' is used to refer to viruses, Trojans, worms and other malicious programs.
To run a scan for information only, so as to create a log, open a command prompt and change to the folder where the sav32cli.exe program is stored (usually C:\Program Files\Sophos\Sophos Anti-Virus) and type the following:
This will create a log of infected files, but will not disinfect or delete any infected files. You can then copy the log to a floppy disk for printing or emailing. If you run SAV32CLI without the -P command line parameter, the information on viruses will be written only to the screen.
To disinfect infected items with SAV32CLI, use the '-di' command line parameter.
- If a file is infected more than once (either with different viruses, or several cases of the same virus), you might need to run multiple scans to disinfect all virus infections.
- Do not use the command line parameter '-remove' in the same scan as '-di', as you could delete a file which could have been cleaned.
- If the infection on the computer seems to be progressing rapidly, back up your data to CD or DVD before attempting disinfection.
The '-di' command line parameter will disinfect infected boot sectors, some infected program (.exe) files, and infected documents (e.g. .doc, .xls).
So, if your computer has been infected by a number of viruses, macro viruses, and worms, shut down the infected processes (either manually, or by using safe mode with command prompt), then run a series of scans to disinfect and remove these malicious programs. Make a log of all scans.
SAV32CLI -DI -P=C:\SCANLOG1.TXT
Make a note of the number of files disinfected.
Run the scan again, with a different log name:
SAV32CLI -DI -P=C:\SCANLOG2.TXT
If the number of files disinfected has decreased, run a third scan. If it has not, or the number is '0', remove all other virus files:
SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT
The above scans will disinfect all files that can be disinfected, and remove the rest.
During this process any infected documents will have been disinfected. Check the relevant virus analysis to find out if the virus involved could have corrupted data in the document. If you check the logs, you may well find that some worm or Trojan files were infected with a virus, so they were first disinfected, then removed.
Note: if the number of infected files increases between scans, contact technical support.
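The scan sequence above (two or three '-DI' scans with separate logs, then '-REMOVE' once disinfection has stopped making progress, and stop if infections grow between scans) as a small driver script. This is an added example, not Sophos code; it assumes sav32cli.exe is in the folder the article names, and the two summary-line patterns it reads from the logs are placeholders because the article does not show the log wording. The fake runner lets you dry-run the decision logic without a scan.

```python
"""Drive the disinfect-then-remove scan sequence from this article with
SAV32CLI, keeping one log per scan and applying the article's stopping rules."""
from __future__ import annotations

import re
import subprocess
from pathlib import Path
from typing import Callable, Dict, Iterable, List, Tuple

# Folder the article gives; SAV32CLI must be run from its own folder.
SAV32CLI_DIR = Path(r"C:\Program Files\Sophos\Sophos Anti-Virus")

# ASSUMPTION: the article does not show the log's summary lines, so these
# patterns are placeholders; adjust them to the wording your version writes.
INFECTED_RE = re.compile(r"(\d+)\s+files?\s+infected\b", re.IGNORECASE)
DISINFECTED_RE = re.compile(r"(\d+)\s+files?\s+disinfected\b", re.IGNORECASE)

Runner = Callable[[List[str], Path], str]
Summary = Dict[str, int]


def summarise(log_text: str) -> Summary:
    """Pull the infected / disinfected counters out of one scan log."""
    def first(pattern: "re.Pattern[str]") -> int:
        m = pattern.search(log_text)
        return int(m.group(1)) if m else 0
    return {"infected": first(INFECTED_RE), "disinfected": first(DISINFECTED_RE)}


def run_sav32cli(args: List[str], log_path: Path) -> str:
    """Real runner: invoke sav32cli.exe from its folder, log with -P, return the log."""
    cmd = [str(SAV32CLI_DIR / "sav32cli.exe"), *args, f"-P={log_path}"]
    subprocess.run(cmd, cwd=str(SAV32CLI_DIR), check=False)
    return log_path.read_text(errors="replace")


def fake_runner(logs: Iterable[str]) -> Runner:
    """Test double: hands back constructed log texts in order; no scan happens."""
    queue = iter(logs)
    return lambda args, log_path: next(queue)


def disinfect_then_remove(run: Runner = run_sav32cli,
                          log_dir: Path = Path("C:\\"),
                          max_di_scans: int = 3) -> Tuple[str, List[Tuple[str, Summary]]]:
    """Returns ("removed" | "contact-support", [(scan label, counters), ...])."""
    history: List[Tuple[str, Summary]] = []
    prev = summarise(run(["-DI"], log_dir / "SCANLOG1.TXT"))
    history.append(("-DI #1", prev))
    for n in range(2, max_di_scans + 1):
        cur = summarise(run(["-DI"], log_dir / f"SCANLOG{n}.TXT"))
        history.append((f"-DI #{n}", cur))
        if cur["infected"] > prev["infected"]:
            # Article: infections growing between scans means stop and contact support.
            return "contact-support", history
        if cur["disinfected"] == 0 or cur["disinfected"] >= prev["disinfected"]:
            break  # no further progress: fall through to removal
        prev = cur
    # Disinfection has converged: remove what is left, with its own log.
    history.append(("-REMOVE", summarise(run(["-REMOVE"], log_dir / "REMOVLOG.TXT"))))
    return "removed", history


if __name__ == "__main__":
    # Constructed logs in the assumed summary wording, for a dry run.
    demo = ["6 files infected\n4 files disinfected",
            "2 files infected\n1 file disinfected",
            "1 file infected\n0 files disinfected",
            "1 file infected\n1 file removed"]
    status, hist = disinfect_then_remove(fake_runner(demo))
    for label, counts in hist:
        print(label, counts)
    print(status)
```

To use it against a real machine, call disinfect_then_remove() with no arguments from an elevated prompt (safe mode with command prompt, as the article recommends) after fixing the two summary patterns to match your logs; the per-scan logs stay on disk for the record the article asks you to keep.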
By default, Sophos Anti-Virus checks files that it recognises to be executable files, and files with extensions used by known executable file types.
You can scan all files, and not just executables, with SAV32CLI by using the '-all' command line parameter.
- An 'all files' scan can take considerably longer than an executables only scan.
- You should rarely, if ever, need to remove a non-executable file at a command prompt. A Windows scan should enable you to do this, and is likely to be easier.
- Take care when removing files with an 'all files' scan. You might remove mailboxes with one infected email in them, or archive files containing only one infected file among many others.
You can use the '-cdr' command line parameter to specify the CD drive containing a CD to be scanned. For example, if you use
SAV32CLI will scan for a possible bootable image on a CD in drive D. If an image is found, SAV32CLI will check the boot sector of that image for boot sector viruses. If you also use the '-loopback' parameter, then SAV32CLI will go on to scan the files in that bootable image for executable viruses.
The command line parameter '-idedir' allows you to use an alternative directory, or drive, to specify where virus identity (IDE) files will be. The default directory is the directory with the main virus data in it. This will usually be the directory containing SAV32CLI.EXE.
For example, if you type
then IDE files in the root directory of a floppy disk inserted in the A: drive will be used.
To scan the whole system, just type 'SAV32CLI' and any removal command line parameters. Do not use '*:'.
To scan individual drives use 'SAV32CLI C:' or 'SAV32CLI D:', etc.
For information on using wildcards and exclusions, see the SAV32CLI release notes.
SAV32CLI can abort the scanning of some forms of malicious file that are designed to disrupt the action of anti-virus scanners. These files, sometimes referred to as "zip bombs", usually take the form of innocent looking archive files that, when unpacked in order to be scanned, require enormous amounts of time, disk space, or memory.
The command line option --stop-scan directs SAV32CLI to stop scanning such "zip bombs" when they are detected. For example:
SAV32CLI -archive -all C:\ --stop-scan
scans all objects (files and directories) on the C: drive, scanning inside archive files and stopping the scan when a "zip bomb" is detected.
When a "zip bomb" is detected, a message such as the following is displayed:
Aborted checking C:\misc\b.zip - appears to be a 'zip bomb'
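An archive that SAV32CLI aborted under --stop-scan was not scanned inside, so it needs follow-up. The added script below (not Sophos code) pulls the aborted paths out of a scan log using the message format shown above, and checks an archive's declared expansion ratio from its central directory without extracting anything; the sample log lines and the highly compressible test zip are constructed here, and the 100:1 review threshold is an assumption you should tune.

```python
"""Triage the "zip bomb" abort lines SAV32CLI writes under --stop-scan."""
import io
import re
import zipfile
from pathlib import Path
from typing import List, Optional

# Message format as shown in the article.
ABORT_RE = re.compile(r"^Aborted checking (?P<path>.+?) - appears to be a 'zip bomb'\s*$")

# Constructed sample log: two aborted archives among ordinary scan lines.
SAMPLE_LOG = r"""Scanning C:\misc\a.exe
Aborted checking C:\misc\b.zip - appears to be a 'zip bomb'
Scanning C:\misc\c.doc
Aborted checking D:\archive\big.rar - appears to be a 'zip bomb'
"""

REVIEW_RATIO = 100.0  # ASSUMPTION: declared expansion ratio above which we flag


def aborted_archives(log_lines) -> List[str]:
    """Paths of every archive the scanner gave up on, in log order."""
    found = []
    for line in log_lines:
        m = ABORT_RE.match(line.strip())
        if m:
            found.append(m.group("path"))
    return found


def declared_ratio(zip_bytes: bytes) -> Optional[float]:
    """Uncompressed/compressed size from the zip central directory only.
    Nothing is inflated, so this is safe to run on a suspected bomb.
    Returns None for data that is not a zip archive (e.g. a .rar)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    compressed = sum(i.compress_size for i in infos)
    uncompressed = sum(i.file_size for i in infos)
    return uncompressed / max(compressed, 1)


def needs_review(zip_bytes: bytes, threshold: float = REVIEW_RATIO) -> bool:
    """True when the headers alone already show a suspicious expansion ratio."""
    ratio = declared_ratio(zip_bytes)
    return ratio is not None and ratio >= threshold


def build_compressible_zip(size_mb: int = 4) -> bytes:
    """Constructed fixture: one member of zero bytes, which deflate shrinks ~1000:1."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("filler.bin", b"\0" * (size_mb * 1024 * 1024))
    return buf.getvalue()


def review_file(path: str) -> Optional[bool]:
    """Apply needs_review() to a file on disk; None if it is not a zip."""
    data = Path(path).read_bytes()
    ratio = declared_ratio(data)
    return None if ratio is None else ratio >= REVIEW_RATIO


if __name__ == "__main__":
    for p in aborted_archives(SAMPLE_LOG.splitlines()):
        print("aborted, scan inside incomplete:", p)
    fixture = build_compressible_zip()
    print("fixture declared ratio: %.0f:1, review=%s" % (declared_ratio(fixture), needs_review(fixture)))
```

Two caveats worth knowing: the declared sizes come from the archive's own headers, so a nested bomb (a zip whose members are themselves zips) reports a modest ratio at the outer layer, and a non-zip container such as the .rar in the sample returns None; in both cases the safe next step is to isolate the file rather than to open it.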
You can save time when disinfecting computers by using the 'no confirmation' command line parameter '-nc' in conjunction with '-remove'. This will delete all infected files automatically. However, if you do this, particularly in conjunction with an 'all files' scan using the '-all' command line parameter, you are at risk of losing complete archive files and mailboxes containing only one infected item, and infected documents that could have been cleaned.
Moreover, if many system files on a computer are infected, you could reduce the computer to a state in which data recovery would not be possible without special tools.
Only use the above parameter where you are sure which files and file types on your computer are infected.