The Sophos Anti-Rootkit (SAR) tool is designed to assist Administrators in quickly establishing if there is a possibility of a rootkit infection on a machine.
Operating System
SAR is supported on the following operating systems:
- Windows 2000 and above.
- Windows XP and above.
- Windows Vista and above.
- Windows 7 and above.
- Windows Server 2003 and above.
- Windows Server 2008 and above.
- The tool is supported on both 32-bit and 64-bit versions of the above Windows OS.
Where to obtain the tool
The tool is available from the following link:
http://downloads.sophos.com/support/cleaners/sar_15_sfx.exe
Note: You should always use the latest copy of the tool.
Using the tool
The tool can be used in two ways:
- Run via the Graphical User Interface (GUI).
- Run via the Command Line Interface (CLI).
Running via the GUI
- Log on to the computer with an administrative account.
- Launch the tool from the Start Menu by going to:
Start | All Programs | Sophos | Sophos Anti-Rootkit | Sophos Anti-Rootkit
Note: If the computer has User Account Control (UAC) enabled then right click on the Sophos Anti-Rootkit shortcut from the Start Menu and select the 'Run as administrator' option.
- Choose to scan the running processes, Windows registry or local hard drives with the tick boxes. If Sophos Anti-Virus is installed on the machine then the extensive scan option can also be chosen.
- To run the scan click on 'Start scan'. The Sophos Anti-Rootkit will scan the system and attempt to find any hidden threats on the machine.
Running from the Command Line
The command line tool can be found in the following folder:
- 32-bit computer:
C:\Program Files\Sophos\Sophos Anti-Rootkit\sarcli.exe
- 64-bit computer:
C:\Program Files (x86)\Sophos\Sophos Anti-Rootkit\sarcli.exe
There are several command line options that can be passed to the command line tool. These are:
| Option | Description |
|---|---|
| -help | Show the help message. |
| -proc | Scan running processes for hidden items. |
| -reg | Scan registry for hidden items. |
| -disk | Scan local hard drives for hidden items. |
| -log="X" | Write scan log to file X (default %TEMP%\sarscan.log). |
| -nolog | Don't write a log file. |
| -silent | Don't produce any screen output. |
| -clean | Clean up all recommended removable items (requires restart). |
| -cleanlog="X" | Write clean up log to file X (default %TEMP%\sarclean.log). |
| -ext | Extensive scan - requires installed Sophos Anti-Virus. |
| -restart | Restart to complete clean up if anything needs to be removed. |
Note:
- The command prompt must be elevated to an administrative level.
- If no areas are specified, all will be scanned; defaults: -proc -reg -disk -log.
- Press the ESC key at any time to stop a scan before it has finished.
Output log from the tool
To access these logs after scanning, as well as the zipped samples of what was found, type the following from either the Windows Run dialog box or the command prompt:
%TEMP%\sarscan.log
%TEMP%\sarclean.log
%TEMP%\samples.sar
Example of use
SAR should be used to find undetected, hidden malware on a computer. Rootkit software could be part of any type of malware due to the multi-component nature of threats that exist today.
The log output (see above) will list any files or registry locations that are detected as hidden, and will also give the option to clean them up. If there are files that look suspicious then you should submit the samples.sar file to Sophos at the link below.
https://secure2.sophos.com/en-us/support/contact-support/sample-submission.aspx
See the table below for a list of common locations for files detected by SAR as well as the actions required.
| Detection Location | Actions |
|---|---|
| Application Data directories | Submit a sample |
| Program Files directories | Submit a sample (unless application is known to create temporary files, e.g. Microsoft Exchange) |
| ProgramData directory | Submit a sample |
| Root of hard drives/partitions | Submit a sample |
| Temporary Internet Files | Unlikely to be malicious, no samples required |
| Windows directory and sub-directories | Submit a sample |
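The following is an added helper, not Sophos code, that ties the command line options above to the location table: it builds the sarcli.exe command with an explicit log path, and classifies hidden-file paths taken from the scan log into the table's locations with the action the table recommends. It assumes the administrator extracts the reported paths from %TEMP%\sarscan.log themselves (the log's line format is not assumed here), and the "Other" fallback for paths outside the table is this example's own choice.

```python
import re
import subprocess

# Location rules from the page's table, as (location, regex on the lowercased path, action).
# Order matters: Temporary Internet Files sits under a user's Application Data folder,
# so it is checked first; the drive-root rule is last because it only matches top-level files.
LOCATION_RULES = [
    ("Temporary Internet Files", r"\\temporary internet files\\",
     "Unlikely to be malicious, no samples required"),
    ("Application Data directories", r"\\(application data|appdata)\\", "Submit a sample"),
    ("ProgramData directory", r"^[a-z]:\\programdata\\", "Submit a sample"),
    ("Program Files directories", r"^[a-z]:\\program files( \(x86\))?\\",
     "Submit a sample (unless application is known to create temporary files, e.g. Microsoft Exchange)"),
    ("Windows directory and sub-directories", r"^[a-z]:\\windows\\", "Submit a sample"),
    ("Root of hard drives/partitions", r"^[a-z]:\\[^\\]+$", "Submit a sample"),
]


def triage(path):
    """Return (location, action) for one path reported as hidden by sarcli.exe."""
    lowered = path.lower()
    for location, pattern, action in LOCATION_RULES:
        if re.search(pattern, lowered):
            return location, action
    # Not covered by the table (assumption): leave the decision to the administrator.
    return "Other", "Not in the location table; review manually and submit a sample if suspicious"


def triage_report(paths):
    """Classify every reported path; returns a list of (path, location, action)."""
    return [(p, *triage(p)) for p in paths]


def build_sarcli_command(sarcli_path, log_path, areas=("-proc", "-reg", "-disk")):
    """Build the documented command line: scan the chosen areas silently and log to log_path."""
    return f'"{sarcli_path}" {" ".join(areas)} -silent -log="{log_path}"'


def run_scan(sarcli_path, log_path):
    """Run the scan from an elevated prompt on Windows; the string is passed verbatim to CreateProcess."""
    return subprocess.run(build_sarcli_command(sarcli_path, log_path), check=False).returncode


if __name__ == "__main__":
    # Constructed sample paths, not real scan output.
    for entry in triage_report([r"C:\Windows\System32\drivers\hidden.sys", r"C:\hidden.sys"]):
        print(entry)
```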