What is the Sophos Bootable Anti-Virus (SBAV) tool?
This is a tool designed to assist Administrators by allowing the scanning of a system while the operating system on the drive is not active.
Watch the video
How to use the tool
Note: The Sophos Bootable Anti-Virus tool cannot be used on computers with RAID configurations. Use SAV32CLI instead.
Obtaining and preparing the tool
To download the tool and create the CD see article 52011.
Running the tool on the infected computer
- Go to the infected computer, and restart it using Start | Shut Down | Restart.
Important Note: If you cannot shut the computer down using the Windows Shut Down options, try another method of shutting it down. SBAV was designed to run when a computer is shut down normally. If you continue to use SBAV on a computer that was not shut down properly, you risk corrupting the hard disk. For more information about this, refer to the knowledgebase article 52072 I cannot shut down Windows properly.
- When the computer boots up, the BIOS will indicate a key to press to enter the Boot menu (such as ESC, F8 or F12). As soon as you see the message press the key.
- Insert the CD into the CD or DVD drive of the infected computer.
- In the list of boot options, select the CD/DVD ROM drive and then press Enter. The SBAV CD will show its progress on the screen. The SBAV Main Menu will load after a couple of minutes.
- Choose one of the following options:
|Sophos recommended scans: ||Sophos advanced scans: |
| Rename viruses (not advised) ||Disinfect viruses (recommended) |
| Scan for viruses (detect only) ||Delete viruses (DO NOT USE without contacting technical support) |
- If this is the first scan of SBAV please run a disinfect scan to ensure that all compromised files are disinfected. If any files fail to disinfect, please run a ‘delete viruses’ scan to remove them. If you are unsure of how to interpret the scan results, please contact Sophos Technical Support before running a delete or rename scan. Note a delete or rename scan may lead to the removal of system critical files that could cause the machine to be unstable if done incorrectly.
- Select the required option and then press Enter. SBAV will begin scanning the computer and will display its progress on-screen. N.B. To stop scanning, press Ctrl+C. · The scan is configured to go into screensaver mode after about 15 minutes. While the scan continues in screensaver mode, the screen will go blank. Press any key or move the mouse to cancel the screensaver mode.
· Long filenames (longer than one line across the screen) may continue to be displayed in the scan display. This is not a problem.
- When the scan completes, SBAV will show the actions it has taken. If you require more information about the results, please contact Sophos Technical Support.
- To return to Windows, from the Sophos Main Menu, select Reboot system. During the shutdown procedure, the CD drive will open momentarily, allowing you to remove it from the drive. The system will then reboot to Windows.
Examples of use
Scenario A: Operating System files have been compromised, unable to clean from Windows.
In this scenario Sophos Anti-virus has detected the virus and attempted cleanup but the machine (disconnected from the network) continues to become infected. The virus has managed to infect the machine and compromise legitimate operating system and application files which cannot be cleaned whilst running from within Windows. Use Sophos Bootable Anti-Virus with the disinfect option to clean the machine.
The scan completes and after running a second disinfect scan no further files are detected. The system is now clean, so reboot back into Windows and monitor it.
Scenario B: Infected Master Boot Record (MBR)
In this scenario Sophos Anti-Virus has detected malware that has infected the Master Boot Record (it can be identified by the detection name containing the word “MBR”). The MBR cannot be disinfected from within Windows as the virus responsible will be monitoring it. You must reboot into Sophos Bootable Anti-Virus and run a disinfect scan.
Once the scan has completed and disinfected the MBR, run a detect only scan to ensure that cleanup was successful and that no other infected files exist. If clean, reboot back into Windows and monitor.