You can use the advanced options to gather samples of suspicious files that cannot be gathered whilst running Windows. This can be done as follows:
- Carry out a clean shutdown of the machine.
- Boot from the Sophos Bootable CD.
Applies to the following Sophos product(s) and version(s)
Sophos Bootable Anti-Virus
What To Do
Changing the Keyboard Locale
For UK customers you may want to change the keyboard layout (default is United States layout). To do this:
- Select Keyboard layout.
- From the Keymaps menu select United Kingdom.
- Click Back to main menu.
From the main menu, select the Bash Shell (advanced users only) option. These instructions only copy the sample; they do not delete the original malicious file.
- You will now be presented with the following command prompt:
- From here you want to type, followed by Enter:
- The prompt should now read:
- From here you will need to determine which mounted drive is the location for the file. Type the following and press Enter:
- You should now see a list of mounted drives with names similar to 'sda1' (the numbering may differ). Running the 'mount' command can help you identify which drive holds the Windows installation, for example:
/dev/sda1 on /mnt/dev/sda1 type fuseblk (rw, noatime, allow_other, blksize=4096)
- Type the following to change to the mounted IDE hard drive and press Enter:
- List the contents of the drive with this command and press Enter:
- From here you should recognise the Windows folder structure, you can change the location using the '
- Once you are in the directory where the sample resides, you can copy the file using the 'cp' command:
cp BadFile.sys NewBadFileName.infected
(Give the copy a name that is entirely different from the original, as some malware variants will hide files whose names are too similar to their own.)
- Once the file has been copied, exit SBAV using the 'reboot' command and then send the copied file in for analysis.
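As an added illustration of the copy step above (example code, not part of the Sophos article or the SBAV product), the POSIX shell script below picks a device's mount point out of 'mount' output, copies the sample under a name derived from its SHA-256 hash plus the '.infected' suffix so the copy shares nothing with the original name, and checks that the copy's hash matches before it is submitted. It assumes a POSIX shell with awk, cp and sha256sum; whether the SBAV shell provides sha256sum is an assumption, and the paths in the usage comment are made up.

```shell
#!/bin/sh
# Added example, not Sophos's own code. Assumes a POSIX shell with awk, cp and
# sha256sum available (whether the SBAV shell ships sha256sum is an assumption).

# Constructed sample of a 'mount' line in the form shown in the article.
SAMPLE_MOUNT='/dev/sda1 on /mnt/dev/sda1 type fuseblk (rw, noatime, allow_other, blksize=4096)'

# mount_point_of DEVICE MOUNT_OUTPUT
# Prints the mount point DEVICE is mounted on, parsed from 'mount' output
# (on a live system pass "$(mount)" as the second argument).
mount_point_of() {
    printf '%s\n' "$2" | awk -v dev="$1" '$1 == dev && $2 == "on" { print $3; exit }'
}

# collect_sample SOURCE DEST_DIR
# Copies SOURCE into DEST_DIR as sample_<first 12 hex chars of SHA-256>.infected,
# so the copy's name shares nothing with the original, then confirms the copy's
# hash matches the source. Prints "<sha256>  <destination path>" on success.
collect_sample() {
    src=$1
    dest_dir=$2
    [ -f "$src" ] || { echo "collect_sample: no such file: $src" >&2; return 1; }
    [ -d "$dest_dir" ] || { echo "collect_sample: no such directory: $dest_dir" >&2; return 1; }
    sum=$(sha256sum "$src" | cut -c1-64) || return 1
    dest="$dest_dir/sample_$(printf '%s' "$sum" | cut -c1-12).infected"
    # -p keeps the original timestamps, which analysts use when building a timeline.
    cp -p "$src" "$dest" || return 1
    copy_sum=$(sha256sum "$dest" | cut -c1-64) || return 1
    if [ "$sum" != "$copy_sum" ]; then
        echo "collect_sample: hash mismatch after copy" >&2
        return 1
    fi
    printf '%s  %s\n' "$sum" "$dest"
}

# Usage on a live SBAV shell (device, path and file name are hypothetical):
#   mount_point_of /dev/sda1 "$(mount)"
#   cd /mnt/dev/sda1/Windows/System32/drivers
#   collect_sample BadFile.sys /tmp
```

The printed hash gives you a value to quote when submitting the sample, and the hash check after the copy catches a truncated or altered copy before the machine is rebooted and the evidence is gone.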