Sophos Bootable Anti-Virus: Gathering samples

  • Article ID: 53417
  • Updated: 26 Jun 2014

You can use the advanced options to gather samples of suspicious files that cannot be gathered whilst running Windows. This can be done as follows:

  • Carry out a clean shutdown of the machine.
  • Boot from the Sophos Bootable CD.

Applies to the following Sophos product(s) and version(s)

Sophos Bootable Anti-Virus

What To Do

Changing the Keyboard Locale

If you are a UK customer, you may want to change the keyboard layout (the default is the United States layout). To do this:

  • Select Keyboard layout.
  • From the Keymaps menu select United Kingdom.
  • Click Back to main menu.

Gathering Samples

From the main menu, select the Bash Shell (advanced users only) option. These instructions do not delete the original malicious file.

  1. You will now be presented with the following command prompt:
  2. From here, type the following and press Enter:
    cd /mnt/dev
  3. The prompt should now read:
  4. From here you need to determine which mounted drive holds the file. Type the following and press Enter:
  5. You should now see a list of mounted drives with names similar to 'sda1' (the numbering may differ). Running the 'mount' command may help you determine which drive to navigate to, for example:
    /dev/sda1 on /mnt/dev/sda1 type fuseblk (rw,noatime,allow_other,blksize=4096)
  6. Type the following to change to the mounted IDE hard drive (the path is relative to /mnt/dev), then press Enter:
    cd sda1
  7. List the contents of the drive with this command and press Enter:
  8. From here you should recognise the Windows folder structure; you can change location with the 'cd' command, for example:
    cd Windows/Temp
  9. Once you are in the directory where the sample resides, copy the file with the 'cp' command:
    cp BadFile.sys NewBadFileName.infected
    (The destination file name should follow an entirely different naming convention, because some malware variants hide files whose names are too similar to the original.)
  10. Once the file has been copied, exit SBAV with the 'reboot' command and then send the copied file in for analysis.
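As an added example that is not part of the Sophos article, the following shell helpers automate steps 4 to 9 from within the SBAV bash shell: find the mounted volume that contains a Windows folder, copy the sample under an unrelated, hash-derived name, and verify that the copy matches the original. The /mnt/dev layout is the one the article describes; the function names and the samples.sha256 record are assumptions of this example.

```shell
#!/bin/sh
# Added example, not a Sophos script. Assumes the SBAV layout described
# above: fixed disks are mounted under /mnt/dev/sdXN.

# List volumes under $1 (default /mnt/dev) that contain a Windows folder.
find_windows_volumes() {
    root="${1:-/mnt/dev}"
    for vol in "$root"/*/; do
        vol="${vol%/}"
        [ -d "$vol/Windows" ] && printf '%s\n' "$vol"
    done
    return 0
}

# Copy a suspect file ($1) into directory $2 under a name derived from its
# SHA-256 hash, so the copy shares nothing with the original file name.
# The copy is verified by re-hashing and a provenance line is recorded.
# Prints the path of the copy on success.
collect_sample() {
    src="$1"; destdir="$2"
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    mkdir -p "$destdir" || return 1
    hash=$(sha256sum "$src" | cut -c1-64)
    dest="$destdir/sample-$(printf '%s' "$hash" | cut -c1-12).infected"
    cp "$src" "$dest" || return 1
    copyhash=$(sha256sum "$dest" | cut -c1-64)
    [ "$hash" = "$copyhash" ] || { echo "copy verification failed" >&2; return 1; }
    # Record hash, copy path and original path for the analyst (assumed file name).
    printf '%s  %s  (original: %s)\n' "$hash" "$dest" "$src" >> "$destdir/samples.sha256"
    printf '%s\n' "$dest"
}
```

Run `collect_sample /mnt/dev/sda1/Windows/Temp/BadFile.sys /mnt/dev/sda1/samples` from the SBAV shell; the copy and the samples.sha256 record are then available from Windows after the reboot.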

If you need more information or guidance, then please contact technical support.
