How to: Run the Source of Infection (SOI) on a remote computer

  • Article ID: 117823
  • Updated: 27 Feb 2013

When advised to run the Source of Infection (SOI) tool, there may be circumstances where running it remotely is necessary. The steps below outline how this can be done using the Microsoft Task Scheduler (schtasks).

This article does not cover the general use of the SOI tool, which is described in article 111505.

Known to apply to the following Sophos product(s) and version(s)

Source of Infection

Operating systems
Windows 2000 SP4+

What To Do

Setup

  1. Connect to the C$ share on the machine that will run the SOI tool.
  2. Create a folder called SOI.
  3. Save sourceofinfection.exe into the folder.
  4. Open a command prompt.
  5. Enter the command from the required section below, making changes as needed:

Network file monitoring

schtasks /create /s client /u domainname\administrator /p password /ru system /sc once /st 00:00:00 /tn "Sophos SOI net" /tr "C:\SOI\SourceOfInfection.exe -n -logfolder C:\SOI" /F /V1

The host name (client), the credentials (domainname\administrator and password) and the C:\SOI paths will need to be edited as required for your system.


Process file monitoring

schtasks /create /s client /u domainname\administrator /p password /ru system /sc once /st 00:00:00 /tn "Sophos SOI proc" /tr "C:\SOI\SourceOfInfection.exe -p -logfolder C:\SOI" /F /V1

The host name (client), the credentials (domainname\administrator and password) and the C:\SOI paths will need to be edited as required for your system.

Where:


Further information

More information on using schtasks can be found in the following Microsoft article:
http://technet.microsoft.com/en-us/library/cc725744(v=es.10).aspx#BKMK_sys_perms

This tool is part of the Sophos Malware Remediation Toolkit (SMaRT). More information on this can be found in the following:
http://www.sophos.com/en-us/support/knowledgebase/116418.aspx


Limitations

Using these steps will result in the SOI tool running until the machine is rebooted or the task is stopped. This could result in large log files being created on the machine. Placing the -logsize switch before the -logfolder switch limits the size of the log.

This method of deployment relies on the Windows Task Scheduler service on the endpoint, so the service must be running or able to start. Certain group policies can also prevent the task from being created. If there are any issues creating a remote scheduled task, double-check that the correct switches have been used and that scheduled tasks can be created locally on that machine.

An alternative method of deployment is PsExec from Microsoft. This tool can be used to execute programs remotely, but note that it is blocked by Sophos as a Potentially Unwanted Application (PUA) by default, so it may need to be authorized first.
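The following PowerShell script is an added example, not part of this article or of the SOI tool itself. It wraps the two schtasks commands from the setup section and the stop/clean-up step implied by the Limitations section into two functions. The function and parameter names (Start-RemoteSoi, Stop-RemoteSoi, -Client, -Mode, -LogSize) are this example's own; it assumes sourceofinfection.exe has already been copied to C:\SOI on the client, and passes any -LogSize value through to the tool verbatim because this page does not state the unit that switch accepts.

```powershell
# Added example (not from the Sophos article). Creates, verifies, stops and
# deletes the remote "Sophos SOI net" / "Sophos SOI proc" task using the same
# schtasks switches shown in the article.

function Start-RemoteSoi {
    param(
        [Parameter(Mandatory)] [string] $Client,           # remote host, e.g. PC01 (placeholder)
        [Parameter(Mandatory)] [string] $User,             # e.g. domainname\administrator
        [string] $Password,                                # omit to let schtasks prompt instead
        [ValidateSet('net', 'proc')] [string] $Mode = 'net',
        [string] $LogFolder = 'C:\SOI',                    # path on the client, as in the article
        [string] $LogSize   = ''                           # value for -logsize; unit per article 111505
    )

    $toolSwitch = if ($Mode -eq 'net') { '-n' } else { '-p' }
    $taskName   = "Sophos SOI $Mode"

    # Build the /tr argument. -logsize must come before -logfolder (see Limitations).
    $tr = "C:\SOI\SourceOfInfection.exe $toolSwitch"
    if ($LogSize) { $tr += " -logsize $LogSize" }
    $tr += " -logfolder $LogFolder"

    # Credentials for the remote connection. If -Password is not supplied, /p is
    # left out so schtasks prompts for it rather than leaving it in the command
    # line and console history.
    $conn = @('/s', $Client, '/u', $User)
    if ($Password) { $conn += @('/p', $Password) }

    # /ru system runs the tool as SYSTEM; /sc once with /st 00:00 gives a one-off
    # task; /F overwrites an existing task of the same name; /V1 matches the article.
    & schtasks.exe /create @conn /ru system /sc once /st 00:00 `
        /tn $taskName /tr $tr /F /V1
    if ($LASTEXITCODE -ne 0) {
        throw "schtasks /create failed with exit code $LASTEXITCODE on $Client"
    }

    # Confirm the task was created and show its status/next run time.
    & schtasks.exe /query @conn /tn $taskName /v /fo LIST
}

function Stop-RemoteSoi {
    param(
        [Parameter(Mandatory)] [string] $Client,
        [Parameter(Mandatory)] [string] $User,
        [string] $Password,
        [ValidateSet('net', 'proc')] [string] $Mode = 'net'
    )

    $taskName = "Sophos SOI $Mode"
    $conn = @('/s', $Client, '/u', $User)
    if ($Password) { $conn += @('/p', $Password) }

    # /end terminates the running SourceOfInfection.exe so the log stops growing;
    # /delete /F removes the task so it cannot run again.
    & schtasks.exe /end @conn /tn $taskName
    & schtasks.exe /delete @conn /tn $taskName /F
}

# Usage (placeholders): start network file monitoring, later stop and remove it.
# Start-RemoteSoi -Client PC01 -User 'domainname\administrator' -Mode net -LogSize 50
# Stop-RemoteSoi  -Client PC01 -User 'domainname\administrator' -Mode net
```

The argument arrays are splatted to schtasks.exe so the optional /p switch is included only when a password is given; PowerShell quotes the /tn and /tr values that contain spaces automatically. Run Stop-RemoteSoi once the log has been collected, since the article notes the tool otherwise keeps running until the machine reboots.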

If you need more information or guidance, then please contact technical support.
