The Sophos Malware Remediation Tool (SMaRT) provides a detailed step-through process for cleaning up malware infections on Windows 2000 and above. Details are in knowledgebase article 116418.
How to remove infected executables, according to operating system:
1. Using Enterprise Console
2. Windows 95/98
3. Mac OS X computers
4. NetWare
5. Linux
6. UNIX
7. OpenVMS
1. Using Enterprise Console
You can remove infected executable files over a network using Enterprise Console.
2. Windows 95/98
To remove an infected executable file:
- Check the threat analysis for details on the virus and its removal.
- Back up any important data on the hard drive.
- Close down all programs.
- Go to Start|Programs|Sophos Anti-Virus and run the Sophos Anti-Virus program.
- Select the Immediate tab.
- Go to Options|Configuration... select the Action tab, select 'Infected files', select 'Move', then click 'OK'.
- Click the Go button on the toolbar to start the scan.
- Make a note of the infected files from the on-screen log.
- Delete the files. Run another scan for viruses. Replace the files with 'clean' versions from the original installation media or a clean PC.
- Go to Options|Configuration... select the Action tab, uncheck 'Infected files', deselect 'Move', then click 'OK'.
If the virus is memory resident or the files cannot be removed because they are held open by the operating system:
3. Mac OS X computers
To remove an infected executable file:
- Check the threat analysis for details on the virus and its removal.
- Close down all programs.
- Run the Sophos Anti-Virus program.
- Click the green 'Play' arrow button.
- Make a note of the infected files.
- Go to 'Sophos Anti-Virus preferences'.
- Choose 'Disinfection' from the 'Immediate Mode' menu.
- Select 'Infected Files' and 'Delete'.
- Close 'Sophos Anti-Virus preferences'.
- Click the green 'Play' arrow button.
- Click 'OK' when asked if files should be deleted.
- Run another scan to ensure that the executable has been removed.
- Go back to 'Disinfection' and deselect 'Infected Files' and 'Delete'.
- Replace the files with 'clean' versions from the original installation media or a clean Macintosh.
- If problems persist, contact support.
4. NetWare
Infected executables can be quarantined, renamed (so they cannot be executed), deleted, purged, or copied with non-executable filenames.
Note: This method of removal will also apply to documents infected with macro viruses.
- Check the threat analysis for details on the virus and its removal.
- Run a scan to locate all the infected executables and make a note of them.
- Choose your preferred method of removal in the 'Removal mode' option of the Immediate Mode menu.
- Delete the infected files and restore them from the original installation media or a backup.
5. Linux
- Check the threat analysis for details on the virus and its removal.
- Run a scan to locate all the infected executables and make a note of them.
- Use savscan with the -remove option:
    savscan -remove
- Run a scan to check that all files were deleted. Replace them with 'clean' versions from the original installation media or a clean computer.
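The Linux steps above ask you to note the infected files and later replace them with clean versions. The following is an added example, not part of the original article or of Sophos's tooling: it turns a saved scan log into that list and checks each path against a SHA-256 manifest made on a clean computer. The log line format, the file names and the manifest are assumptions.

```shell
#!/bin/sh
# Added example (not Sophos code). Assumes a saved scan log that reports
# detections as:  >>> Virus 'NAME' found in file /path
# and a manifest made with `sha256sum` on a clean computer.

# The "make a note of them" step: one infected path per line, de-duplicated.
infected_paths() {
    sed -n "s/^>>> Virus '.*' found in file \(.*\)\$/\1/p" "$1" | sort -u
}

# Known-good hash for path $2 from manifest $1 (sha256sum format:
# 64 hex digits, two separator characters, path). Empty if not listed.
good_hash() {
    P="$2" awk 'substr($0, 67) == ENVIRON["P"] { print substr($0, 1, 64); exit }' "$1"
}

# Classify every noted path after removal and restore.
# $1 = list from infected_paths, $2 = known-good manifest.
# Returns 0 only when every path exists and matches the manifest.
verify_restored() {
    rc=0
    while IFS= read -r f; do
        want=$(good_hash "$2" "$f")
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"; rc=1          # removed, not yet replaced
        elif [ -z "$want" ]; then
            echo "UNKNOWN  $f"; rc=1          # no clean reference to compare
        elif [ "$(sha256sum < "$f" | cut -c1-64)" = "$want" ]; then
            echo "CLEAN    $f"
        else
            echo "MISMATCH $f"; rc=1          # present but not the clean copy
        fi
    done < "$1"
    return "$rc"
}

# Constructed demo: a.bin restored correctly, b.bin removed but never replaced.
demo() {
    d=$(mktemp -d) || return 2
    printf 'clean a\n' > "$d/a.bin"; printf 'clean b\n' > "$d/b.bin"
    sha256sum "$d/a.bin" "$d/b.bin" > "$d/good.sha256"
    rm "$d/b.bin"
    printf ">>> Virus 'Constructed-Sample' found in file %s\n" \
        "$d/a.bin" "$d/b.bin" "$d/a.bin" > "$d/scan.log"
    infected_paths "$d/scan.log" > "$d/noted.txt"
    verify_restored "$d/noted.txt" "$d/good.sha256"; status=$?
    rm -rf "$d"; return "$status"
}
demo || echo "cleanup incomplete: restore the files listed above"
```

A non-zero return from `verify_restored` means at least one noted file is still missing, has no clean reference, or does not match the clean copy.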
6. UNIX
- Check the threat analysis for details on the virus and its removal.
- Run a scan to locate all the infected executables and make a note of them.
- Use SWEEP with the -remove option:
    sweep -remove
- Run a scan to check that all infected files were deleted. Replace them with 'clean' versions from the original installation media or a clean computer.
7. OpenVMS
- Check the threat analysis for details on the virus and its removal.
- Run VSWEEP from DCL using the command line qualifier '/VF' to write the names of any infected files to the file SWEEP.VIR.
- Use SWEEP.VIR to identify infected executables for replacement.
- Delete the infected executables, either by using the DCL command DELETE/ERASE, or by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.
- Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.
- Restore the deleted executables from the originals or from sound backups.
For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus for OpenVMS manual.