Removing malicious files with SAV32CLI

  • N.º del artículo: 13251
  • Actualizado: 14 jul 2014

This article explains how to remove malicious files with the Sophos Anti-Virus 32-bit command line interface (SAV32CLI) on Windows. To maximize the success of removing malware the process involves rebooting into a low-level diagnostic mode that does not require the full operating system to be running (safe mode).

Important:

  • Before reading this article familiarize yourself with what SAV32CLI is and how to launch the basic program by reading article 10069.

Applies to the following Sophos product(s) and version(s)

Sophos Endpoint Security and Control

What To Do

1. Back up important data

If the infected computer has valuable data on it, back up the data to CD or DVD or a USB device before removing any malicious software. The infection might deteriorate to a point where you could no longer access the operating system, or you may damage the computer during disinfection.  Ensure any back ups are fully scanned by Sophos Anti-Virus to ensure no malware is contained within them.

2a. Ensure your SAV32CLI is up to date

To ensure SAV32CLI is up to date with the latest threat identity files you must ensure your local copy of SAV for Windows is up to date.

  1. From the computer's desktop right-click the Sophos shield in the bottom right corner and select 'Open Sophos Endpoint Security & Control'.
    If a User Account Control prompt appears select 'Yes' to open the program.
  2. From the left hand 'Status' panel ensure the 'Last updated' date is recent.

If the date shown is recent and you intend to scan the computer using the locally installed copy of Sophos Anti-Virus skip to section three. 

If the date shown is not recent, the latest detection and cleanup information will not be available during a scan, hence it is important to resolve any problems with the installation before continuing.  If the installation has not been updated/able to update for some time, or the installed program is not functioning correctly, we recommend running SAV32CLI from a CD-ROM, or similar write-protected media, that has been obtained from the installation of SAV for Windows running on an uninfected computer - see section 2b.

2b. Obtain a copy of SAV32CLI from an up-to-date computer

Note:  If the locally installed copy of Sophos Anti-Virus for Windows is up-to-date, and you intend to run a scan using the locally installed copy, you do not need to run SAV32CLI from an external media.  Ensure you have followed section 2a above and then move on to section three.

To obtain a copy of the SAV32CLI program you need to have available another computer which is not infected with malware and running an up-to-date copy of Sophos Anti-Virus for Windows.  The process involves copying the Sophos Ant-Virus folder from the other computer to write-protected media.  Therefore you will need either:

  • a blank CD-R disc and the other, up-to-date, computer to have the ability to write ('burn') a CD-R.  The infected computer will also need a CD-ROM or DVD drive to read the disc.

    Or...

  • an external storage device, such as a USB thumb drive or memory card.  This should have the ability to be write-protected so that when inserted into the infected computer no additional files can be written to it.  Some USB thumb drives offer a write-protection switch as do many SD cards (example of SD card protection).  Warning: If a write-protection option is not available malicious files from the infected computer could be written or transferred to the drive when it is inserted into that computer. If the drive is then inserted into another computer the malware could then be transferred to that computer and hence the infection could spread.

To obtain a copy of SAV32CLI:

  1. Move to the uninfected, up-to-date, Windows computer.
  2. Insert your chosen external media (CD-R, USB drive/memory card, etc).
  3. Copy the C:\Program Files (x86)\Sophos\Sophos Anti-Virus\ folder to the root (top-level) of the media (Note: 'Program Files (x86)' will be 'Program Files' for 32-bit computers).
  4. Burn the CD-R (using your normal method) or eject the USB drive/memory card.
  5. If you are not using a CD-R set the write-protection switch on the USB drive or memory card.  If the drive does not have a write-protection option we do not recommend it be used.  However for emergency situations you may decide to proceed.  In these cases do not trust the card after removal from the infected computer.  The card should be fully formatted after removal and scanned by Sophos Anti-Virus from a suitable computer (e.g., a Mac or Linux computer that cannot be infected with malware designed for Windows, or from a Windows computer that is disconnected from your network and configured for best protection).  In all cases the computer used to scan the drive should have an up-to-date copy of Sophos Anti-Virus installed, be fully patched regarding operating system updates, and contain no valuable data/information that is not fully backed up to an external source.

3. Disable all network connections

Unplug the network cable from the computer and/or switch off the WiFi connection.

4. Reboot in safe mode

It is possible to run SAV32CLI from an administrator command prompt from the desktop of your computer while it is booted up in the normal way...

However we recommend rebooting the computer into safe mode to minimize the chance of any malware present on your computer from being allowed to run and hence increase the chances of the malware being removed.

To enter safe mode you need to switch off your computer, switch it back on, and in the first moments of life tap F8 which will show a screen titled 'Windows Error Recovery' and a selection of boot methods.  From the menu, using the arrow keys on the keyboard, select 'Safe Mode' and press enter. For further information see article 21486.

Note: Since SAV32CLI is only a command line program 'Safe Mode with Command Prompt' is all that is required.  Selecting 'Safe Mode', which loads a basic graphical desktop, is acceptable but you must then open a command prompt to run the program, however 'Safe Mode' does provide a familiar method of file and folder navigation as Windows Explorer is available.

5. Run SAV32CLI in safe mode

Based on your decision from section two above you may be running SAV32CLI from the local installation or from write-protected media.  Follow the set of steps below depending on your decision.  If you have loaded a graphical desktop open a command prompt from the menu.  Example:

5a. Run SAV32CLI from the installed copy of SAV for Windows

From the command prompt:

  1. Changed directory to the folder containing the SAV32CLI program:
    • 32-bit computer: cd C:\Program Files\Sophos\Sophos Anti-Virus\
    • 64-bit computer: cd C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
  2. Type the following command:
    sav32cli.exe -remove -p=C:\sav32cliscan.txt

    If the command prompt shows "'sav32cli.exe' is not recognized..." you are not currently in the folder containing the program. Go back and review step one above.  The command above will scan and remove files but for further scan options see article 13252.

  3. During the scan press the keyboard key Y (for Yes) if/when asked to remove a malicious file.

5b. Run SAV32CLI from write-protected media

Insert the CD-ROM, or USB pen drive/memory card into the computer and then from the command prompt:

  1. Change the drive letter to the one associated with the CD-ROM or drive containing the copy of SAV32CLI.  Open Windows Explorer and check drive letter shown there if required.


    For example to change to the E drive type E: (only the letter and colon) then press enter.


  2. Once the correct drive has been selected change directory to the folder containing the SAV32CLI program.  If you have followed section 2b above, you will have a folder called 'Sophos Anti-Virus' at the top level of the drive.  Therefore type cd Sophos Anti-Virus to enter that folder. Example of a Sophos Anti-Virus folder at the top level of a USB drive as shown in Windows Explorer in safe mode:


  3. Type the following command:
    sav32cli.exe -remove -p=C:\sav32cliscan.txt

    If the command prompt shows "'sav32cli.exe' is not recognized..." you are not currently in the folder containing the program.  Go back and review steps one and two above.  The command above will scan and remove files but for further scan options see article 13252.

  4. During the scan press the keyboard key Y (for Yes) if/when asked to remove a malicious file.

6. Additional instructions for manual cleanup

Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions. (To open the Registry Editor click the 'Start' button and type 'regedit' into the program search field which appears just above it).  Read the warning about editing the registry before making any changes.

If problems persist on the infected computer, read the troubleshooting article on removing problem files.

Related articles

 
Si necesita más ayuda, póngase en contacto con soporte técnico.

Valore el artículo

Muy malo Excelente

Comentarios