Sophos Diagnostic Utility (SDU): Using the malware command line switch

  • Article ID 116537
  • Updated: 30 June 2014

The Sophos Diagnostic Utility (SDU) features a malware switch that collects vital system information that could indicate malware. 

The following instructions describe how to run the tool and send the results to Sophos Technical Support.

Running the Sophos Diagnostic Utility

Note: The malware switch can only be used when the SDU tool is run from a command line.

  1. Download SDU from the links provided in this article.
  2. Locate the download file, double-click it, and complete the installation wizard.
  3. Click on Start | Run | Type: cmd.exe | Press return.
  4. Type the command followed by Enter:
    • 32-bit computer: cd "C:\Program Files\Sophos\Sophos Diagnostic Utility"
    • 64-bit computer: cd "C:\Program Files (x86)\Sophos\Sophos Diagnostic Utility"
  5. Type the command followed by Enter:
    • sducli.exe -malware

Locating the SDU file

Click on Start | Run | Type: %temp%\SDU | Press return. All the Diagnose archives are located in this folder; be sure to use the most recently created file.

Finding malicious samples using the SDU tool

The SDU archive contains multiple XML files and text files to assist with finding malware. 

In addition to the XML and text files, the SDU tool also collects the Sophos Anti-Virus log SAV.txt, which shows all current and previous detections on the computer.

Note: Suspected items of malware should be submitted to the SophosLabs for analysis.

Below is a list of some of the files that are collected by the SDU tool and a brief explanation of what each contains:

Log File                    Description
SAV.txt                     The Sophos log file showing what is detected
REG-Mal-Runkeys.xml         List of common loadpoints for malware
SDU-WMIC-Startup.txt        List of common startup locations and their contents
SDU-WMIC-Process.txt        List of running processes and their path
SDU-Sysinfo-NetStat.xml     List of open ports and the process using it
SDU-WMIC-Startup.txt        List of Windows startup entries
SDU-StartMenu-Startup.xml   Contents of the Windows Start Menu
Host                        The Windows Host file
Networks                    The Windows Networks (LMHost) file

To help identify a malicious program here are some tips:

  • The filename could be randomly generated. Use a search engine to get an idea of legitimacy (e.g. Etbu3fw.exe).
  • The filename is located in an abnormal installation location, possibly the Temp folder (%Temp% which resolves to C:\Documents & Settings\[Username]\Temp).
  • There is no icon on the file, or limited vendor/file information in the file properties.
  • The filename has a reference to security or Windows but is not a recognised application.
  • The SAV.txt shows the file cannot be accessed by SAV.
  • Does this file load on other endpoints in the same way? Check the registry for how the file could be executing.
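The tips above can be applied mechanically to the process and startup entries collected by SDU. The following is an added example, not part of the Sophos article or the SDU tool: it scores constructed (filename, path, vendor) records against four of the tips. The record shape, the vendor list and the name-pattern regex are assumptions; the real SDU-WMIC-Process.txt format is not documented here.

```python
import re

# Constructed sample records (filename, full path, vendor from file properties).
# This shape is an assumption for the example; it is not the layout of the
# SDU-WMIC-Process.txt file, which the article does not document.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\Windows\explorer.exe", "Microsoft Corporation"),
    ("Etbu3fw.exe", r"C:\Documents and Settings\user\Local Settings\Temp\Etbu3fw.exe", ""),
    ("winsecurity.exe", r"C:\Windows\System32\winsecurity.exe", ""),
    ("SavService.exe", r"C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe", "Sophos Limited"),
]

# Vendors whose security/Windows-themed binaries are expected on this estate (assumed list).
KNOWN_VENDORS = {"microsoft corporation", "sophos limited"}
# Name fragments that hint at "security" or "Windows" (assumed pattern for tip 4).
THEMED_NAME = re.compile(r"secur|antivir|defend|win|sys", re.IGNORECASE)


def looks_random(filename):
    """Tip 1: letters mixed with digits, or almost no vowels, e.g. Etbu3fw.exe."""
    stem = filename.rsplit(".", 1)[0]
    has_digit = re.search(r"\d", stem) is not None
    vowel_ratio = sum(c in "aeiouAEIOU" for c in stem) / max(len(stem), 1)
    return has_digit or vowel_ratio < 0.2


def triage(records):
    """Return {filename: [reasons]} for entries matching one or more of the tips."""
    flagged = {}
    for name, path, vendor in records:
        reasons = []
        if looks_random(name):
            reasons.append("random-looking filename")
        if "\\temp\\" in path.lower():          # Tip 2: abnormal install location
            reasons.append("runs from a Temp folder")
        if not vendor.strip():                  # Tip 3: no vendor/file information
            reasons.append("no vendor information")
        if THEMED_NAME.search(name) and vendor.lower() not in KNOWN_VENDORS:  # Tip 4
            reasons.append("security/Windows-themed name from unrecognised vendor")
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_PROCESSES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Flagged entries are candidates for a closer look (and, per the note above, for submission to SophosLabs), not verdicts; a legitimate updater running from Temp will also trip the location check.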

If you need further information or instructions, please contact Technical Support.
