What is the Source Of Infection tool?
This is a tool designed to assist Administrators in finding the source of malicious files being written to certain machines on the network.
This article describes how to use the Source of Infection tool.
NOTE: The tool is not supported on machines with another anti-virus product running.
Supported operating systems
Version 2.0 of the tool supports both 32-bit and 64-bit versions of the following Windows operating systems:
- Windows XP SP2+
- Windows Server 2003 SP1+
- Windows Vista SP0+
- Windows 7 SP0+
- Windows 8
- Windows 2008 SP0+
- Windows 2008 R2 SP0+
- Windows 2012
Using the tool
Where to obtain the tool
Download the tool from http://downloads.sophos.com/tools/SourceOfInfection.exe. Ensure that you use the latest version.
NOTE: The source of infection tool has been updated to version 2.0.
How to run the tool
The tool must be run as an administrator. On Windows Vista and later, with UAC, the tool must be run from the Administrator (elevated) command prompt. The tool is supported on a machine without an antivirus product running, or on a machine with Sophos Anti-Virus running.
Command options for the tool
The tool is run with the following options:
-process or -p: record processes only (do not record remote writes)
-network or -n: record remote (network) writes only (do not record processes)
-area <folder> or -a <folder>: restrict recording to accessed files in the given folder
-ext <extension> (may be repeated): restrict recording to given extensions (New to version 2.0)
-loglevel <level> or -ll <level>: trace level (1: all, 2: errors, 3: none)
-logsize <size> or -ls <size>: maximum log size (in MB), 0 - unlimited
-logfolder <folder> or -lf <folder>: redirects the logs to the given folder (New to version 2.0)
-timeout <sec> or -t <sec>: capture timeout (between 1 and 86400 sec; 0 - unlimited)
-runonly or -ro: just run, don't install or uninstall driver
-installdriver or -id: don't run (just install driver to run at boot-up)
-uninstalldriver or -ud: don't run (just uninstall driver)
-help or -h: displays this help
Notes on options new to version 2.0.0
Option -ext lets you filter which file extensions are recorded; if it is omitted from the command line, the tool records all dropped files. The option can be used multiple times with a cumulative effect, allowing you to record several extensions if required.
Option -lf allows you to log to an alternate directory; the Windows account that launches the tool must be able to write to that location.
Notes on options covering all versions
Options -p and -n are mutually exclusive: -n is for tracking network-dropping malware and -p is for identifying locally hidden malware. Using the -a option can be useful to filter out unnecessary events if the administrator knows the path where the malicious file is expected to appear.
The area filter can only be used once per run of the tool. The log level values are 1: log all information (verbose); 2: log important information only (default); 3: no logging. The log size option affects writing to Soi.log; if used, the log file will grow to a maximum of the set value (in MB). If one of the log files grows over the specified limit, it is backed up and re-created. (One previous backup is preserved.) If the option is not specified, or -ls = 0, the log size is "unlimited" (default).
Options -h, -id and -ud, if present, must be used alone. After the tool is run (except with the -h option), it collects information until it is interrupted by pressing Ctrl-C.
Output logs from the tool
The tool generates two files in the temp directory of the logged-on user by default, as defined by the environment variable %temp% (Start | Run | type %temp% | press Return):
Source of Infection Log.csv: This file contains records about the events noted above. If a process has written the file, it records the date/time, the full file path, and the full process executable path. If the file has been written remotely, it records the date/time, the full file path and the remote machine name or IP address (if known).
Source of Infection Trace.txt: This is the tool's own log. Normally it records the tool's startup and shutdown and any errors, but the tool can be run in such a way that a lot of other information is logged. (This information can be used to debug the tool itself.)
The .csv file can be imported into Microsoft Excel and analysed there if necessary.
Examples of use
Scenario A: File dropped into a network share/Machine connected to the network
In this scenario the malicious file is dropped from a source machine onto the machine under investigation. Please note that a file can only be dropped into a shared directory or one of its sub-directories; however, most Windows machines have an administrative share (C$) which allows access to the entire drive.
Having identified, using Sophos Anti-Virus, the shared location that the malicious files are being dropped into, the Sophos Source of Infection Tool can then be used to find the infected host. To do this use the network (-n) and area (-a) switches. See the example below:
SourceofInfection.exe -n -a "c:\sharedfolder"
The Source of Infection Tool will then log all new or modified files within the sharedfolder directory (the share). Open the log file "Source of Infection Log.csv"; once the malicious files have been identified in the log file, logging can be stopped by pressing Ctrl-C. Here is an example of a "Source of Infection Log.csv":
Date/Time,File path,Process/Network,Process path/Machine name
This means that the file autorun.inf was dropped via the network from IP address 172.16.100.184 at 12:20pm
NOTE: Confirmation of whether a machine is being reinfected locally or across the network can be obtained by isolating the machine. If the malicious files do not return whilst the machine is isolated, this confirms that the malware spreads via the network. If the malicious files do return whilst the machine is isolated, please see Scenario B below.
Scenario B: File dropped into a local folder/Machine isolated from network
In this scenario the malicious file is dropped by a local process on the machine.
Having identified, using Sophos Anti-Virus, the location that the malicious file is being dropped into, the Sophos Source of Infection Tool can then be used to find the infecting process. To do this use the process (-p) and area (-a) switches. See the example below:
SourceofInfection.exe -p -a "C:\Documents and settings\Administrator\Local Settings\Temp"
The Source of Infection Tool will then log all new or modified files within the chosen directory. Await the return of the malicious file, press Ctrl-C to stop the tool and then open the log file "Source of Infection Log.csv" to identify the infection source. Here is an example of a "Source of Infection Log.csv":
Date/Time,File path,Process/Network,Process path/Machine name
"2010/07/15 12:32:55","C:\Documents and Settings\Administrator\Local Settings\Temp\5541syrty.exe","Process","C:\WINDOWS\svvvvhost.exe"
This shows that the file 5541syrty.exe was dropped by a process called svvvvhost.exe into the Temp directory, therefore a sample of svvvvhost.exe should be submitted.
Scenario C: Unknown or constantly changing drop location
There are very few situations where this should be needed, because malware is generally very logical and therefore the location it writes to can be identified.
If you have to log all files, then simply run the tool with no additional switches.
You should be aware that under normal operating conditions many files are created and modified by the operating system and other applications, so without a precise location the log will contain many entries that are of no interest.