How to disinfect Macro viruses

  • Article ID: 112956
  • Updated: 19 Dec 2011
The Sophos Malware Remediation Tool (SMaRT) provides a detailed step-through process for cleaning up malware infections on Windows 2000 and above. See knowledgebase article 116418 for details.

The article below describes how to disinfect macro viruses across the Sophos product range.

For more general information, refer to

1. Using Enterprise Console/Enterprise Manager
2. Sophos Anti-Virus for Windows, version 7
3. Mac OS X computers
4. NetWare computers
5. Linux computers
6. UNIX computers
7. OpenVMS computers

1. Using Enterprise Console/Enterprise Manager 

You can disinfect macro viruses over a network using Enterprise Console or Enterprise Manager.

2. Disinfecting Macro viruses with Sophos Anti-Virus for Windows, versions 7 and 9

  • Close down all programs.
  • Go to Start|Programs|Sophos|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
  • In the 'Available scans' list, select the scan for which you want to enable removal, or use 'Setup a new scan' to scan your local disks. (Do not select a scheduled scan, as you will not be able to run this manually.)
  • Click Edit|Configure this Scan.
  • Select the Cleanup tab and select 'Automatically clean up items that contain virus/spyware'. Click Apply|OK.
  • Click 'Save and Start' to save the scan, and run it immediately.
  • At the end of the scan, click the link in 'Items passed to Quarantine' and open Quarantine manager.
  • Select any items needing disinfection.
    • From the 'Perform action' dropdown, select 'Cleanup'.
    • Select 'Yes' or 'Yes to all' to disinfect files.
  • Any remaining items should be deleted.
    • From the 'Perform action' dropdown, select 'Delete'.
    • Select 'Yes' or 'Yes to all' to delete files.
  • Run another scan to ensure that the virus has been disinfected.
  • Click Edit|Configure this Scan.
  • Select the Cleanup tab and deselect 'Automatically clean up items that contain virus/spyware'. Click Apply|OK.

If Sophos Anti-Virus cannot disinfect files because they are held open by the operating system, make a note of the names of the files, then do as follows.

  1. Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs (virus identity files) to this folder and write-protect the disk (on a CD-R or CD-RW, close the session).
  2. Restart the computer in Safe Mode with command prompt.
  3. At the infected computer, place the CD in the CD drive (D: in this example). At the command prompt type

    D:

    to access the CD drive. Type:

    CD SAV32CLI

    Then type:

    SAV32CLI -DI -P=C:\LOGFILE.TXT

    to disinfect the virus.

    All other files must be deleted. Some of these were dropped by the virus and need not be restored. Others should be recovered from backups.

    SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT

    This command writes a report to the root of the C: drive. This report can be used to check which deleted files should be restored from backups.

    In Windows 2000/XP/2003/Vista, when disinfection and deletion have finished, restart the computer in Windows.

    Install or reinstall Sophos Anti-Virus then run an 'All files' scan to check that the virus has gone.

  4. Before leaving Safe Mode, check any registry entries mentioned in the virus analysis recovery instructions, and edit them if necessary. If problems persist, contact support.
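Disinfecting a macro virus removes the VBA project from the infected document. As an added example that is not from the Sophos article, the following Python script checks whether Office documents still carry a VBA project after cleanup; it understands only the zip-based OOXML container (.docm, .xlsm, .pptm, or a .docx that should never have macros), not the legacy OLE .doc/.xls formats, and the sample documents it builds are constructed stand-ins rather than real Word files.

```python
# Added example (not from the Sophos article): report whether OOXML documents
# (.docm/.xlsm/.pptm, or a .docx that should never carry macros) still contain
# a VBA project after cleanup. Legacy OLE .doc/.xls files are not parsed.
from __future__ import annotations

import io
import zipfile

# Content type that an OOXML package registers for its VBA project part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def find_vba(data: bytes) -> list[str]:
    """Evidence that an OOXML document contains VBA; [] if none (BadZipFile if not a zip)."""
    reasons: list[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # The macro code itself lives in a vbaProject.bin part.
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):
                reasons.append(f"part present: {name}")
        # The package manifest must also register that part's content type.
        try:
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except KeyError:
            manifest = ""
        if VBA_CONTENT_TYPE in manifest:
            reasons.append(f"content type registered: {VBA_CONTENT_TYPE}")
    return reasons


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML container for testing (not a real Word file)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_vba:
        overrides += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
    manifest = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.'
                f'openxmlformats.org/package/2006/content-types">{overrides}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:  # placeholder bytes standing in for the OLE-format VBA project
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample.docm", build_sample(True)), ("cleaned.docx", build_sample(False))):
        found = find_vba(blob)
        print(f"{label}: {'; '.join(found) if found else 'no VBA project'}")
```

A document that reports "no VBA project" has had its macro project removed; one that still lists a vbaProject.bin part should be rescanned or restored from a known-clean backup.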

3. Mac OS X computers

  1. Open the Quarantine Manager.
  2. Click the Action Available column heading to sort the list of threats according to the action available.
  3. Select all the threats for which the action available is Clean up.
  4. Click Clean Up Threat.
    Note: you must authenticate by clicking the lock icon at the bottom of the Quarantine Manager window.
    Any threats that are cleaned up are cleared from the list.
  5. Click the Action Available column heading again to sort the list of threats.
  6. If there are any threats for which the action available is Restart, restart your Mac to complete the cleanup.
  7. Click the Action Available column heading again to sort the list of threats.
  8. If there are any threats for which the action available is Scan local drives, run 'Scan local drives'.
  9. Click the Action Available column heading again to sort the list of threats.
  10. If there are any threats for which the action available is Clean up, go back to step 3.
  11. If there are any threats for which the action available is 'Clean up manually', create a custom scan, as described in the product Help.
  12. Select the areas where the remaining threats reside and add these to the Scan Items.
  13. In the Options tab, select 'Delete threat' from the drop down menu.
  14. Click Done.
  15. Run the scan.

4. NetWare computers

  1. Open the Sophos Anti-Virus for NetWare user interface.
  2. At the 'Main menu' select 'Immediate Mode' then 'Configuration'.
  3. In the 'Macro viruses' option select 'Disinfect'. In the 'Removal mode' option select 'No action'.
  4. Return to 'Immediate mode' and select 'Start'.
  5. Run repeated scans until no further viruses are reported.
  6. Go back to 'Immediate Mode', 'Configuration' and restore your previous options.

5. Linux computers

  1. Files on your Linux server infected with macro viruses can usually be disinfected by running SWEEP with the -di command line option.
    savscan -di
  2. Run another scan to ensure that the virus has been removed.

6. UNIX computers

  1. Files on your UNIX server infected with macro viruses can usually be disinfected by running SWEEP with the -di command line option.
    sweep -di
  2. Run another scan to ensure that the virus has been removed.

7. OpenVMS computers

  1. Run VSWEEP from DCL using the command line qualifier '/DI'.
  2. Run a second scan to ensure that any virus has been removed. You should get the message 'No viruses found'.
    If a virus fragment is reported in a file please send us a sample for analysis. It could be a corrupted virus or a new variant. An exact match is needed for disinfection.

For more information or assistance, please contact technical support.
