In this section

• Home
• Support
• Virus disinfection

• Global support information
• Contact support
• Knowledgebase
• Virus disinfection
• Downloads and updates
• Documentation
• Software lifecycle
• Send a sample

• Global Support Services
• Technical Support
• Professional Services
• Technical Training

Removing infected executable files

1. Using Enterprise Console
2. Sophos Anti-Virus for Windows, version 6
3. Windows 95/98/Me
4. Macintosh OS X computers
5. NetWare
6. Linux
7. UNIX
8. OpenVMS

1. Using Enterprise Console

You can remove infected executable files over a network using Enterprise Console.

2. Sophos Anti-Virus for Windows, version 6

To remove an infected executable file:

• Check the threat analysis for details on the virus and its removal.
• Back up any important data on the hard drive.
• Close down all programs.
• Go to Start|Programs|Sophos Anti-Virus and run the 'Sophos Anti-Virus' program.
• In the 'Available scans' list, select the scan for which you want to enable disinfection. (Do not select a scheduled scan, as you will not be able to run this manually.)
• Click Edit|'Configure this Scan'.
• On the Cleanup tab, select 'Automatically clean up items that contain a virus'. Click Apply|OK.
• Click 'Save and Start' to save the scan, and run it immediately.
• Make a note of the infected files from the on-screen log.
• Delete the files. Run another scan for viruses. Replace the files with 'clean' versions from the original installation media or a clean PC.
• Click Edit|'Configure this Scan'.
• Select the Cleanup tab and deselect 'Automatically clean up items that contain a virus'. Click Apply|OK

If Sophos Anti-Virus cannot delete files because they are held open by the operating system, make a note of the names of the files, then do as follows.

1. Download an emergency copy of SAV32CLI. On an uninfected Windows computer, run this file to extract the contents into a SAV32CLI folder on a medium that can be write-protected. Copy the SAV32CLI folder produced onto a medium that can be write-protected. Add any relevant IDEs to this folder and write-protect the disk (on a CD/R or CD/RW close the session).
2. Restart the computer in Safe Mode. Go to Start|Shut Down. Select 'Restart' from the dropdown list and click 'OK'. Windows will restart. Press F8 when you see the following text at the bottom of the screen 'For troubleshooting and advanced startup options for Windows 2000, press F8'. In the Windows 2000 Advanced Options Menu select the third option 'Safe Mode with Command Prompt'.
3. At the infected computer, place the CD in the CD drive (D: in this example).
4. At the command prompt type
   D:
   to access the CD drive. Type:
   CD SAV32CLI
   Then type:
   SAV32CLI -REMOVE -P=C:\LOGFILE.TXT to remove the virus.
5. Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions.
6. Replace the infected files with 'clean' versions from the original installation media or a clean PC.
7. If problems persist, contact support.

3. Windows 95/98/Me

To remove an infected executable file:

• Check the threat analysis for details on the virus and its removal.
• Back up any important data on the hard drive.
• Close down all programs.
• Go to Start|Programs|Sophos Anti-Virus and run the Sophos Anti-Virus program.
• Select the Immediate tab.
• Go to Options|Configuration... select the Action tab, select 'Infected files', select 'Move', then click 'OK'.
• Click the Go button on the toolbar to start the scan.
• Make a note of the infected files from the on-screen log.
• Delete the files. Run another scan for viruses. Replace the files with 'clean' versions from the original installation media or a clean PC.
• Go to Options|Configuration... select the Action tab, uncheck 'Infected files', deselect 'Move', then click 'OK'

If the virus is memory resident or the files cannot be removed because they are held open by the operating system:

• Reboot the PC from a clean startup or system disk.
• Delete and replace the file manually, or using the following DOS instructions:

You will need SWEEP for DOS on floppy disk. To do this, make a set of Emergency SAV disks.

• Check the threat analysis for details on the virus and its removal.
• Back up any important data on the hard drive.
• Reboot your PC from a clean system disk, put the 'SWEEP for DOS' disk in the floppy drive and at the A: prompt type:
  

  SWEEP *:

• Make a note of the infected files.
• Delete the infected files using
  

  SWEEP *: -REMOVEF

• Restore the infected files from the original installation media or a clean PC.

4. Macintosh OS X computers

To remove an infected executable file:

• Check the threat analysis for details on the virus and its removal.
• Close down all programs.
• Run the Sophos Anti-Virus program.
• Click the green 'Play' arrow button.
• Make a note of the infected files.
• Go to 'Sophos Anti-Virus preferences'.
• Choose 'Disinfection' from the 'Immediate Mode' menu.
• Select 'Infected Files' and 'Delete'.
• Close 'Sophos Anti-Virus preferences'.
• Click the green 'Play' arrow button.
• Click 'OK' when asked if files should be deleted.
• Run another scan to ensure that the executable has been removed.
• Go back to 'Disinfection' and deselect 'Infected Files' and 'Delete'.
• Replace the files with 'clean' versions from the original installation media or a clean Macintosh.
• If problems persist, contact support.

5. NetWare

Infected executables can be quarantined, renamed (so they cannot be executed), deleted, purged, or copied with non-executable filenames.

Note: This method of removal will also apply to documents infected with macro viruses.

• Check the threat analysis for details on the virus and its removal.
• Run a scan to locate all the infected executables and make a note of them.
• Choose your preferred method of removal in the 'Removal mode' option of the Immediate Mode menu.
• Delete the infected files and restore them from the original installation media or a backup.

6. Linux

• Check the threat analysis for details on the virus and its removal.
• Run a scan to locate all the infected executables and make a note of them.
  
• Use savscan with the -remove option
  

  savscan -remove

• Run a scan to check that all files were deleted. Replace them with 'clean' versions from the original installation media or a clean computer.

7. UNIX

• Check the threat analysis for details on the virus and its removal.
• Run a scan to locate all the infected executables and make a note of them.
• Use SWEEP with the -remove option
  

  sweep -remove

• Run a scan to check that all infected files were deleted. Replace them with 'clean' versions from the original installation media or a clean computer.

8. OpenVMS

• Check the threat analysis for details on the virus and its removal.
• Run VSWEEP from DCL using the command line qualifier '/VF' to write the names of any infected files to the file SWEEP.VIR.
• Use SWEEP.VIR to identify infected executables for replacement.
• Delete the infected executables, either by using the DCL command DELETE/ERASE, or by running VSWEEP from DCL using the command line qualifier '/REMOVEF'.
• Note: '/REMOVEF' does not prompt for confirmation before deletion and should be used with caution.
• Restore the deleted executables from the originals or from sound backups.

For details on the use of these command line qualifiers and sample batch files using them, see the Sophos Anti-Virus for OpenVMS manual.