Antivirus and Security Software from Sophos


Collecting samples blocked by on-access scanning

This method can be used to collect samples of files that on-access scanning would otherwise block, for example files detected under a 'Mal/' identity. You can then submit the file to SophosLabs for further analysis.

Known to apply to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+ 9.5.0
Sophos Anti-Virus for Windows 2000+ 9.7.0

What to do

Provided that the file is still present on the computer, you can set up an on-demand scan to capture it safely.

Unless the file that you want to capture is on removable media (CDs, floppy disks, USB cards, etc.), remove all such items from the computer before starting.

Windows 2000/XP/2003/Vista

These instructions assume that you are using Sophos Anti-Virus for Windows 2000+, version 5 or above.

  1. Log onto the computer with administrator rights.
  2. Open Sophos Anti-Virus.
  3. Select 'Set up a new scan'.
  4. Select all drives marked 'Local disk'. (Alternatively, select 'My Computer', but the scan may take longer.)
  5. Select 'Configure this scan'.
  6. In the 'Individual scan settings' dialog, select the Cleanup tab.
  7. Deselect 'Automatically cleanup items that contain a virus' if it has been enabled.
  8. Select 'Move to'. (If you use a non-default location, make a note of it.) The default locations are:
    • Windows operating systems pre-Vista
      C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
    • Windows Vista/2008/7
      C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED
  9. Click 'OK'.
  10. Click 'Save and start'.
  11. Wait for the scan to finish.

Any files found will be saved with a file extension that prevents them from being run.

Note: The 'INFECTED' folder is a hidden folder. You may need to make it visible.
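An added example, not part of the Sophos article: a PowerShell snippet that lists what the on-demand scan moved into the INFECTED folder, confirms each copy carries the non-executable numeric extension, and records a SHA-256 so the submission can be matched to the sample later. It assumes PowerShell 2.0 or later and the default folder locations given above.

```powershell
# Added example (not from the Sophos article): inventory the quarantined copies in the
# INFECTED folder and record a SHA-256 for each one before submitting it to SophosLabs.
# Assumes PowerShell 2.0 or later; the folder paths are the defaults the article lists.

# Pick the default INFECTED location for this Windows version (Vista and later = NT 6.0+).
if ([Environment]::OSVersion.Version.Major -ge 6) {
    $infected = 'C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED'
} else {
    $infected = 'C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED'
}

# -Force is required because INFECTED is a hidden folder.
$files = Get-ChildItem -Path $infected -Force -ErrorAction Stop |
    Where-Object { -not $_.PSIsContainer }

$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($f in $files) {
    # Quarantined copies are renamed with a numeric extension such as .000, so they
    # cannot be launched by double-clicking; flag anything that still looks runnable.
    $safeName = $f.Extension -match '^\.\d{3}$'

    # Reading the bytes does not execute the file, but on-access scanning may still deny
    # the read until an exclusion exists for it; report that instead of aborting.
    try {
        $bytes = [System.IO.File]::ReadAllBytes($f.FullName)
        $hash  = ([BitConverter]::ToString($sha256.ComputeHash($bytes))) -replace '-', ''
    } catch {
        $hash = "unreadable (on-access scanning blocked the read? $($_.Exception.Message))"
    }

    New-Object PSObject -Property @{
        File        = $f.Name
        Bytes       = $f.Length
        Quarantined = $f.LastWriteTime
        SafeName    = $safeName
        SHA256      = $hash
    }
}
```

Pipe the output to Format-Table -AutoSize or Export-Csv to keep a record of what was submitted; a SafeName of False means the copy was not renamed and should be handled with care.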

As the Sophos on-access scanner will intercept the file when you attempt to upload it to the Sophos website, you will need to exclude that file from on-access scanning.

  1. In the Sophos Anti-Virus home page, select 'Configure Sophos Anti-Virus'.
  2. Select 'On-access scanning'.
  3. Select the Exclusions tab.
  4. Click 'Add'.
  5. In the 'Exclude item' dialog, in the 'Item type' dropdown list, select File.
  6. Click 'Browse'.
  7. Browse to one of the following:
    • Windows operating systems pre-Vista: the default is C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
    • Windows Vista/2008/7: the default is C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED
    • Non-default: your alternative folder, if you did not use the default
    If the 'Application Data' or 'ProgramData' folder is not visible, adjust your folder view settings so that hidden items are shown.
  8. Select your infected file (it will have a name similar to 'program.exe.000').
  9. Click 'OK'.
  10. Repeat this process for any other infected files.
  11. When you have finished excluding files, click 'OK' to save your exclusions list.

You can now upload the file to the Sophos website. Note that the web submission channel uses HTTPS, so the upload is encrypted in transit and therefore complies with regulations for secure data exchange.

  1. Open a web browser.
  2. Browse to http://www.sophos.com/support/samples/.
  3. Enter your details and click 'Continue'.
  4. In the 'Operating system' dropdown list, select the operating system of the affected computer.
  5. In the 'Why do you want to send this sample?' field
    • give the reported analysis name (e.g. Mal/Dload-A)
    • say "Submitting file for further analysis".
  6. Click 'Continue'.
  7. Click 'Browse'.
  8. Browse to one of the following:
    • Windows operating systems pre-Vista: the default is C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
    • Windows Vista/2008/7: the default is C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED
    • Non-default: your alternative folder, if you did not use the default
  9. Select the file.
  10. Click 'Open'.
  11. If you have any further files to submit, click 'Upload another file'. Otherwise, click 'Submit'.

Your file will be submitted for analysis.

After you have submitted the file, you should remove the on-access exclusion from that file.

  1. In the Sophos Anti-Virus home page, select 'Configure Sophos Anti-Virus'.
  2. Select 'On-access scanning'.
  3. Select the Exclusions tab.
  4. Select the exclusion that you want to remove.
  5. Click 'Remove'.
  6. Repeat this process for any other exclusions you need to remove.
  7. Click 'OK' to save your exclusions list.

If you need more information or guidance, then please contact technical support.