In this section

• Home
• Support
• Knowledgebase
• Articles

Online support

• Knowledgebase
• Virus disinfection

Product maintenance

• Downloads and updates
• Documentation
• Software lifecycle

Contact support

• Talk to an expert
• Send a sample
• Email us

Support services

• Overview
• Technical Support
• Professional Services
• Technical Training

Collecting samples blocked by on-access scanning

This method can be used for collecting samples of files otherwise blocked by on-access scanning, for example 'Mal/' files. You can then submit the file to SophosLabs for further analysis.

What to do

Provided that the file is still present on the computer, you can set up an on-demand scan to capture it safely.

Unless the file that you want to capture is on removable media (CDs, floppy disks, USB cards, etc.), remove all such items from the computer before starting.

Windows 2000/XP/2003/Vista

These instructions assume that you are using Sophos Anti-Virus for Windows 2000+, version 5 or above.

1. Log onto the computer with administrator rights.
2. Open Sophos Anti-Virus.
3. Select 'Set up a new scan'.
4. Select all drives marked 'Local disk'. (Alternatively, select 'My Computer', but the scan may take longer.)
5. Select 'Configure this scan'.
6. In the 'Individual scan settings' dialog, select the Cleanup tab.
7. Deselect 'Automatically cleanup items that contain a virus' if it has been enabled.
8. Select 'Move to'. (If you use a non-default location, make a note of it.) The default locations are:
   • Windows operating systems except Vista  
     C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
   • Windows Vista
     C:\Program Data\Sophos\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
9. Click 'OK'.
10. Click 'Save and start'.
11. Wait for the scan to finish.

Any files found will be saved with a file extension that prevents them from being run.

Note: The 'INFECTED' folder is a hidden folder. You may need to make it visible.

As the Sophos on-access scanner will intercept the file when you attempt to upload it to the Sophos website, you will need to exclude that file from on-access scanning.

1. In the Sophos Anti-Virus home page, select 'Configure Sophos Anti-Virus'.
2. Select 'On-access scanning'.
3. Select the Exclusions tab.
4. Click 'Add'.
5. In the 'Exclude item' dialog, in the 'Item type' dropdown list, select File.
6. Click 'Browse'.
7. Browse to one of the following: 
   • Default on Windows operating systems except Vista,  
     the default is, C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
   • Default on Windows Vista,
     the default is, C:\Program Data\Sophos\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
   • Non-default
     your alternative folder if you did not use the default 
   If the 'Application Data' folder is not visible, you must adjust your settings so you can view it.
8. Select your infected file (it will have a name similar to 'program.exe.000').
9. Click 'OK'.
10. Repeat this process for any other infected files.
11. When you have finished excluding files, click 'OK' to save your exclusions list.

You can now upload the file to the Sophos website.

1. Open a web browser.
2. Browse to http://www.sophos.com/support/samples/.
3. Enter your details and click 'Continue'.
4. In the 'Operating system' dropdown list, select the operating system of the affected computer.
5. In the 'Why do you want to send this sample?' field
   • give the reported analysis name (e.g. Mal/Dload-A)
   • say "Submitting file for further analysis".
6. Click 'Continue'.
7. Click 'Browse'.
8. Browse to one of the following 
   • Windows operating systems except Vista,  
     the default is, C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
   • Windows Vista,
     the default is, C:\Program Data\Sophos\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED
   • your alternative folder if you did not use the default.
9. Select the file.
10. Click 'Open'.
11. If you have any further files to submit, click 'Upload another file'. Otherwise, click 'Submit'.

Your file will be submitted for analysis.

---

After you have submitted the file, you should remove the on-access exclusion from that file.

1. In the Sophos Anti-Virus home page, select 'Configure Sophos Anti-Virus'.
2. Select 'On-access scanning'.
3. Select the Exclusions tab.
4. Select the exclusion that you want to remove.
5. Click 'Remove'.
6. Repeat this process for any other exclusions you need to remove.
7. Click 'OK' to save your exclusions list.

If you need more information or guidance, then please contact technical support.

• Article ID: 17327
• Created: 21 Sep 2006
• Last updated: 27 Nov 2006

Rate this article Choose a rating Very useful Quite useful Moderately useful Not very useful Not useful at all

•  Read our search tips
• Contact one of our experts
• Suggest an improvement