Sophos Anti-Virus for Windows 2000+: significant files and registry entries
Contents
- Significant files: SavService.exe, Vdl.dat, Vdl01.vdb-vdlxx.vdb, Xxxxxxx.ide, SAVI.dll, Sav32cli.exe, Savonaccesscontrol.sys and savonaccessfilter.sys, Veex.dll
- Machine global configuration files
- User configuration files
- Significant registry keys
Significant files
| File | Description |
|---|---|
| SavService.exe | This is the main Sophos Anti-Virus service that interfaces with the drivers and the user interface. SavService.exe performs virus scanning and disinfection functions. Location: C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe. User/Account: |
| SAVAdminService.exe | This provides information about anti-virus protection to Windows Control Center. Location: C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe |
| SavMain.exe | This is the graphical interface to Sophos Anti-Virus, through which the application is configured and controlled locally. Location: C:\Program Files\Sophos\Sophos Anti-Virus\SavMain.exe. The account that launches this executable (typically the logged-on user) is checked against the groups in C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\machine.xml to determine what access rights the user has. There are three Sophos Anti-Virus groups: To confirm the SIDs assigned to the user groups, type |
| BackgroundScanClient.exe | This is used to launch scheduled scans. Location: C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe. Scheduled scans are run by the Windows Task Scheduler, for example: "C:\Program Files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe" {F6EA4C73-EBE1-4F1C-A3B9-B1B869027F56} where {F6EA4C73-EBE1-4F1C-A3B9-B1B869027F56} is a GUID found within the configuration files, describing the configuration to run the scan with. |
| Sav32cli.exe | The command line scanner, capable of performing scans, disinfections and removal of viruses. Location: C:\Program Files\Sophos\Sophos Anti-Virus\sav32cli.exe. For a full list of functionality, run "sav32cli -h" from the command prompt. |
| Veex.dll | This is the virus engine. Location: C:\Program Files\Sophos\Sophos Anti-Virus\veex.dll |
| Vdl.dat | This is the index file for the virus definition files. It also contains the virus data set version. Location: C:\Program Files\Sophos\Sophos Anti-Virus\vdl.dat |
| Vdl01.vdb-vdlxx.vdb | These are the virus definitions; each file is approximately 300 to 400 KB. Location: C:\Program Files\Sophos\Sophos Anti-Virus\vdl01.vdb |
| Xxxxxxx.ide | These are the supplementary detection files. Location: C:\Program Files\Sophos\Sophos Anti-Virus\xxxxxxx.ide |
| SAVI.dll | This is the Sophos Anti-Virus Interface. Location: C:\Program Files\Sophos\Sophos Anti-Virus\SAVI.dll. It provides the interface through which third parties and Sophos Anti-Virus call the virus engine. SAVI.dll essentially passes result codes back to the calling application so that it can make decisions about the files. |
| Savonaccesscontrol.sys and savonaccessfilter.sys | These files are the file system drivers, which enable Sophos Anti-Virus to hook file access. Location: %windir%\system32\drivers\savonaccesscontrol.sys and %windir%\system32\drivers\savonaccessfilter.sys. The stack can be represented as: Savmain.exe |
Machine global configuration files
Configuration files are split between individual users on the system and the global settings.
Machine global files can be found at: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\
| File | Description |
|---|---|
| machine.xml | This is the main configuration file, relating to scanning options, user groups, scheduled scans, etc. Location: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\ |
| Sav.txt | This is the default log file. Location: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\ |
| Temp folder | This folder is used as a temporary location to extract archives to prior to scanning. Location: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Temp\ |
| Infected folder | The default location when choosing "move to" as an action to deal with viruses. Location: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\INFECTED\ |
User configuration files
User files can be found at: C:\Documents and Settings\<username>\Local Settings\Application Data\Sophos\Sophos Anti-Virus\
| File | Description |
|---|---|
| User.xml | This file contains configurations regarding scans the user has set up, such as right-click scan configurations and saved scan configurations. Location: C:\Documents and Settings\<username>\Local Settings\Application Data\Sophos\Sophos Anti-Virus\Config\user.xml |
| Right-Click Scan.txt, | These files log the activities of user-created scans. Location: C:\Documents and Settings\<username>\Local Settings\Application Data\Sophos\Sophos Anti-Virus\logs\ |
Significant Registry Keys
HKLM\SOFTWARE\Sophos\SAVI
This key holds the named values for the SAVI instances, for example “SWEEP CLI for Win32/Intel” for the command line scanner sav32cli.exe.
HKLM\SOFTWARE\Sophos\SAVService
This part of the registry contains the install path and the temp directory path, along with the list of component names.
HKLM\SYSTEM\CurrentControlSet\Services\SAVOnAccessControl
and HKLM\SYSTEM\CurrentControlSet\Services\SAVOnAccessFilter
These are the driver start-up keys. The values for ‘Start’ are:
| Value | Meaning | Note |
|---|---|---|
| 0 | Boot | Earliest |
| 1 | Service Start | Default |
| 2 | Auto Start | Start after other services and filter drivers |
| 3 | Manual Start | The filter driver may be started using a batch file |
| 4 | Disabled | Disabled |
HKLM\SYSTEM\CurrentControlSet\Services\SAVService
This is the registry key for the “Sophos Anti-Virus” service. It allows the Windows Service Control Manager to start the service.
HKLM\SYSTEM\CurrentControlSet\Services\SAVAdminService
This is the registry key for the “Sophos Anti-Virus status reporter” service. It allows the Windows Service Control Manager to start the service.
HKCU\Software\Sophos\Sophos Anti-Virus
The logged on user’s graphical user interface settings.
HKLM\Software\Sophos\SAVService\SetupOptions\SuppressCompetitorDetection
You can add this key, with a string value (REG_SZ type) of 1, to stop the Sophos Competitor Removal Tool from running on deployment.
NOTE: The key name is case sensitive and must be entered as shown above. The data value is a STRING and not a DWORD.
HKLM\Software\Sophos\SAVService\SetupOptions\SuppressPreSavCDT
You can add this key, with a string value (REG_SZ type) of 1, to stop the Sophos Competitor List Check from running on deployment.
NOTE: The key name is case sensitive and must be entered as shown above. The data value is a STRING and not a DWORD.
When set to zero, this key checks for competitor security software and reports on its presence, but does not attempt removal.
HKLM\Software\Sophos\SAVService\SetupOptions\DisableOnAccess
You can add this key, with a string value (REG_SZ type) of 1, to disable on-access scanning.
To enable on-access scanning, set this key to zero.
System Event Log registry keys
The following registry entries are used to write information to the Event Log:
- HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SophosAntiVirus
- HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\SAVOnAccessControl
- HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\System\SAVOnAccessFilter
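The following PowerShell script is an added example and is not part of the Sophos article or of any Sophos tool. It audits, from a defender's point of view, the items listed in the "Significant files" and "Significant registry keys" sections above: it decodes the driver and service Start values with the table given above, reports the SetupOptions entries (flagging DisableOnAccess set to 1, which turns off on-access scanning, and data stored as a DWORD where the article requires REG_SZ), checks the Event Log source keys and the significant files, and lists scheduled scans launched through BackgroundScanClient.exe with their configuration GUID. Assumptions: the default install path and the "All Users\Application Data" layout the article gives; the service names SAVOnAccessControl and SAVOnAccessFilter (taken from the Event Log key names); that a SetupOptions entry may be stored either as a named value under SetupOptions or as a subkey whose default value holds the data (the article's wording allows both, so both are checked); an English-locale schtasks output; and the function name Invoke-SavAudit, which is chosen for this example.

```powershell
# Added example, not part of the Sophos article. Run from an elevated prompt on
# a host with Sophos Anti-Virus installed; it only reads, never changes, anything.
function Invoke-SavAudit {
    param(
        # Assumed default locations from the article; adjust for your deployment.
        [string]$InstallDir = 'C:\Program Files\Sophos\Sophos Anti-Virus',
        [string]$GlobalCfg  = 'C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus'
    )
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Service and driver start-up keys, decoded with the article's Start table.
    $startMeaning = @{ 0 = 'Boot'; 1 = 'Service Start'; 2 = 'Auto Start'; 3 = 'Manual Start'; 4 = 'Disabled' }
    foreach ($svc in 'SAVOnAccessControl', 'SAVOnAccessFilter', 'SAVService', 'SAVAdminService') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $key)) { $findings.Add("MISSING  $key"); continue }
        $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
        $label = if ($null -ne $start -and $startMeaning.ContainsKey([int]$start)) { $startMeaning[[int]$start] } else { 'unknown' }
        $tag   = if ($start -eq 4) { 'DISABLED' } else { 'OK      ' }
        $findings.Add(("{0} {1,-20} Start={2} ({3})" -f $tag, $svc, $start, $label))
    }

    # 2. SetupOptions entries. The article requires REG_SZ data "1", so a DWORD is
    #    reported as the wrong type. DisableOnAccess=1 switches off on-access
    #    scanning, so it is flagged for review rather than treated as a setting.
    #    Assumption: the entry is either a named value or a subkey's default value.
    $setup = 'HKLM:\SOFTWARE\Sophos\SAVService\SetupOptions'
    foreach ($name in 'DisableOnAccess', 'SuppressCompetitorDetection', 'SuppressPreSavCDT') {
        $value = $null; $kind = $null
        if (Test-Path $setup) {
            $prop = Get-ItemProperty -Path $setup -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $prop) {
                $value = $prop.$name
                $kind  = (Get-Item $setup).GetValueKind($name)
            } elseif (Test-Path (Join-Path $setup $name)) {
                $sub   = Get-Item (Join-Path $setup $name)
                $value = $sub.GetValue('')
                if ($null -ne $value) { $kind = $sub.GetValueKind('') }
            }
        }
        if ($null -eq $value) { $findings.Add("ABSENT   $name (default behaviour applies)"); continue }
        $typeNote = if ("$kind" -ne 'String') { " WRONG TYPE ($kind): article requires REG_SZ" } else { '' }
        $tag = if ($name -eq 'DisableOnAccess' -and "$value" -eq '1') { 'REVIEW  ' } else { 'OK      ' }
        $findings.Add("$tag $name = '$value'$typeNote")
    }

    # 3. Event Log source keys listed in the article.
    foreach ($k in 'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\Application\SophosAntiVirus',
                   'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\System\SAVOnAccessControl',
                   'HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\System\SAVOnAccessFilter') {
        $tag = if (Test-Path $k) { 'OK      ' } else { 'MISSING ' }
        $findings.Add("$tag event source $k")
    }

    # 4. Significant files from the article, plus a count of the definition files.
    $files = foreach ($n in 'SavService.exe', 'SAVAdminService.exe', 'SavMain.exe', 'BackgroundScanClient.exe',
                            'sav32cli.exe', 'veex.dll', 'vdl.dat', 'SAVI.dll') { Join-Path $InstallDir $n }
    $files += Join-Path $env:windir 'system32\drivers\savonaccesscontrol.sys'
    $files += Join-Path $env:windir 'system32\drivers\savonaccessfilter.sys'
    $files += Join-Path $GlobalCfg 'config\machine.xml'
    $files += Join-Path $GlobalCfg 'logs\Sav.txt'
    foreach ($f in $files) {
        $tag = if (Test-Path $f) { 'OK      ' } else { 'MISSING ' }
        $findings.Add("$tag $f")
    }
    $vdb = @(Get-ChildItem -Path $InstallDir -Filter 'vdl*.vdb' -ErrorAction SilentlyContinue).Count
    $ide = @(Get-ChildItem -Path $InstallDir -Filter '*.ide'   -ErrorAction SilentlyContinue).Count
    $findings.Add("INFO     $vdb virus definition files (vdl*.vdb), $ide supplementary .ide files")

    # 5. Scheduled scans: Task Scheduler entries that run BackgroundScanClient.exe,
    #    and the configuration GUID they pass (column names assume an English locale).
    $tasks = schtasks /query /v /fo CSV 2>$null | ConvertFrom-Csv
    foreach ($t in $tasks) {
        if ("$($t.'Task To Run')" -match 'BackgroundScanClient\.exe.*(\{[0-9A-Fa-f-]{36}\})') {
            $findings.Add("INFO     scheduled scan '$($t.TaskName)' uses configuration $($Matches[1])")
        }
    }
    return $findings
}

Invoke-SavAudit
```

Each output line starts with a fixed-width tag (OK, MISSING, DISABLED, REVIEW, ABSENT, INFO) so the result can be sorted or grepped when the script is run across many hosts; a REVIEW or DISABLED line means the protection described in the article is not in its default state and should be checked against your deployment records.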
If you need more information or guidance, then please contact technical support.
- Article ID: 36207
- Created: 25 Mar 2008
- Last updated: 29 Jul 2011