These notes describe how to use the command line version of the Sophos Anti-Rootkit tool to remove rootkits from networked Windows NT/2000/XP/2003 computers, and to prevent reinfection across the network during this process.
Note: You cannot use the graphical user interface (GUI) version of Sophos Anti-Rootkit for network disinfection.
What To Do
- Preparing to run Sophos Anti-Rootkit
- Using Sophos Anti-Rootkit on a small network
- Running Sophos Anti-Rootkit on large networks
The command line version of the Sophos Anti-Rootkit tool can be used over a network to remove rootkits from Windows NT/2000/XP/2003 computers.
- System requirements
The Sophos Anti-Rootkit tool is only available for Windows NT/2000/XP/2003 computers. See the user manual for details.
- Individual computers
If you are cleaning an individual computer, use the Windows tool sargui.exe on the computer individually. That tool is available in the same download as the command line tool. See the user manual for details.
If the computer has valuable data on it, back up the data to CD or DVD before removing any malicious software.
Sophos Anti-Rootkit removes rootkits only. You should subsequently scan your computers with anti-virus software to remove any Trojans, etc., that the rootkit may have placed there.
- Files you will need
- the Sophos Anti-Rookit files (including the command line utility sarcli.exe)
- anti-virus software (to remove any dropped malware files).
- Further information
Read these notes completely before starting to disinfect your computers.
Detach the infected network from the internet by shutting down the router, etc. If necessary, remove the connecting plug. Most malicious programs spread over the internet, so this will protect against further infection.
Then, on an uninfected computer, prepare a write-protected copy of the anti-rootkit tool on a CD or other write-protected medium:
- Download Sophos Anti-Rootkit.
- Double-click the downloaded file to extract the contents into a folder called SOPHTEMP.
- Copy the contents of the SOPHTEMP folder to a medium that can be write-protected (the example here uses a CD).
- Write-protect the disk (e.g. on a CD/R or CD/RW, close the session).
If you have a small network (up to 30 computers), or a peer-to-peer network, you should clean the computers individually. Run the graphical user interface (GUI) version of Sophos Anti-Rootkit from the CD that you made on each computer in turn.
Note: If you have a peer-to-peer network (workgroup) you will have to use this method as your clients will not have a login script.
To run network disinfection, use the command line version of the Sophos Anti-Rootkit tool.
Check to see if the rootkit is only present on a few computers, or if it has spread to your domain controller.
Warning: Do not reboot or log off the Domain Controller during network cleaning. It might become infected.
For the purposes of these notes all computers except the Domain Controller are workstations.
- Create a C:\SOPHTEMP folder on the Domain Controller and copy in the contents of your Sophos Anti-Rootkit CD.
- Share the C:\SOPHTEMP folder over the network as a read-only share.
- Backup the login script for all of your workstations. (If necessary, create one.) Then add this line to it
where [SERVER] is the name of your Domain Controller.
This change to your login script will scan your workstations for rootkits, and create the log file %TEMP%\sarscan.log, where %TEMP% is the Windows temporary directory of the scanned workstation.
- Force a log off and log on of all workstations on your network except the Domain Controller.
- Using a domain administrator account, check that the file sarscan.log is present in the Windows temporary directory of all of your networked Windows NT/2000/XP/2003 workstations.
- Note the size of the log file produced by an uninfected workstation, and the name of that workstation (here 'Canary'). This information will be used to check which workstations are infected.
- As workstation locale may affect the size of an 'empty' file, you may need to use more than one indicator workstation.
- Alternatively, you could use a script (e.g. a batch file, or Perl or Python script) to check the sarscan.log file on your workstations for the presence of the words "Hidden:", "Error:" and "Warning:".
- Check the contents of the file sarscan.log on a representative sample of your workstations.
- Ensure that no files that you will want to keep are flagged for removal. If they are, contact Sophos support with a sample of the file samples.sar from the Windows temporary directory of the workstation involved.
- Check to see if any files will not be cleaned up. Find out what they are, if so.
- Once you are satisfied that automatic removal will not delete any valuable files, and that cleanup will not be jeopardized by files that are not removed, edit the line in your login script to remove the rootkit from your workstations.
\\[SERVER]\SOPHTEMP\SARCLI.EXE -clean -restart
- scan running processes for hidden items
- scan the Windows registry for hidden items
- scan the local hard drives for hidden items
- append scan information to the existing sarscan log
- restart the workstation to clean up all hidden items recommended for removal (the workstation will only be restarted if a rootkit is found)
- on an infected workstation, create the log file %TEMP%\sarclean.log, where %TEMP% is the Windows temporary directory of that workstation. (If you run a second cleaning scan this log will be overwritten.)
- Force a log off and log on of all computers on your network except the Domain Controller to run the edited login script. Any infected workstations will be rebooted by the tool during the cleaning process.
- Using a domain administrator account, check the sarclean.log files in the temporary directory of all cleaned workstations.
- Check the new size of the sarscan.log file on your uninfected workstation ('Canary').
- Examine carefully all workstations that have a sarscan.log file of a different size, and no sarclean.log file. (Alternatively, use a script to check for the words "Hidden:", "Error:" or "Warning:" in the logs.)
- Edit the line in your login script to run a final scan to ensure that all components have been removed from your workstations.
- Using a domain administrator account, check the size of the new sarscan1.log files. They should all be the same size as the one on Canary (i.e. empty).
- After running Sophos Anti-Rootkit to remove the rootkit you should:
- Purge System Restore on all affected Windows XP computers.
- Check your software or hardware firewall to ensure that it is running correctly.
- Check that your anti-virus software is running correctly.
- Ensure that your network is up to date with Microsoft patches.
- Change any usernames and passwords that may have become compromised.
- Run a network-wide scan with your anti-virus software to ensure that all computers are now free of infection. A knowledgebase article describes how to do this with Enterprise Console.
- Use anti-virus software to check that any computers running other operating systems (e.g. Windows 95/98/Me), and any network shares, are free from dropped rootkit files.
- Check computers that are not part of your main network (e.g. laptops, and computers connecting over the internet).
- Once you are confident that the rootkit has gone
- Remove the SARCLI.EXE line from your login script.
- Unshare the SOPHTEMP folder on the domain controller.