Using the Sophos Bootable Anti-Virus (SBAV) tool on an infected computer

  • Article ID: 52053
  • Updated: 05 Oct 2015

This article provides answers to frequently asked questions on the Sophos Bootable Anti-Virus tool (SBAV).

Applies to the following Sophos product(s) and version(s)
Sophos Bootable Anti-Virus

What is SBAV?

The Sophos Bootable Anti-Virus (SBAV) tool allows you to scan and clean up a computer infected with malware without loading the infected operating system installed on the computer's local hard drive. This is useful if the state of the computer's normal operating system, when booted, prevents cleanup by other means, or if the Master Boot Record (MBR) of the computer's hard drive is infected.

SBAV should not be used as a first response cleanup tool unless advised by Support. Other tools, such as the Sophos Anti-Virus Removal Tool or SAV32CLI, should be tried before SBAV.

A few caveats about SBAV:

  • it cannot be used on computers with RAID configurations.  Use SAV32CLI.
  • it cannot be used to scan encrypted disks.
  • it may not work with all processor types. If you encounter problems booting the affected computer, try the bootable CD/pen drive on a different computer. If it boots up successfully on the second computer, then the chipset of the first is not supported and we cannot add additional chipset support to the tool.
  • only use the tool for a week or two after downloading the ISO. After this, destroy the CD or format the USB pen drive and create a fresh ISO with the latest virus definition updates.

How does it work?

The SBAV program is provided free of charge as a Windows binary (.exe) file. To use it you must download the program to a Windows computer, install it, and then run one command.

The program will create an ISO file with the latest version of Sophos Anti-Virus for Linux, including all recent virus protection updates. You can then use this tool to boot a computer into a minimal Linux-based operating system and run a scan of the computer. Because this bypasses the local operating system, no malware can be loaded, and cleanup is possible.

How do I create the tool?

Steps for creating a bootable CD are available in article 52011. If you prefer to create a bootable USB pen drive with the tool installed see article 111374.

How do I get the computer to boot from the CD or USB drive?

During the first seconds after the computer is switched on, the computer will accept a key press that, if performed immediately, will display a boot menu. An example is shown below (the 'vmware' logo would normally be replaced by that of the computer's manufacturer, such as Lenovo, Asus, Dell, Toshiba, HP, etc.).

The boot menu, once displayed, will look similar to this:

The exact key you have to press can be different on different computers. You have to read the screen (don't blink) during startup and see what it is on your computer. Commonly the F12 key and Esc key are used.

You will not have very long to read the screen, and the key press has to occur within a few seconds; otherwise the computer will boot normally, and this will most likely be from the hard drive.

Using the one-time change boot menu is the quicker and safer option, but there is another way to alter the boot order. The order of boot devices is controlled by the computer BIOS configuration. During the first few seconds you can also enter the BIOS and check the boot order. Example:

Again the key used to access the BIOS is shown briefly at startup. The F2 key and the Del/Delete key are common choices. In the BIOS there is normally a 'boot' section and there are normally on-screen instructions provided for how to change the boot order.

In the BIOS you are setting the boot order for every future boot (until changed again), whereas the boot menu mentioned previously only changes the boot device for the very next startup. There is no harm in setting the computer to boot, for example, from USB first, then CD second, and then finally the local hard drive, even if you normally boot from the hard drive. This is because, as long as there is no bootable USB drive attached and no bootable CD in the drive (and most are not set to be bootable), the computer will quickly skip over the first two options and boot from the hard drive as normal.

When you see the 'SLAX' Linux boot screen you know the tool is loading...

Wait for it to fully load and show the 'Main Menu' screen (shown below). It may take a few minutes to appear, and it is normal for the screen to stop showing progress for short periods.

How do I run the tool?

When the tool has fully loaded you will see the 'Main Menu'. Example:

You can use the up and down arrow keys on the keyboard to move up and down the list of options, or select the corresponding white letter to jump to the option required, and then press enter - or the right arrow key - to select the item.

The main menu has two categories of scans - 'Recommended' and 'Advanced'. The right scan depends on your situation.

If you need, or have been asked, to start investigating whether undetected malware is present on your computer, use 'Scan for viruses (detect only)' under 'Sophos Recommended Scans'...

...which will only check the hard drive and log the results for later analysis.

The 'Rename infected files' scan, which appears above the detect only scan in the menu, runs a scan in which infected files only have their name changed. This can sometimes be enough to stop the malware from running when you boot back into your normal operating system, and it also allows samples of the malware to be collected and submitted to SophosLabs for analysis. However, the malware is not removed, so unless you have been asked to collect samples, move to the 'Sophos Advanced Scans' option.

Under the advanced scans option you have a choice of scans to either 'delete' or 'disinfect' viruses...

The recommended scan here is the lower one, labeled 'Disinfect viruses'. This scan will delete files that are completely (100%) malicious and, if it is able to, remove just the malware portion of a personal or operating system file that has become infected.

If the computer's hard drive has a lot of files the scan may take a long time.  During the scan do not touch the computer's keyboard.  At the end of the scan it will prompt you to press return to return to the Main Menu (Pdmenu).  After a scan you can select the 'Display scan...log' option for that scan and review the scan log.

Once finished with the tool you should properly reboot the computer using the 'Reboot' option from the Main Menu.

What are the advanced options?

There are two advanced options in the Main Menu.

  • Keyboard layout: you can use this to change the keyboard layout from UK to US for use with the Bash Shell.
  • Bash Shell: this option is for Linux Administrators only, as it requires input and knowledge of Linux commands. Use this option only if you are a confident Linux user.

How do I view and access the scan log?

For each scan option there is also an option to view the scan log.  If you are familiar with using a Linux Terminal (command line) you can access the text file logs in the /tmp/ folder using the advanced bash shell option.  If you need to copy the logs from the temporary folder (/tmp/) to a USB drive see article 122467.
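
The following is an added example, not part of the Sophos article: shell functions you could run from the Bash Shell option to summarise detections in a scan log under /tmp/. It assumes the log contains Sophos Anti-Virus for Linux style lines of the form `>>> Virus 'NAME' found in file PATH`; the function names, the sample lines and the `/tmp/<scan log>` placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an SBAV scan log from the Bash Shell.
# Assumption: each detection is logged on one line as
#   >>> Virus 'NAME' found in file PATH
# Adjust the patterns below if your log uses a different layout.

# detection_count FILE -> number of detection lines in the log
detection_count() {
    grep -c "^>>> Virus '" "$1" || true
}

# summarise_log FILE -> "COUNT NAME" per threat name, most frequent first
summarise_log() {
    sed -n "s/^>>> Virus '\([^']*\)' found in file .*/\1/p" "$1" |
        sort | uniq -c | sort -rn | sed 's/^ *//'
}

# infected_files FILE -> unique paths of files reported as infected
infected_files() {
    sed -n "s/^>>> Virus '[^']*' found in file \(.*\)/\1/p" "$1" | sort -u
}

# sample_log -> constructed log lines for trying the functions offline
sample_log() {
cat <<'EOF'
>>> Virus 'EICAR-AV-Test' found in file /mnt/sda1/Users/test/eicar.com
>>> Virus 'EICAR-AV-Test' found in file /mnt/sda1/Users/test/copy/eicar.com
>>> Virus 'Example/Threat-A' found in file /mnt/sda1/Temp/sample.exe
3 files out of 120 were infected.
EOF
}

# Usage: sh summarise.sh /tmp/<scan log>
if [ -n "${1:-}" ]; then
    echo "Detections: $(detection_count "$1")"
    echo "By threat name:"
    summarise_log "$1"
    echo "Affected files:"
    infected_files "$1"
fi
```

The list of affected files is useful to keep alongside the log itself when you copy the results off the computer for later analysis.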

Help! I need more help with configuring or running the tool.

SBAV is a free tool and as such there is no telephone or email support, unless a Sophos support engineer has asked you to use the tool in the course of a support ticket. If you have a question, post it to our community.

If you need more information or guidance, then please contact technical support.
