How to remove malicious files with SAV32CLI

  • ID dell'articolo: 13251
  • Valutazione:
  • 45 di clienti ha valutato questo articolo 4.8 su 6
  • Aggiornato il: 15 mag 2016


This article explains how to remove malware using the Sophos Anti-Virus 32-bit command line interface (SAV32CLI) on Windows. This procedure involves rebooting into a low-level diagnostic mode that does not require the full operating system to be running (safe mode).

The following sections are covered:

Applies to the following Sophos product(s) and version(s)

Sophos Endpoint Security and Control


How to remove malicious files with SAV32CLI

1. Back up important data

If the infected computer has valuable data on it, back up the data to CD or DVD or a USB device before removing any malicious software. The infection might deteriorate to a point where you could no longer access the operating system, or you may damage the computer during disinfection.  Ensure any back ups are fully scanned by Sophos Anti-Virus to ensure no malware is contained within them.

2a. Ensure your SAV32CLI is up to date

To ensure SAV32CLI is up to date with the latest threat identity files, check that your local copy of SAV for Windows is up to date. Do the following:

  1. From the computer's desktop, right-click the Sophos shield from the bottom right corner and then select Open Sophos Endpoint Security & Control.
    If a User Account Control prompt appears, select Yes to open the program.

  2. From the left hand Status panel, ensure that the Last updated date is recent.

If the date shown is recent and you intend to scan the computer using the locally installed copy of Sophos Anti-Virus, go to step 3

If the date shown is not recent, the latest detection and cleanup information will not be available during a scan, hence it is important to resolve any problems with the installation before continuing.  If the installation has not been updated/able to update for some time, or the installed program is not functioning correctly, we recommend running SAV32CLI from a CD-ROM, or similar write-protected media, that is obtained from the installation of SAV for Windows running on an uninfected computer - see step 2b.

2b. Obtain a copy of SAV32CLI from an up-to-date computer

NOTE:  If the locally installed copy of Sophos Anti-Virus for Windows is up-to-date and you intend to run a scan using the locally installed copy, you do not need to run SAV32CLI from an external media.  Ensure you have followed step 2a above and then proceed to step 3.

To obtain a copy of the SAV32CLI program you need to have available another computer which is not infected with malware and running an up-to-date copy of Sophos Anti-Virus for Windows.  The process involves copying the Sophos Anti-Virus folder from the other computer to a write-protected media. Therefore you will need either:

  • a blank CD-R disc and the other, up-to-date, computer to have the ability to write (burn) a CD-R.
    The infected computer will also need a CD-ROM or DVD drive to read the disc.


  • an external storage device, such as a USB thumb drive or memory card.  This should have the ability to be write-protected so that when inserted into the infected computer, no additional files can be written to it.  Some USB thumb drives offer a write-protection switch as do many SD cards.
    WARNING: If a write-protected option is not available, malicious files from the infected computer could be written or transferred to the drive when it is inserted into that computer. If the drive is then inserted into another computer, the malware could transfer to that computer spreading the infection.

How to obtain a copy of SAV32CLI

  1. Move to the uninfected, up-to-date, Windows computer.

  2. Insert your chosen external media (CD-R, USB drive/memory card, etc).

  3. Copy the C:\Program Files (x86)\Sophos\Sophos Anti-Virus\ folder to the root (top-level) of the media.
    NOTE: Program Files (x86) will be Program Files for 32-bit computers.

  4. Burn the CD-R (using your normal method) or eject the USB drive/memory card.

  5. If you are not using a CD-R, set the write-protection switch on the USB drive or memory card. If the drive does not have a write-protection option, we do not recommend it be used.  However for emergency situations you may decide to proceed. In these cases do not trust the card after removal from the infected computer. The card should be fully formatted after removal and scanned by Sophos Anti-Virus from a suitable computer (e.g., a Mac or Linux computer that cannot be infected with malware designed for Windows, or from a Windows computer that is disconnected from your network and configured for best protection).  In all cases the computer used to scan the drive should have an up-to-date copy of Sophos Anti-Virus installed, be fully patched regarding operating system updates, and contain no valuable data/information that is not fully backed up to an external source.

3. Disable all network connections

Unplug the network cable from the computer and switch off the WiFi connection.

4. Reboot in safe mode

It is possible to run SAV32CLI from an administrator command prompt from your computer desktop while it is booted in the normal way.

However, we recommend rebooting the computer into safe mode to minimize the chance of any malware present on your computer from being allowed to run and hence increase the chances of the malware being removed.

To enter safe mode, switch off your computer, switch it back on, and in the first moments of life, press F8, which will show the Windows Error Recovery window and a selection of boot methods.  From the menu, select Safe Mode and press Enter.

NOTE: Since SAV32CLI is only a command line program, Safe Mode with Command Prompt is all that is required. Selecting Safe Mode, which loads a basic graphical desktop, is acceptable but you must then open a command prompt to run the program. However Safe Mode does provide a familiar method of file and folder navigation as Windows Explorer is available.

5. Run SAV32CLI in safe mode

Based on your decision from section two above you may be running SAV32CLI from the local installation or from write-protected media.  Follow the steps below depending on your decision.  If you have loaded a graphical desktop open a command prompt from the menu. For example:

5a. Run SAV32CLI from the installed copy of SAV for Windows

From the command prompt, do the following:

  1. Change directory to the folder containing the SAV32CLI program:
    • 32-bit computer: cd C:\Program Files\Sophos\Sophos Anti-Virus\
    • 64-bit computer: cd C:\Program Files (x86)\Sophos\Sophos Anti-Virus\

  2. Type the following command:
    sav32cli.exe -remove -p=C:\sav32cliscan.txt

    If the command prompt shows sav32cli.exe is not recognized..., you are currently not in the folder containing the program. Go back and review step 1 above. The command will scan and remove files.
    For further scan options, see Scanning options with SAV32CLI.

  3. During the scan, press Y (for Yes) when prompted to remove a malicious file.

5b. Run SAV32CLI from write-protected media

Insert the CD-ROM or USB pen drive/memory card into the computer, and then from the command prompt do the following:

  1. Change the drive letter to the one associated with the CD-ROM or drive containing the copy of SAV32CLI.  
    Open Windows Explorer and check drive letter shown there.

    For example to change to the E drive type E: (only the letter and colon) then press Enter.

  2. Once the correct drive is selected, change directory to the folder containing the SAV32CLI program.  If you followed step 2b above, you will see a Sophos Anti-Virus folder at the top level of the drive.  

    Type cd Sophos Anti-Virus to enter that folder.

    An example of a Sophos Anti-Virus folder at the top level of a USB drive as shown in Windows Explorer in safe mode:

  3. Type the following command:
    sav32cli.exe -remove -p=C:\sav32cliscan.txt

    If the command prompt shows sav32cli.exe' is not recognized... you are currently not in the folder containing the program.  Go back and review steps 1 and 2 above. The command will scan and remove files.
    For further scan options, see Scanning options with SAV32CLI.

  4. During the scan press Y (for Yes) when prompted to remove a malicious file.

6. Additional instructions for manual cleanup

Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions.
To open the Registry Editor, click Start and then type regedit' in the search field.  
Read the warning about editing the registry before making any changes.

Related information

Feedback and contact

If you've spotted an error or would like to provide feedback on this article, please contact the KBTeam.
This is invaluable to us to ensure that we continually strive to give our customers the best information possible.

Per maggiori informazioni o per assistenza, vi preghiamo di contattare il supporto tecnico.

Valutate l'articolo

Molto scadente Eccellente