Sophos Anti-Rootkit tool

  • Article ID: 17125
  • Rating:
  • 14 customers rated this article 3.6 out of 6
  • Updated: 14 Jan 2015

The Sophos Anti-Rootkit (SAR) tool is designed to assist Administrators in quickly establishing if there is a possibility of a rootkit infection on a machine.

Operating System

SAR is supported on the following operating systems:

  • Windows 2000 and above.
  • Windows XP and above.
  • Windows Vista and above.
  • Windows 7 and above.
  • Windows Server 2003 and above.
  • Windows Server 2008 and above.
  • The tool is supported on both 32-bit and 64bit versions of the above Windows OS.

Watch the video

Where to obtain the tool

The tool is available from the following link.{65C28225-B1C7-4C48-9354-33557ED4D682}

Note: You should always use the latest copy of the tool.

Using the tool

The tool can be used in two ways:

  1. Run via the Graphical User Interface (GUI).
  2. Run via the Command Line Interface (CLI).

Running via the GUI

  1. Log on to the computer with an administrative account.
  2. Launch the tool from the Start Menu by going to:
    Start | All Programs | Sophos | Sophos Anti-Rootkit | Sophos Anti-Rootkit
    Note: If the computer has User Access Control (UAC) enabled then right click on the Sophos Anti-Rootkit shortcut from the Start Menu and select the 'Run as administrator' option.
  3. Choose to scan the running processes, Windows registry or local hard drives with the tick boxes. If Sophos Anti-Virus is installed on the machine then the extensive scan option can also be chosen. To run the scan click on 'Start scan'. The Sophos Anti-Rootkit will scan the system and attempt to find any hidden threats on the machine.

Running from the Command Line

The command line tool can be found in the following folder:

  • 32-bit computer: C:\Program Files\Sophos\Sophos Anti-Rootkit\sarcli.exe
  • 64-bit computer: C:\Program Files (x86)\Sophos\Sophos Anti-Rootkit\sarcli.exe

There are several command line options that can be passed to the command line tool. These are:

Option Description
Show the help message.
Scan running processes for hidden items.
Scan registry for hidden items.
Scan local hard drives for hidden items.
Write scan log to file X (default %TEMP%\sarscan.log).
Don't write a log file.
Don't produce any screen output.
Clean up all recommended removable items (requires restart).
Write clean up log to file X (default %TEMP%\sarclean.log).
Extensive scan - requires installed Sophos Anti-Virus.
Restart to complete clean up if anything needs to be removed.


  • The command prompt must be elevated to an administrative level.  
  • If no areas are specified, all will be scanned; defaults: -proc -reg -disk -log.
  • Press the ESC key at any time to stop a scan before it has finished.

Output log from the tool

To access these logs after scanning, as well as the zipped samples of what was found, type the following from either the Windows Run dialog box or the command prompt:


Example of use

SAR should be used to find undetected, hidden malware on a computer. Rootkit software could be part of any type of malware due to the multi-component nature of threats that exist today.

The log output (see above) will list any files or registry locations that are detected as hidden, it will also give the option to cleanup. If there are files that look suspicious then you should submit the samples.sar file to Sophos at the link below.

See the table below for a list of common locations for files detected by SAR as well as the actions required.

Detection Location Actions
Application Data directories
Submit a sample
Program Files directories
Submit a sample (unless application is known to create temporary files, e.g. Microsoft Exchange)
ProgramData directory
Submit a sample
Root of hard drives/partitions
Submit a sample
Temporary Internet Files
Unlikely to be malicious, no samples required
Windows directory and sub-directories
Submit a sample

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent