Sophos Bootable Anti-Virus: Gathering samples

  • Article ID: 53417
  • Updated: 15 Aug 2014

You can use the advanced options to gather samples of suspicious files that cannot be gathered whilst running Windows. This can be done as follows:

  • Carry out a clean shutdown of the machine.
  • Boot from the Sophos Bootable CD.

Applies to the following Sophos product(s) and version(s)
Sophos Bootable Anti-Virus

What To Do

Changing the Keyboard Locale

For UK customers you may want to change the keyboard layout (default is United States layout). To do this:

  • Select Keyboard layout.
  • From the Keymaps menu select United Kingdom.
  • Click Back to main menu.

Gathering Samples

From the main menu select Bash Shell (advanced users only) option. These instructions will not delete the original malicious file.

  1. You will now be presented with the following command prompt:

  2. Plug in your removable device, such as a USB memory stick, that you plan to copy the sample on to.

  3. We need to mount the internal hard drive so we can locate the sample. We also need to change directory to where our hard drive will be mounted. Type the two lines below, each line followed by Return / Enter (↩):
    cd /mnt/dev

  4. The prompt should now read:

  5. From here you will need to determine which mount point is the location for the file. Type the following and press Return / Enter (↩):

  6. You should now be presented with a list of all the block devices (e.g. hard drives and partitions) and where they are mounted. If you look down the far right column, labelled "MOUNTPOINT", you should note one or more entries with the mountpoint of /mnt/dev/sd?? where the question marks are a letter followed by a number. An example output is below:
    sda    8:0     0  465.8G 0  disk
    ├─sda1 8:1     0  1.5G   0  part /mnt/dev/sda1
    ├─sda2 8:2     0  454.5G 0  part /mnt/dev/sda2
    └─sda3 8:3     0  9.8G   0  part /mnt/dev/sda3
    sdb    8:16    0  1.8G   0  disk
    └─sdb1 8:17    0  1.8G   0  part
    The letter represents a physical device such as a hard disk, the number represents a partition on that device. Note type "disk" for sda, and type "part" for sda1. Also note that only partitions are mounted, not disks.

    We can see that sda is 465.8G (i.e. ~500GB) in size. This helps us identify that sda is the internal hard drive. We can also see that sdb is 1.8G (i.e. ~2GB) in size. As my USB stick is 2GB, it is most likely that sdb is my USB stick.

    Judging by the size of sda2, it is most likely that sda2 is our Windows partition (e.g. C:\ on a Windows computer).

  7. Once you have determined which mount point contains Windows, we need to change directory into it so we can start exploring and locate the sample. Type in the following to change directory to the mounted IDE hard drive, press Return / Enter (↩):
    cd sda2

  8. List the contents of the drive / directory with this command, press Return / Enter (↩):

  9. From here you should recognise the Windows folder structure, you can change the location using the 'cd' command. If you start typing a folder name, you can also press the Tab button (↹) to auto-complete the folder name you are typing. Note that file and folder names are case sensitive.
    Example: cd Windows/Temp

    If you go into a folder which you need to go back out of (i.e. move back to the parent folder) type the following and press Return / Enter (↩):
    cd ..

    If, at any point, you wish to know the absolute path to your current working directory (i.e. what folder you are currently in), type the following and press Return / Enter (↩):

    Again, if you need to list all files in the directory / see all the files in the folder, type the following and press Return / Enter (↩):

  10. Once you are in the directory where the malware sample resides, we will need to mount the removable media (e.g. USB stick) to copy it to. If you refer back to step 6, we were able to determine that sdb is our USB stick. We need to create a folder to mount the USB stick to, and then to mount the folder. Type the two lines below, modifying /dev/sdb1 to the device and partition number you found in step 6, each line followed by Return / Enter (↩):
    mkdir /mnt/dev/usb
    mount /dev/sdb1 /mnt/dev/usb

  11. With the removable media mounted, we now need to copy the malware sample to it and ensure we rename the sample so that it's file extension will not allow it to execute on Windows.

    To copy the file, which we will call "malware.exe" in the example command below, we will use the 'cp' command. Type the command below, modifying "malware.exe" to the name of the sample you wish to submit to us, and press Return / Enter (↩):
    cp malware.exe /mnt/dev/usb/malware.infected

  12. Once the file has been copied, you can now exit SBAV and then send the copied file in for analysis. To reboot the computer, type the following and press Return / Enter (↩):

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent