User manual SOPHOS ANTI-ROOTKIT 1.5 07-2009

[. . . ] Sophos Anti-Rootkit user manual Product version: 1. 5 Document date: July 2009 Contents 1 About Sophos Anti-Rootkit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2 System requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3 Install Sophos Anti-Rootkit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 4 Remove Sophos Anti-Rootkit. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 5 About scanning for rootkits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 6 Run Sophos Anti-Rootkit from the command line. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 7 Start Sophos Anti-Rootkit using the Windows interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 8 Scan for rootkits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 9 Clean up rootkits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 10 View results of rootkit cleanup. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 11 Technical support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 12 Copyright. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 2 Sophos Anti-Rootkit user manual 1 About Sophos Anti-Rootkit Sophos Anti-Rootkit 1. 5 enables you to scan for and clean up any rootkits that may be hidden on your computer. A rootkit is a Trojan or technology that is used to hide the presence of a malicious object (process, file, registry key, or network port) from the computer user or administrator. There are Windows-interface and command-line versions of Sophos Anti-Rootkit. [. . . ] Scans generally take significantly longer to complete on a server computer. You can stop a scan at any time, but the results will be incomplete, so run a scan at a time when it will cause least inconvenience. When Sophos Anti-Rootkit cleans up a rootkit from your computer, a restart is required to complete the process. 6 Run Sophos Anti-Rootkit from the command line 1. Open a command prompt and change to the Sophos Anti-Rootkit installation folder by typing: cd C:\Program Files\Sophos\Sophos Anti-Rootkit 2. To view the command line help, type: sarcli -help For more information on using the command-line version of Sophos Anti-Rootkit, see http://www. sophos. com/support/knowledgebase/article/17091. html. 4 Sophos Anti-Rootkit user manual 7 Start Sophos Anti-Rootkit using the Windows interface Click Start > Programs > Sophos > Sophos Anti-Rootkit > Sophos Anti-Rootkit. 8 Scan for rootkits To scan your computer for rootkits: 1. Select the check boxes next to the areas of your computer that you want to scan. Select the Extensive scan check box to scan every file on your computer during the Local hard drives scan instead of just the hidden ones. Note: Selecting this option will potentially find more rootkits, but the scan will take longer to complete. Depending on your computer, the time taken for this may be over an hour. When the scan is complete, a dialog box is displayed showing whether Sophos Anti-Rootkit has found any suspicious files. 9 Clean up rootkits The names of suspicious files are displayed in the results list in the upper panel of the Sophos Anti-Rootkit window. However, after you have cleaned up any rootkits, these items will disappear from the results list. 5 Sophos Anti-Rootkit user manual To clean up rootkits: 1. Click the name of a suspicious file or process to display information about it. The information displayed includes whether the item is recommended for removal: Option Removable: No Removable: Yes (clean up recommended) Removable: Yes (but clean up not recommended for this file) Description These files cannot be marked for removal. Sophos does not recognize these files and recommends that youdo not remove them. If you are unsure what to do about some of these files, follow the instructions in Technical Support (page 7) to send the log and archive files to Sophos for further analysis. The information displayed may also tell you whether there is a description of the file. To view the description of the file, go to the Sophos website at www. sophos. com, type the name of the file in the Search box at the top of the home page, and then click the Search button. [. . . ] To view sarscan. log, type the following from either the Windows Run dialog box or the command prompt: %TEMP%\sarscan. log Any submission of files and/or data to Sophos is covered by the Sophos End User License Agreement, which is available at www. sophos. com/legal. 12 Copyright Copyright © 2004-2009 Sophos Group. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner. 7 Sophos Anti-Rootkit user manual Sophos and Sophos Anti-Rootkit are trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners. 8 [. . . ]