The Sophos source of infection tool is a tool designed to assist administrators in finding the source of malicious files being written to certain machines on the network. This article describes how to use the source of infection tool.
Note: The tool is not supported on machines with another anti-virus product running.
Version 2.0 of the tool supports both 32-bit and 64-bit versions of the following Windows operating systems:
Download the tool from this link. Ensure that you use the latest version. Note: The source of infection tool has been updated to version 2.0.
The tool must be run as an administrator. On Windows Vista and later with UAC, the tool must be run from the administrator (elevated) command prompt. The tool is supported on a machine without an antivirus product running, or on a machine with Sophos Anti-Virus running.
The tool is run with the following options:
Notes on options new to version 2.0.0
Option -ext lets you filter which file extensions are recorded; if it is omitted from the command line, the tool records all dropped files. The option can be used multiple times with a cumulative effect, so several extensions can be recorded if required. Option -lf lets you log to an alternate directory; the Windows account launching the tool must be able to write to that location.
Notes on options covering all versions
Options -p and -n are mutually exclusive: -n is for tracking malware that drops files across the network, and -p is for identifying malware hidden locally. The -a option is useful for filtering out unnecessary events when the administrator knows the path where the malicious file is expected to appear. The area filter can only be used once per run of the tool. The log level values are:
1 – log all information (verbose)
2 – log important information only (default)
3 – no logging
The log size option affects writing to Soi.log: if it is used, the log file grows to a maximum of the set value (in MB). If one of the log files grows over the specified limit, it is backed up and re-created (one previous backup is preserved). If the option is not specified, or -ls = 0, the log size is unlimited (default). Options -h, -id and -ud, if present, must be used on their own. After the tool is started (except with the -h option), it collects information until it is interrupted with Ctrl-C.
The tool generates two files in the temp directory of the logged on user by default, as defined by the environmental variable %temp% (Start > Run > Type: %temp% > Press return):
Scenario A
In this scenario the malicious file is dropped from a source machine onto the machine under investigation. Note that a file can only be dropped into a shared directory or one of its sub-directories; however, most Windows machines have an administrative share (C$) that gives access to the entire drive.
Having identified, using Sophos Anti-Virus, the shared location that the malicious files are being dropped into, the Sophos Source of Infection tool can then be used to find the infected host. To do this, use the network (-n) and area (-a) switches. See the example below:
SourceofInfection.exe -n -a "c:\sharedfolder"
The Source of Infection tool will then log all new or modified files within the sharedfolder directory (the share). Open the log file Source of Infection Log.csv; once the malicious files have been identified in the log, stop logging by pressing Ctrl-C. Here is an example of the log:
Date/Time,File path,Process/Network,Process path/Machine name
"2010/07/15 12:20:59","C:\sharedfolder\autorun.inf","Network","172.16.100.184"
This means that the file autorun.inf was dropped via the network from IP address 172.16.100.184 at 12:20pm.
Note: Confirmation of whether a machine is being reinfected locally or across the network can be obtained by isolating the machine. If the malicious files do not return whilst the machine is isolated this confirms that the malware can spread via the network. If the malicious files do return whilst the machine is isolated please see Scenario B below.
Scenario B
In this scenario the malicious file is dropped by a local process on the machine.
Having identified, using Sophos Anti-Virus, the location that the malicious file is being dropped into, the Sophos Source of Infection tool can then be used to find the infecting process. To do this, use the process (-p) and area (-a) switches. See the example below:
SourceofInfection.exe -p -a "C:\Documents and settings\Administrator\Local Settings\Temp"
The Source of Infection tool will then log all new or modified files within the chosen directory. Wait for the malicious file to return, press Ctrl-C to stop the tool, and then open the log file Source of Infection Log.csv to identify the source of the infection. Here is an example of the log:
Date/Time,File path,Process/Network,Process path/Machine name
"2010/07/15 12:32:55","C:\Documents and Settings\Administrator\Local Settings\Temp\5541syrty.exe","Process","C:\WINDOWS\svvvvhost.exe"
This shows that the file 5541syrty.exe was dropped by a process called svvvvhost.exe into the Temp directory, therefore a sample of svvvvhost.exe should be submitted.
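The two log excerpts above (Scenario A and Scenario B) share one CSV layout, so the triage can be scripted. The following is an added example, not part of the Sophos article or the tool itself: it parses the log format shown above, applies an extension filter equivalent to the tool's -ext option, and groups each dropped file by its network or process source. The sample log is constructed from the article's two example rows; the column names and the date format are assumed to be exactly as printed above.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the CSV header and the two example rows from the article.
# A real log is read from "%temp%\Source of Infection Log.csv".
SAMPLE_LOG = r'''Date/Time,File path,Process/Network,Process path/Machine name
"2010/07/15 12:20:59","C:\sharedfolder\autorun.inf","Network","172.16.100.184"
"2010/07/15 12:32:55","C:\Documents and Settings\Administrator\Local Settings\Temp\5541syrty.exe","Process","C:\WINDOWS\svvvvhost.exe"
'''


def parse_soi_log(text, extensions=None):
    """Parse Source of Infection Log.csv text into a list of records.

    `extensions` mirrors the tool's -ext filter: when given (e.g. ["exe", "inf"])
    only files with one of those extensions are kept; otherwise every row is kept.
    """
    wanted = {e.lower().lstrip(".") for e in extensions} if extensions else None
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        path = row["File path"]
        # The log comes from a Windows tool, so split on backslashes explicitly
        # instead of relying on the host OS path separator.
        name = path.rsplit("\\", 1)[-1]
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if wanted is not None and ext not in wanted:
            continue
        records.append({
            "time": row["Date/Time"],
            "path": path,
            "kind": row["Process/Network"],              # "Network" or "Process"
            "source": row["Process path/Machine name"],  # IP address or dropping process
        })
    return records


def summarise_sources(records):
    """Group dropped files by (kind, source). A Network source is a host to
    isolate and clean; a Process source is a local binary to submit as a sample."""
    by_source = defaultdict(list)
    for r in records:
        by_source[(r["kind"], r["source"])].append(r["path"])
    return dict(by_source)


if __name__ == "__main__":
    for (kind, source), files in summarise_sources(parse_soi_log(SAMPLE_LOG)).items():
        action = "isolate and scan host" if kind == "Network" else "submit process sample"
        print(f"{kind:8} {source:40} {len(files)} file(s) -> {action}")
```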
There are very few situations where this should be needed: malware generally behaves consistently, so the location it writes to can usually be identified. If you do have to log all files, simply run the tool with no additional switches.
You should be aware that under normal operating conditions many files are created and modified by the operating system and other applications, so without a precise location the log will contain many entries that are of no interest.