This article gives information on scanning options and example commands that can be used with SAV32CLI.
Applies to the following Sophos product(s) and version(s): Sophos Endpoint Security and Control
To run a scan for information only, so as to create a log, open a command prompt and change to the folder where the sav32cli.exe program is stored (usually C:\Program Files\Sophos\Sophos Anti-Virus) and type the following:
This will create a log of infected files, but will not disinfect or delete any infected files. You can then copy the log to a floppy disk for printing or emailing. If you run SAV32CLI without the -P command line parameter, the information on viruses will be written only to the screen.
To disinfect infected items with SAV32CLI, use the '-di' command line parameter.
The '-di' command line parameter will disinfect infected boot sectors, some infected program (.exe) files, and infected documents (e.g. .doc, .xls).
So, if your computer has been infected by a number of viruses, macro viruses, and worms, first shut down the infected processes (either manually, or by booting into safe mode with command prompt): a file that is still in use cannot be disinfected or deleted, so a scan run over a live infection leaves it behind. Then run a series of scans to disinfect and remove these malicious programs, and keep a log of every scan.
SAV32CLI -DI -P=C:\SCANLOG1.TXT
Make a note of the number of files disinfected.
Run the scan again, with a different log name
SAV32CLI -DI -P=C:\SCANLOG2.TXT
If the number of files disinfected has decreased, run a third scan. If it has not, or the number is '0', remove all other virus files:
SAV32CLI -REMOVE -P=C:\REMOVLOG.TXT
The above scans will disinfect all files that can be disinfected, and remove the rest.
During this process any infected documents will have been disinfected. Check the relevant virus analysis to find out if the virus involved could have corrupted data in the document. If you check the logs, you may well find that some worm or Trojan files were infected with a virus, so they were first disinfected, then removed.
Note: If the number of infected files increases between scans, contact technical support.
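The sequence above (disinfect, re-scan, compare counts, then remove) is easy to get wrong when typed by hand across several logs, so here is an added PowerShell script that drives it and applies the article's decision rules. It is not part of the Sophos article. It assumes that sav32cli.exe sits in the usual folder named above, and it parses the log with a guessed regular expression for the "files disinfected" line ($DisinfectedPattern); open one real log first and adjust that pattern to the actual wording. Run it from an elevated console, or from safe mode with command prompt, after the infected processes have been stopped.

```powershell
# Added example (not from the Sophos article): drives the disinfect / re-scan /
# remove sequence and applies its decision rules.
# Assumptions to check before use:
#   $SavCli             - path to sav32cli.exe; the article says it is usually under
#                         C:\Program Files\Sophos\Sophos Anti-Virus.
#   $DisinfectedPattern - a GUESSED regex for the log line that reports how many
#                         files were disinfected; check one real log and adjust.
#   Run from an elevated console (or safe mode with command prompt) after the
#   infected processes have been stopped, as the article advises.

$SavCli             = 'C:\Program Files\Sophos\Sophos Anti-Virus\sav32cli.exe'
$LogDir             = 'C:\'
$DisinfectedPattern = '(\d+)\s+files?\s+(?:was\s+|were\s+)?disinfected'   # ASSUMED wording
$MaxDisinfectPasses = 3

function Invoke-SavScan {
    param([string[]]$ScanArguments, [string]$LogPath)
    if (Test-Path $LogPath) { Remove-Item $LogPath }        # one fresh log per pass
    # Output stays on the console so any confirmation prompts remain visible;
    # -P= writes the same information to the log file.
    & $SavCli @ScanArguments "-P=$LogPath" | Out-Host
    if (-not (Test-Path $LogPath)) { throw "sav32cli did not write a log to $LogPath" }
}

function Get-DisinfectedCount {
    param([string]$LogPath)
    $hit = Select-String -Path $LogPath -Pattern $DisinfectedPattern | Select-Object -Last 1
    if ($null -eq $hit) { return 0 }
    return [int]$hit.Matches[0].Groups[1].Value
}

$previous = $null
for ($pass = 1; $pass -le $MaxDisinfectPasses; $pass++) {
    $log = Join-Path $LogDir "SCANLOG$pass.TXT"
    Invoke-SavScan -ScanArguments @('-DI') -LogPath $log
    $count = Get-DisinfectedCount -LogPath $log
    Write-Host "Pass ${pass}: $count file(s) disinfected (log: $log)"

    # Nothing disinfected: a repeat -DI pass cannot make progress, go to removal.
    if ($count -eq 0) { break }
    if ($pass -ge 2) {
        if ($count -gt $previous) {
            # Article: if the number increases between scans, contact technical
            # support. Do not go on to the removal pass.
            Write-Warning "Disinfected count rose from $previous to $count. Stop here and contact Sophos technical support."
            return
        }
        # Not decreased: nothing more can be disinfected, move on to removal.
        if ($count -eq $previous) { break }
    }
    $previous = $count
}

# Removal pass. Deliberately no -NC: the article warns that -nc with -remove
# (especially together with -all) silently deletes whole archives and mailboxes
# that hold a single infected item, and documents that could have been cleaned.
$removeLog = Join-Path $LogDir 'REMOVLOG.TXT'
Invoke-SavScan -ScanArguments @('-REMOVE') -LogPath $removeLog
Write-Host "Removal pass finished. Review $removeLog, then check the virus analysis for each detected item for possible document corruption."
```

The script keeps each pass in its own log (SCANLOG1.TXT, SCANLOG2.TXT, ...) exactly as the article does, so the logs remain available for support if the count rises. The only logic it adds beyond the article is stopping early when a pass disinfects nothing, since a second identical -DI pass cannot change that result.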
By default, Sophos Anti-Virus checks files that it recognises to be executable files, and files with extensions used by known executable file types.
You can scan all files, and not just executables, with SAV32CLI by using the '-all' command line parameter.
You can use the '-cdr' command line parameter to specify the CD drive containing a CD to be scanned. For example, if you use
SAV32CLI will scan for a possible bootable image on a CD in drive D. If an image is found, SAV32CLI will check the boot sector of that image for boot sector viruses. If you also use the '-loopback' parameter, then SAV32CLI will go on to scan the files in that bootable image for executable viruses.
The command line parameter '-idedir' allows you to use an alternative directory, or drive, to specify where virus identity (IDE) files will be. The default directory is the directory with the main virus data in it. This will usually be the directory containing SAV32CLI.EXE.
For example, if you type
then IDE files in the root directory of a floppy disk inserted in the A: drive will be used.
To scan the whole system, just type 'SAV32CLI' followed by any disinfection or removal command line parameters, with no drive specified. Do not use '*:' as the target.
To scan individual drives use 'SAV32CLI C:' or 'SAV32CLI D:', etc.
For information on using wildcards and exclusions, see the SAV32CLI release notes.
SAV32CLI can abort the scanning of some forms of malicious file that are designed to disrupt the action of anti-virus scanners. These files, sometimes referred to as "zip bombs", usually take the form of innocent looking archive files that, when unpacked in order to be scanned, require enormous amounts of time, disk space, or memory.
The command line option --stop-scan directs SAV32CLI to stop scanning such "zip bombs" when they are detected. For example:
SAV32CLI -archive -all C:\ --stop-scan
...scans all objects (files and directories) on the C: drive, scanning inside archive files and stopping the scan when a "zip bomb" is detected.
When a "zip bomb" is detected, a message such as the following is reported:
Aborted checking C:\misc\b.zip - appears to be a 'zip bomb'
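To show what a scanner is reacting to when it aborts on a "zip bomb", here is an added PowerShell example; it is not part of the Sophos article and is not Sophos's own detection logic. A zip file's central directory records, for every entry, both the stored (compressed) size and the size the entry claims to inflate to, so the mismatch can be measured before anything is unpacked. The script builds a constructed sample in $env:TEMP (64 MB of zero bytes, which deflate shrinks to roughly 64 KB) and then inspects it. The 100:1 ratio and the 1 GB ceiling are this example's own thresholds.

```powershell
# Added example (not from the Sophos article, not Sophos's detection logic):
# measure how much an archive claims to inflate without extracting it.
Add-Type -AssemblyName System.IO.Compression
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-ZipBomb {
    param(
        [Parameter(Mandatory)][string]$Path,
        [double]$MaxRatio         = 100,   # declared bytes per stored byte (example threshold)
        [long]  $MaxDeclaredBytes = 1GB    # total declared uncompressed size (example threshold)
    )
    $declared = 0L; $stored = 0L; $entries = 0
    $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
    try {
        foreach ($entry in $zip.Entries) {
            $entries++
            $declared += $entry.Length            # size the entry header claims
            $stored   += $entry.CompressedLength  # bytes actually present in the archive
        }
    } finally {
        $zip.Dispose()
    }
    $ratio = if ($stored -gt 0) { $declared / $stored } else { [double]::PositiveInfinity }
    [pscustomobject]@{
        Path          = $Path
        Entries       = $entries
        StoredBytes   = $stored
        DeclaredBytes = $declared
        Ratio         = [math]::Round($ratio, 1)
        Suspicious    = ($ratio -gt $MaxRatio) -or ($declared -gt $MaxDeclaredBytes)
    }
}

function New-ConstructedBomb {
    # Constructed sample: $MegaBytes of zero bytes zipped with Optimal deflate.
    param([Parameter(Mandatory)][string]$Path, [int]$MegaBytes = 64)
    $src = Join-Path $env:TEMP ('bombsrc_' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $src | Out-Null
    $chunk  = New-Object byte[] (1MB)
    $stream = [System.IO.File]::Create((Join-Path $src 'zeros.bin'))
    try {
        for ($i = 0; $i -lt $MegaBytes; $i++) { $stream.Write($chunk, 0, $chunk.Length) }
    } finally {
        $stream.Dispose()
    }
    if (Test-Path $Path) { Remove-Item $Path }
    [System.IO.Compression.ZipFile]::CreateFromDirectory(
        $src, $Path, [System.IO.Compression.CompressionLevel]::Optimal, $false)
    Remove-Item $src -Recurse -Force
}

$sample = Join-Path $env:TEMP 'constructed-zip-bomb.zip'
New-ConstructedBomb -Path $sample
Test-ZipBomb -Path $sample | Format-List      # Ratio around 1000, Suspicious = True
Remove-Item $sample
```

Two caveats a real scanner has to cover that this check does not: the sizes in the headers are attacker-controlled and can understate the true inflated size, so extraction itself must also be capped on bytes written; and archives nested inside archives need the same check at every level (the -archive option above is exactly what exposes that nesting). Checking the declared ratio is only the cheap first gate.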
You can save time when disinfecting computers by using the 'no confirmation' command line parameter '-nc' in conjunction with '-remove'. This deletes every infected file automatically, without prompting. However, if you do this, particularly in conjunction with an 'all files' scan using the '-all' command line parameter, you risk losing whole archive files and mailboxes that contain only one infected item (the container is deleted, not just the item), and infected documents that could have been disinfected instead.
Moreover, if many system files on a computer are infected, you could reduce the computer to a state in which data recovery would not be possible without special tools.
Only use '-nc' with '-remove' where you are sure which files and file types on your computer are infected.