This article provides answers to frequently asked questions on the Sophos Bootable Anti-Virus tool (SBAV).
Applies to the following Sophos product(s) and version(s): Sophos Bootable Anti-Virus
Operating systems: Windows
The Sophos Bootable Anti-Virus (SBAV) tool allows you to scan and clean up a computer infected with malware without the need to load the infected operating system installed onto the local hard drive of the computer. This is useful if the state of the computer's normal operating system - when booted - prevents cleanup by other means, or the Master Boot Record (MBR) of the computer's hard drive is infected.
SBAV should not be used as a first response cleanup tool unless advised by Support. Other tools, such as the Sophos Anti-Virus Removal Tool or SAV32CLI should be tried before SBAV.
A few caveats about SBAV:
The SBAV program is provided free of charge as a Windows binary (.exe) file. To use it you must download the program to a Windows computer, install it, and then run one command.
The program will create an ISO file with the latest version of Sophos Anti-Virus for Linux, including all recent virus protection updates. You can then use this tool to boot a computer into a minimal Linux-based operating system and run a scan of the computer. Because this bypasses the local operating system, no malware can be loaded, and cleanup is possible.
Steps for creating a bootable CD are available in article 52011. If you prefer to create a bootable USB pen drive with the tool installed see article 111374.
During the first seconds after the computer is switched on the computer will accept a key press that, if performed immediately, will display a boot menu. An example is shown below ('vmware' logo would normally be replaced by the computer's manufacturer like Lenovo, Asus, Dell, Toshiba, HP, etc.)
The boot menu, once displayed will look similar to this:
The exact key you have to press can be different on different computers. You have to read the screen (don't blink) during startup and see what it is on your computer. Commonly the F12 key and Esc key are used.
You will not have very long to read the screen, and the key press has to occur within a few seconds; otherwise the computer will boot normally, and this will most likely be from the hard drive.
Using the one-time change boot menu is the quicker and safer option, but there is another way to alter the boot order. The order of boot devices is controlled by the computer BIOS configuration. During the first few seconds you can also enter the BIOS and check the boot order. Example:
Again the key used to access the BIOS is shown briefly at startup. The F2 key and the Del/Delete key are common choices. In the BIOS there is normally a 'boot' section and there are normally on-screen instructions provided for how to change the boot order.
In the BIOS you are setting the boot order for every future boot (until changed again), whereas the boot menu mentioned previously only changes the boot device for the very next startup. There is no harm in setting the computer to boot, for example, from USB first, then CD second, and then finally the local hard drive - even if you normally boot from the hard drive. This is because, as long as no bootable USB drive is attached and no bootable CD is in the drive (and most are not set to be bootable), the computer will quickly skip over the first two options and boot from the hard drive as normal.
When you see the 'SLAX' Linux boot screen you know the tool is loading...
Wait for it to fully load and show the 'Main Menu' screen (shown below). It may take a few minutes to appear and it is normal for the screen to stop showing progress for short periods.
When the tool has fully loaded you will see the 'Main Menu'. Example:
You can use the up and down arrow keys on the keyboard to move up and down the list of options, or select the corresponding white letter to jump to the option required, and then press enter - or the right arrow key - to select the item.
The main menu has two categories of scans - 'Recommended' and 'Advanced'. The right scan depends on your situation.
If you need, or have been asked, to start investigating whether undetected malware is present on your computer, then under 'Sophos Recommended Scans' use 'Scan for viruses (detect only)'...
...which will only check the hard drive and log the results for later analysis.
The 'Rename infected files' scan - which appears above the detect only scan in the menu - allows a scan to be run in which infected files only have their name changed. This can sometimes be enough to stop the malware from running when you boot back into your normal operating system and also allows for samples of the malware to be collected and submitted to SophosLabs for analysis. However, the malware is not removed, so unless you have been asked to collect samples, move to the 'Sophos Advanced Scans' option.
Under the advanced scans option you have a choice of scans to either 'delete' or 'disinfect' viruses...
The recommended scan here is the lower one labeled 'Disinfect viruses'. This scan will delete files that are completely (100%) malicious and, if it is able to, remove just the malware portion of a personal or operating system file that has become infected.
If the computer's hard drive has a lot of files the scan may take a long time. During the scan do not touch the computer's keyboard. At the end of the scan it will prompt you to press return to return to the Main Menu (Pdmenu). After a scan you can select the 'Display scan...log' option for that scan and review the scan log.
Once finished with the tool you should properly reboot the computer using the 'Reboot' option from the Main Menu.
There are two advanced options in the Main Menu.
For each scan option there is also an option to view the scan log. If you are familiar with using a Linux Terminal (command line) you can access the text file logs in the /tmp/ folder using the advanced bash shell option. If you need to copy the logs from the temporary folder (/tmp/) to a USB drive see article 122467.
SBAV is a free tool and as such there is no telephone or email support - unless a Sophos support engineer has asked you to use the tool in the course of a support ticket. If you have a question, post it to our community.