Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
This article answers the frequently asked questions about the Sophos Bootable Anti-Virus tool (SBAV). The following sections are covered:
Applies to the following Sophos products and versions Sophos Bootable Anti-Virus
The Sophos Bootable Anti-Virus (SBAV) tool allows scanning and cleaning up an infected computer without the need to load its operating system that is installed on its local hard drive. This is useful when the operating system of the computer after bootup, prevents clean up through any means, or when the Master Boot Record (MBR) of the computer is infected.
SBAV should not be used as a first response cleanup tool unless advised by Sophos Support. Other tools, such as the Sophos Anti-Virus Removal Tool or SAV32CLI should be tried before using SBAV.
A few caveats about SBAV:
The SBAV program is provided free of charge as a Windows binary (.exe) file. To use it, download the program to a Windows computer, install it, and then run one command. The program will create an ISO file with the latest version of Sophos Anti-Virus for Linux including all recent virus protection updates. The tool can be used to boot a computer into a minimal Linux-based operating system and run a scan of the computer. This bypasses the local operating system, no malware can be loaded, and cleanup is possible.
To create the SBAV tool to perform cleanup, refer to the following articles:
During the first seconds after the computer is switched on, it will accept a key that is immediately pressed then displays a boot menu. An example is shown below (The vmware logo would normally be replaced by the computer's manufacturer like Lenovo, Asus, Dell, Toshiba, HP, etc.).
The boot menu, once displayed will look similar to this:
The exact key needed to be pressed can be different on different computers. The screen should be read attentively during startup to see the appropriate key. Commonly, the F12 and Esc keys are used.
The key press has to occur within a few seconds otherwise, the computer will boot normally, usually through the hard drive.
The one-time change boot menu is the quicker and safer option. But there is another way to alter the boot order. The order of boot devices is controlled by the computer BIOS configuration. During the first few seconds of bootup, the BIOS can be accessed to change the boot order.
The key used to access the BIOS is shown briefly at startup. The F2 and the Del/Delete keys are the common choices. In the BIOS, there is a boot section and normally, there are on-screen instructions provided on how to change the boot order.
In the BIOS, the boot order can be set for every future boot, until changed again. Whereas, the boot menu mentioned previously, only changes the boot device for the next startup. There is no harm in changing the boot order of the computer. For example, the computer is set to boot first via USB, second boot is CD, and third boot is through the hard drive. This is because, as long as there is no USB drive attached, nor CD disc in the drive, the computer quickly skips over the first two options and boot from the hard drive as normal.
When the SLAX Linux boot screen is seen, it indicates that the tool is loading.
Wait for it to fully load and show the Main Menu screen. It may take a few minutes to appear. Also, it is just normal for the screen to stop showing progress for short periods.
When the tool has fully loaded, the Main Menu screen appears. Read the descriptions below for each options to select the scan appropriate for you.
The main menu has two categories of scans:
Note: To select an option, either press the up and down arrow keys or the corresponding white letter. Press Enter or the right arrow key to enter the desired option.
The scan will take a long time if there is a lot of files on the hard drive. During the scan, do not do anything on the keyboard. At the end of the scan, a prompt to press return (to return to the Main Menu - Pdmenu) will appear. The Display scan and disinfect log option can be selected after the scan to review the scan log.
Properly reboot the computer using the Reboot option from the main menu once finished with the tool.
There are two advanced options in the main menu.
Scan logs can be viewed on each scan options. The text file logs can be accessed in the /tmp/ folder using the advanced bash shell option. To to copy the logs from the temporary folder (/tmp/) to a USB drive, follow the steps on article 122467.
SBAV is a free tool. There is no telephone or email support - unless a Sophos support engineer has advised to use this tool in the course of a support ticket. Concerns about the use of this tool can be posted to the Sophos Community.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. For technical support post a question to the community. Or click here for new feature/product improvements. Alternatively for paid/licensed products open a support ticket.