"Wanna" ransomware outbreak. Please see this Sophos article sophos.com/kb/126733 for advice on how to protect your organization. Immediate action recommended.
This article explains how to remove malware using the Sophos Anti-Virus 32-bit command line interface (SAV32CLI) on Windows. This procedure involves rebooting into a low-level diagnostic mode that does not require the full operating system to be running (safe mode).
Sophos Endpoint Security and Control
If the infected computer has valuable data on it, back up the data to CD, DVD or a USB device before removing any malicious software. The infection might deteriorate to the point where you can no longer access the operating system, or you may damage the computer during disinfection. Ensure any backups are fully scanned by Sophos Anti-Virus so that no malware is carried over in them.
To ensure SAV32CLI is up to date with the latest threat identity files, check that your local copy of SAV for Windows is up to date. Do the following:
If the date shown is recent and you intend to scan the computer using the locally installed copy of Sophos Anti-Virus, go to step 3.
If the date shown is not recent, the latest detection and cleanup information will not be available during a scan, so it is important to resolve any problems with the installation before continuing. If the installation has not updated, or has been unable to update, for some time, or the installed program is not functioning correctly, we recommend running SAV32CLI from a CD-ROM or similar write-protected media, obtained from an installation of SAV for Windows on an uninfected computer (see step 2b).
NOTE: If the locally installed copy of Sophos Anti-Virus for Windows is up to date and you intend to run a scan using that copy, you do not need to run SAV32CLI from external media. Ensure you have followed step 2a above and then proceed to step 3.
To obtain a copy of the SAV32CLI program you need to have available another computer which is not infected with malware and running an up-to-date copy of Sophos Anti-Virus for Windows. The process involves copying the Sophos Anti-Virus folder from the other computer to a write-protected media. Therefore you will need either:
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
Unplug the network cable from the computer and switch off the WiFi connection.
It is possible to run SAV32CLI from an administrator command prompt on your desktop while the computer is booted in the normal way.
However, we recommend rebooting the computer into safe mode, which minimizes the chance that any malware present on the computer is allowed to run and therefore increases the chance of it being removed.
To enter safe mode, switch off your computer, switch it back on, and as soon as it starts booting press F8, which shows the Windows Error Recovery window with a selection of boot methods. From the menu, select Safe Mode and press Enter.
NOTE: Since SAV32CLI is only a command line program, Safe Mode with Command Prompt is all that is required. Selecting Safe Mode, which loads a basic graphical desktop, is acceptable but you must then open a command prompt to run the program. However Safe Mode does provide a familiar method of file and folder navigation as Windows Explorer is available.
Based on your decision from section two above you may be running SAV32CLI from the local installation or from write-protected media. Follow the steps below depending on your decision. If you have loaded a graphical desktop open a command prompt from the menu. For example:
From the command prompt, do the following:
cd C:\Program Files\Sophos\Sophos Anti-Virus\
cd C:\Program Files (x86)\Sophos\Sophos Anti-Virus\
sav32cli.exe -remove -p=C:\sav32cliscan.txt
'sav32cli.exe' is not recognized...
Insert the CD-ROM or USB pen drive/memory card into the computer, and then from the command prompt do the following:
cd Sophos Anti-Virus
'sav32cli.exe' is not recognized...
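The steps above (change to the Sophos Anti-Virus folder, run sav32cli.exe with -remove and a log file, then decide what to do next) can be wrapped in a small batch file so that the scan is run from the right folder every time and the outcome is read from the program's return code rather than by eye. The script below is an added example, not part of the Sophos article or of the SAV32CLI program itself. It assumes the folder names given in the article, uses the same -remove and -p= options, and interprets return codes 0, 1, 2 and 3 as "clean", "interrupted", "error" and "threat detected", which is the meaning I recall from Sophos's SAV32CLI documentation; confirm it against the output of sav32cli -h on your own copy before relying on it.

```batch
@echo off
REM Added example (not from the Sophos article): run SAV32CLI from the local
REM installation or from write-protected media, logging to the same file as the
REM article, and report the result from the return code.
REM Usage:  runsav.cmd            (use the locally installed copy)
REM         runsav.cmd D:         (use the copy on the CD-ROM/USB media in D:)
setlocal

set "LOGFILE=C:\sav32cliscan.txt"
set "SAVDIR="

REM Optional first argument: drive of the write-protected media (see step 2b).
if not "%~1"=="" (
    if exist "%~1\Sophos Anti-Virus\sav32cli.exe" set "SAVDIR=%~1\Sophos Anti-Virus"
)

REM Otherwise fall back to the local installation: 64-bit Windows path first, then 32-bit.
if not defined SAVDIR if exist "%ProgramFiles(x86)%\Sophos\Sophos Anti-Virus\sav32cli.exe" set "SAVDIR=%ProgramFiles(x86)%\Sophos\Sophos Anti-Virus"
if not defined SAVDIR if exist "%ProgramFiles%\Sophos\Sophos Anti-Virus\sav32cli.exe" set "SAVDIR=%ProgramFiles%\Sophos\Sophos Anti-Virus"

if not defined SAVDIR (
    echo sav32cli.exe was not found in any expected folder. This is the usual cause
    echo of the "'sav32cli.exe' is not recognized" error: check the folder name, or
    echo pass the drive letter of the media as the first argument.
    exit /b 2
)

echo Running SAV32CLI from "%SAVDIR%", logging to %LOGFILE%
pushd "%SAVDIR%"
sav32cli.exe -remove -p=%LOGFILE%
set "RC=%ERRORLEVEL%"
popd

REM Return codes as I recall them from the SAV32CLI documentation (assumption; verify with sav32cli -h).
if "%RC%"=="0" echo Scan completed: nothing detected.
if "%RC%"=="1" echo Scan was interrupted: run it again so it completes.
if "%RC%"=="2" echo Scan hit an error: check %LOGFILE% and the age of the threat data.
if "%RC%"=="3" echo Threats were detected and removal was attempted: review %LOGFILE% and scan again until the result is clean.
endlocal & exit /b %RC%
```

Keeping the log file on the local disk (C:\ here, as in the article) rather than on the media matters when the media is genuinely write-protected, and passing the return code back out of the script lets the caller tell a clean scan from an interrupted or failed one without parsing the log.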
Before leaving Safe Mode, edit any registry entries mentioned in the virus analysis recovery instructions. To open the Registry Editor, click Start and then type regedit in the search field. Read the warning about editing the registry before making any changes.