Emergency SAV distribution (DOS)
--------------------------------
www.sophos.com

Contents
--------
1 Introduction
2 New in this version
3 Information from previous versions
4 Notes on using this distribution
5 System requirements
6 Which version of the Emergency SAV Distribution to use
7 Win32 viruses, 16-bit (DOS) mode and Windows 95/98
8 Using an Emergency SAV Distribution floppy disk set
9 Securely booting a computer
10 Disinfecting viruses
11 Using virus identity (IDE) files with the Emergency SAV Distribution
12 More information

1 Introduction
--------------
This distribution contains the file SWEEP.EXE, Sophos's command-line virus detector and disinfector for DOS. In an emergency, this is the single most useful program in the Sophos Anti-Virus range, as it can be used on almost all computers, including those with DOS, Windows 3.1x, Windows 95, Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP, OS/2 or NetWare installed.

Uses for this distribution include:
* pre-installation scanning of key computers after clean boot
* removal of boot sector viruses from workstations and servers
* emergency disinfection of 32-bit computers in 16-bit mode

2 New in this version
---------------------
* Improved handling of .pdf and Stuffit files
* Command line qualifier -XML
  You can use the command line qualifier -XML to direct Sophos Anti-Virus to scan .xml files.
* Disinfection of Unicode files (used within MIME and HTML)
* Improved MIME handling to resolve a number of issues with previous releases
* Command line qualifier -EF=
  You can use the command line qualifier -EF= to direct Sophos Anti-Virus to exclude the file(s) specified from scanning (refer to the Sophos Anti-Virus DOS/Windows 3.1x user manual for details).
* The Emergency SAV distribution has been updated with new virus information.

3 Information from previous versions
------------------------------------
a) Improved handling of malformed MIME files.
b) Improved PDF file scanning.
c) Multi-file virus data (3.67)
   Virus information can now be supplied as a number of small files rather than as a single large file. This will reduce the size of monthly virus data updates, as only the small files that have been updated need to be replaced. SWEEP has been updated to read virus data from the new multi-file format, while retaining support for the original combined format.
d) Command line qualifier -IDE (3.67)
   The new command line qualifier -IDE allows either a file name or a directory to be specified. If a file name is specified, then this file alone is loaded as an identity. This may be useful when an identity has been supplied by technical support to disinfect a specific virus. If a directory is specified then this is where SWEEP for DOS will look for its IDE files. IDE files in other directories will be ignored.
   Note: used on its own, the qualifier -IDE is equivalent to -IDE=A:\

4 Notes on using this distribution
----------------------------------
To use this distribution securely, it is essential to ensure that no viruses are memory-resident.
* This is achieved by secure booting, i.e. executing only code that is known to be virus-free during booting-up.
* With certain W32 viruses it is sufficient to restart Windows 95 and Windows 98 computers in DOS mode.
* For all other viruses a write-protected, clean system floppy disk is needed.
Failure to boot securely may result in some stealth viruses not being detected on disk.

5 System requirements
---------------------
SWEEP.EXE is a 32-bit application which requires at least a 386 processor to run. A minimum of 8Mb of memory is also required.

6 Which version of the Emergency SAV Distribution to use
--------------------------------------------------------
The Emergency SAV Distribution can be run straight from the Sophos CD or from floppy disks created from the disk images. If using it from a download, extract it and copy it onto a medium which can be write-protected.
a) Windows 95
   By default, after clean booting in Windows 95 you will have no access to the CD drive. You should use a floppy disk set.
b) Windows 98 and Windows Me
   In Windows 98 and Windows Me you will have access to the CD drive after clean booting. You can run the Emergency SAV Distribution straight from the Sophos CD.

7 Win32 viruses, 16-bit (DOS) mode and Windows 95/98
----------------------------------------------------
When disinfecting a W32 virus on Windows 95/98 you must use DOS mode (not a command prompt 'DOS box') or a clean startup disk. Restart the computer in 16-bit (DOS) mode and follow the disinfection instructions for that W32 virus. As W32 viruses cannot infect in 16-bit mode you may be able to use a copy of the Emergency SAV Distribution from the computer's hard drive. Check the details for the virus concerned.
Note: For Windows Me you will have to use a clean startup disk, or boot from your Windows CD.

8 Using an Emergency SAV Distribution floppy disk set
-----------------------------------------------------
An Emergency SAV Distribution floppy disk set is useful after clean booting where there is no CD support (e.g. Windows 95).
a) Making an Emergency SAV Distribution floppy disk set
   You can make an Emergency SAV Distribution floppy disk set in one of four ways:
   * Follow the instructions at www.sophos.com/support/knowledgebase/article/30.html
   * Run DISKMAKE.EXE in the Diskimgs folder on the Sophos Anti-Virus CD.
   * Run ESDMAKE.BAT in the Diskimgs folder on the Sophos Anti-Virus CD.
   * Run SFWRITE.EXE using the instructions in Diskimgs.txt on the Sophos Anti-Virus CD.
b) Running the Emergency SAV Distribution from floppy disk
   When the Emergency SAV Distribution is run from floppy disk it will prompt for the "SWEEP Virus Data" disk. You must use the SWEEP Virus Data disk from the same month (version number) as the copy of SWEEP, i.e. both should have been prepared at the same time.
   Any virus identity (IDE) files for new viruses should be placed on the final floppy disk, or run from a separate floppy disk using the -IDE command line qualifier.

9 Securely booting a computer
-----------------------------
Switch the computer off. Do not use Ctrl-Alt-Del, because this is intercepted by some viruses. Insert a clean, write-protected system floppy disk into drive A:. Switch the computer on and let it boot from the floppy.
After the computer has booted, it will display the prompt
   A:\>
SWEEP can now be run from the Sophos CD's TOOLS\ESD directory. If the CD is not available then SWEEP can be run from the Emergency SWEEP diskette, or from the local extraction directory (C:\SOPHTEMP by default) if using the web download.
There are instructions on creating a startup disk for Windows 95/98/Me at www.sophos.com/support/knowledgebase/article/45.html
There are instructions on creating an MS-DOS startup disk at www.sophos.com/support/knowledgebase/article/57.html

10 Disinfecting viruses
-----------------------
Before removing a virus always check the analysis for the virus involved: www.sophos.com/virusinfo/analyses/
a) Disinfecting boot viruses
   To disinfect boot viruses you will need to have prepared an Emergency SAV Distribution floppy disk set from disk images on an uninfected computer. Boot the computer with a clean boot disk (see section 9). Insert the emergency SWEEP disk (the first floppy disk) in drive A:.
   Disinfect the virus with the command:
      A:SWEEP -DI
b) Disinfecting and removing other viruses, Trojans and worms
   To disinfect macro viruses and disinfectable executable file viruses, use the -DI command line qualifier:
      SWEEP -DI
   To remove infected files that cannot be disinfected, Trojan files and worm files, use the -REMOVEF command line qualifier:
      SWEEP -REMOVEF
   For a full list of commands use the -H command line qualifier, or see the Sophos Anti-Virus for DOS/Windows 3.1x manual and readme:
      SWEEP -H

11 Using virus identity (IDE) files with the Emergency SAV Distribution
-----------------------------------------------------------------------
You can either place the IDE files with the SWEEP executable or use the -IDE command line qualifier.
* For a floppy disk set, place the IDE files on the final disk in the set.
* On other media, place the IDE files in the same directory as SWEEP.EXE.
The command line qualifier -IDE allows either a file name or a directory to be specified.
When run alone, the qualifier -IDE is equivalent to -IDE=A:\. For example, running from the C: drive:
   SWEEP -DI -IDE
will disinfect viruses using IDEs from a floppy disk in the A: drive.
If a directory is specified then this is where SWEEP for DOS will look for its IDE files. IDE files in other directories will be ignored. For example, running from the C: drive:
   SWEEP -DI -IDE=C:\IDES
will disinfect viruses using IDEs in the directory C:\IDES.
If a file name is specified, then this file alone is loaded as an identity. This may be useful when an identity has been supplied by technical support to disinfect a specific virus.

12 More information
-------------------
The Emergency SAV Distribution contains SWEEP.EXE, Sophos's command-line virus detector and disinfector for DOS. You can find more information in the Sophos Anti-Virus for DOS/Windows 3.1x manual and readme.
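Sections 9 to 11 as one worked procedure: an added example batch file (ESDRUN.BAT is a constructed name; this is not part of the Sophos distribution) that runs SWEEP after the clean boot, choosing between the -IDE forms described in section 11 and between -DI and -REMOVEF from section 10. It assumes SWEEP.EXE was extracted to C:\SOPHTEMP (the default web-download directory named in section 9) and that any extra IDE files are either in C:\IDES (a constructed path) or on the floppy in drive A:.

```batch
@ECHO OFF
REM ESDRUN.BAT - added example, not part of the Sophos distribution.
REM Runs SWEEP after a clean boot (section 9), loading virus identity (IDE)
REM files as described in section 11. Assumes SWEEP.EXE was extracted to
REM C:\SOPHTEMP (the default web-download directory) and that any extra IDE
REM files are either in C:\IDES (constructed path) or on the floppy in A:.
REM Usage:  ESDRUN          disinfect (-DI)
REM         ESDRUN REMOVE   remove undisinfectable, Trojan and worm files (-REMOVEF)

IF EXIST C:\SOPHTEMP\SWEEP.EXE GOTO HAVESWEEP
ECHO SWEEP.EXE not found in C:\SOPHTEMP - run it from the Sophos CD or the floppy set.
GOTO END

:HAVESWEEP
REM Action qualifier: -DI by default, -REMOVEF when REMOVE is given as the argument.
SET ACTION=-DI
IF "%1"=="REMOVE" SET ACTION=-REMOVEF

REM IDE source: a local IDE directory if one exists, otherwise the floppy in
REM drive A: (-IDE on its own is equivalent to -IDE=A:\).
IF EXIST C:\IDES\*.IDE GOTO LOCALIDES
ECHO Loading IDE files from the floppy in drive A:
C:\SOPHTEMP\SWEEP.EXE %ACTION% -IDE
GOTO END

:LOCALIDES
ECHO Loading IDE files from C:\IDES (IDE files in other directories are ignored)
C:\SOPHTEMP\SWEEP.EXE %ACTION% -IDE=C:\IDES

:END
SET ACTION=
```

Copy the batch file alongside SWEEP.EXE onto the write-protected medium before the clean boot, so that nothing from the suspect hard disk has to run first.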
The manual is available in PDF format in DOCS\ENG\MANUALS\DOS_MEN.PDF on the Sophos CD or at www.sophos.com/support/docs/#doswin
The readme is available in the DOS folder on the Sophos CD or at www.sophos.com/readmes/readdos.txt

01/2005
----------------