Sophos Anti-Rootkit
Release Notes
Version 1.3
March 2007
www.sophos.com

Important information you need to know before installation
----------------------------------------------------------

Contents
--------

1. New in this version
2. Key features
3. Known issues

1. New in this version
----------------------

* Enhanced detection and cleanup facilities.

* Users can install and uninstall Sophos Anti-Rootkit using standard Windows procedures (i.e. the Windows Start menu and the Windows Add/Remove Programs menu option).

* The file sarscan.log is cumulative and is timestamped. The file sarclean.log is cumulative and is not timestamped.

2. Key features
---------------

* Scans running processes, the Windows registry and local hard drives for rootkits.

* Identifies known rootkits and selects, by default, only those files whose removal will eliminate the rootkit component of the malware without compromising OS integrity.

* Allows users to remove unidentified hidden files, but does not allow removal of essential system files when they are hidden by an identified rootkit.

* Once the user has run a scan, the screen prompts the user through the necessary steps until every rootkit has been removed.

* Users can switch between the GUI and command-line functionality.

* Both context-sensitive and command-line help are available.

3. Known issues
---------------

* If the scan is performed while the computer is in use, false positives may appear in the scan results. This is caused by files or registry entries being deleted during the scan, including temporary files that are deleted automatically. We suggest you close non-essential applications and re-run the scan.

* It may not be possible to clean up files on a removable drive or USB key. This is because the cleanup component runs before the device drivers are loaded in the boot sequence. If this occurs, remove the removable drive or USB key. Next, restart the computer, plug the key back in, and scan it with anti-virus software, such as Sophos Anti-Virus.

* When specifying the location of the cleanup log on the command line (sarcli -cleanlog=...), it must be on a local drive rather than a network share. This is because the cleanup component runs before the network drivers are loaded in the boot sequence.

* If rootkit components are found on a drive which uses NTFS compression, it may not be possible for SAR to identify them. In this case they will be reported as "Unknown hidden file". This situation is not currently supported by the product.

* Unidentified hidden files cannot be removed via the command line. Please run the graphical user interface (sargui.exe) and refer to section 3 of the Sophos Anti-Rootkit User Manual.