Sophos Anti-Rootkit, version 1.5 release notes

New in this version

  • Support for disk and registry scanning on new platforms: Windows Vista, Windows Server 2008, Windows Server 2003 SP2, Windows 7, and Windows 64-bit platforms.
  • Sophos Anti-Rootkit uses virus data if Sophos Anti-Virus is installed, and will report threats more specifically than if data is not present.
  • Sophos Anti-Rootkit can now scan every file on the disk instead of just the hidden ones, which will potentially find more malware. This option requires Sophos Anti-Virus to be installed.

Known problems

  • If a scan is run whilst the computer is being used, false positives may appear in the scan results. This is caused by files or registry entries being deleted during the scan, such as temporary files being deleted automatically when an application is closed.

    To work around this problem, close all non-essential applications, and then run the scan again.

  • It may not be possible to clean up any remaining unauthorized files on removable storage devices such as external hard disk drives and USB flash drives. The reason for this is that the cleanup component runs before the device drivers are loaded in the boot sequence.

    To work around this problem:

    1. Disconnect the removable storage device.
    2. Restart the computer.
    3. Connect the removable storage device.
    4. Scan the removable storage device with anti-virus software such as Sophos Anti-Virus.
  • When specifying the location of the cleanup log using the command-line version (sarcli -cleanlog="X"), enter the address of a local hard disk drive rather than a network drive. The reason for this is that the cleanup component runs before the network drivers are loaded in the boot sequence.

  • The command-line version cannot remove unknown hidden files. To work around this problem, use the Windows-interface version.

  • The following error message is displayed when you attempt to run Sophos Anti-Rootkit in Windows safe mode:

    Error: Could not initialize kernel driver memsweep.sys.

    Sophos Anti-Rootkit will still, however, perform a disk and registry scan. This applies to both the Windows-interface and command-line versions.

    To work around this problem, start Windows normally, and then run Sophos Anti-Rootkit.

  • When Sophos Anti-Rootkit is run on Asian-language operating systems, files with names longer than 193 double-byte characters may be identified as hidden files in the disk scan. For more information, see
  • (DEF 38697) After installing Sophos Anti-Rootkit version 1.5 over version 1.3, the Extensive scan check box is wrongly available when Sophos Anti-Virus is not present on the system. To work around this problem, uninstall version 1.3 before installing version 1.5.
  • (DEF 39084, DEF 39085, DEF 39098) Sophos Anti-Rootkit does not support simultaneous scans. For more information, see

Additional information

  • Sophos Anti-Rootkit no longer ships with its own set of detection data. If Sophos Anti-Virus is installed on the system, Sophos Anti-Rootkit will use the data from that. If there is no Sophos Anti-Virus installation, Sophos Anti-Rootkit will still detect hidden items but they will report them as "unknown hidden item".

Technical support

For technical support, visit

If you contact technical support, provide as much information as possible, including the following:

  • Sophos software version number(s)
  • Mail server or gateway details
  • Operating system(s) and patch level(s)
  • The exact text of any error messages

To send the Sophos Anti-Rootkit hidden archive file and log files to technical support:

  1. Go to and complete the Sample submission form. Follow the instructions on screen, except as shown below.
  2. For I want to submit a, select File sample.
  3. Under File 1, click Browse, and then navigate to the following files in turn:




samples.sar is an encrypted archive of all hidden files detected by the scan and sarscan.log is a text file listing the hidden files contained in samples.sar.

Before you send sarscan.log to technical support, check that it does not contain any confidential information. To view sarscan.log, type the following from either the Windows Run dialog box or the command prompt:


Any submission of files and/or data to Sophos is covered by the Sophos End User License Agreement, which is available at


Copyright © 2004-2009 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.

Sophos and Sophos Anti-Rootkit are trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.