If a scan is run whilst the computer is being used, false positives may appear in the scan results. This is caused by files or registry entries being deleted during the scan, such as temporary files being deleted automatically when an application is closed.
To work around this problem, close all non-essential applications, and then run the scan again.
It may not be possible to clean up any remaining unauthorized files on removable storage devices such as external hard disk drives and USB flash drives. The reason for this is that the cleanup component runs before the device drivers are loaded in the boot sequence.
To work around this problem:
When specifying the location of the cleanup log using the command-line version (sarcli -cleanlog="X"), give a path on a local hard disk drive rather than a network drive. The reason for this is that the cleanup component runs before the network drivers are loaded in the boot sequence.
The command-line version cannot remove unknown hidden files. To work around this problem, use the Windows-interface version.
The following error message is displayed when you attempt to run Sophos Anti-Rootkit in Windows safe mode:
Error: Could not initialize kernel driver memsweep.sys.
Sophos Anti-Rootkit will still, however, perform a disk and registry scan. This applies to both the Windows-interface and command-line versions.
To work around this problem, start Windows normally, and then run Sophos Anti-Rootkit.
For technical support, visit http://www.sophos.com/support.
If you contact technical support, provide as much information as possible, including the following:
To send the Sophos Anti-Rootkit hidden archive file and log files to technical support:
%TEMP%\samples.sar
%TEMP%\sarscan.log
%TEMP%\sarclean.log
samples.sar is an encrypted archive of all hidden files detected by the scan and sarscan.log is a text file listing the hidden files contained in samples.sar.
Before you send sarscan.log to technical support, check that it does not contain any confidential information. To view sarscan.log, type the following from either the Windows Run dialog box or the command prompt:
%TEMP%\sarscan.log
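One way to carry out this check from PowerShell, as an added example that is not part of the Sophos documentation: it lists the log lines that mention the current user, computer or domain name, an e-mail address or a network share. The function name Find-SensitiveLogLine and the sample lines are hypothetical, and the log is assumed to be plain text read line by line, since its layout is not described here.

```powershell
# Added example: list sarscan.log lines that mention values you may not want to share.
# Assumption: the log is plain text; its layout is not documented on this page,
# so every line is treated as free text.
function Find-SensitiveLogLine {
    param(
        [string[]]$Line = @(),
        [string[]]$Term = @($env:USERNAME, $env:COMPUTERNAME, $env:USERDOMAIN)
    )
    # Literal terms are escaped so names containing regex metacharacters match as-is.
    $patterns = @(
        $Term | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
            [pscustomobject]@{ Reason = "term '$_'"; Regex = [regex]::Escape($_) }
        }
    )
    $patterns += [pscustomobject]@{ Reason = 'e-mail address'; Regex = '[\w.+-]+@[\w-]+(\.[\w-]+)+' }
    $patterns += [pscustomobject]@{ Reason = 'UNC path';       Regex = '\\\\[\w.$-]+\\[\w.$-]+' }

    # -match is case-insensitive, so "JDoe" and "jdoe" are both reported.
    for ($i = 0; $i -lt $Line.Count; $i++) {
        foreach ($p in $patterns) {
            if ($Line[$i] -match $p.Regex) {
                [pscustomobject]@{ LineNumber = $i + 1; Reason = $p.Reason; Text = $Line[$i] }
            }
        }
    }
}

$log = Join-Path $env:TEMP 'sarscan.log'
if (Test-Path -LiteralPath $log) {
    Find-SensitiveLogLine -Line @(Get-Content -LiteralPath $log) |
        Format-Table -AutoSize -Wrap
} else {
    # Constructed sample lines (not real Sophos output), used when no log exists.
    $sample = @(
        'C:\Users\jdoe\AppData\Local\Temp\payroll-2009.tmp',
        'C:\WINDOWS\system32\drivers\example.sys',
        '\\fileserver01\finance$\q3-forecast.xls'
    )
    Find-SensitiveLogLine -Line $sample -Term 'jdoe' | Format-Table -AutoSize -Wrap
}
```

Pass your own list with -Term to search for project or customer names instead of the default user, computer and domain names.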
Any submission of files and/or data to Sophos is covered by the Sophos End User License Agreement, which is available at www.sophos.com/legal.
Copyright © 2004-2009 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the licence terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos and Sophos Anti-Rootkit are trademarks of Sophos Plc and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.