64 bit version?

My machine is behaving "weirdly" yet the usual tools (malwarebytes, spybot, trendmicro, avg, etc.) all say nothing is wrong. That's why I happened to find the sophos rootkit on a google search. However, it appears it will not scan memory if running win7 64 bit (and presumably any 64bit flavor of windows). The option to click "Running processes" is grayed out, and the command line says not supported on this version of windows. (Other options appear to be functioning properly.) I have v1.5.4 loaded. Is there a way to scan memory, or is there an update planned for 64 bit OS's anytime soon?

Thank you.

  • Hi Dell,

    You are quite right, SAR will not scan the memory of any 64bit machine, due to the way in which Memsweep.sys is loaded. An updated version of SAR is certainly being worked upon; however, there is no official release date for this.

    In order to scan your machine's memory, you can download an emergency copy of Sav32cli from our website:

    http://www.sophos.com/support/knowledgebase/article/13251.html

    You will be required to register a MySophos account with us. Once this is downloaded, you can run the following commands:

    *Note:- These commands assume you've extracted sav32cli to the default location*

    To run a scan of usermode memory only:

    "%systemdrive%\SAV32CLI\sav32cli.exe" -di -pua -exclude * -p="%userprofile%\desktop\Di_Mem_scan.log"

    To run a scan of usermode memory that will attempt to kill any malicious processes and clean any malicious threads:

    "%systemdrive%\SAV32CLI\sav32cli.exe" -remove -pua -exclude * -p="%userprofile%\desktop\Rem_Mem_scan.log"

    Both of these scans will output log files to your desktop with easy-to-read results telling you if anything at all was detected.
