Sophos Anti-Rootkit: rootkit removal on a network with an infected domain controller
On a network where the domain controller has been infected with a rootkit, you will have to clean the domain controller before using Sophos Anti-Rootkit to clean your remaining computers over the network.
Follow the instructions in this article, then use the network disinfection article.
What to do
1. Cleaning the key computers
You must clean some key computers to enable the network disinfection process:
- a computer separate from your network with an internet connection, a CD writer, and a virus scanner (here called 'sheep dip')
- your Domain Controller.
The test computer 'sheep dip' should be running one of the following operating systems:
- Windows 2000 server
- Windows 2003 server
- Windows 2000 Professional
- Windows XP Professional
It should have its own internet connection, which should be disconnected while it is cleaned, and should be physically isolated from the main network (this separation can be temporary).
The 'sheep dip' computer should meet the system requirements for running EM Library and Enterprise Console. See the release notes for the current versions of these products.
Note: If your Sophos
- Use the graphical user interface version of the Sophos Anti-Rootkit tool to clean the 'sheep dip' computer and domain controller. See the user manual for details.
- Use Sophos Anti-Virus version 6 or above to remove any other malware from the 'sheep dip' computer.
Make a note of any files that are not removed during the cleaning process and decide what is to be done about them. These files might also be present on computers elsewhere on your network. This could affect the cleaning of the whole network.
Now you need to use Sophos
- Use the Sophos Anti-Virus installation on the 'sheep dip' computer to make an installation on the Domain Controller as described in the knowledgebase article EM Library: installing and updating on a secure network with an air gap. The 'sheep dip' computer will take the place of the 'dirty' network, and the Domain Controller will be on the 'secure' network when following the air gap installation instructions.
- When following the above instructions, prepare Sophos Anti-Virus central installation directories (CIDs) for your workstation operating systems, but do not yet install the workstations.
2. Preparing to clean your network
Before you clean the other computers on your network:
- Ensure that Sophos Anti-Virus has been installed on your domain controller and on any computer running a CID.
- Do not install or clean the workstations until your key computers have been cleaned.
- Configure your anti-virus policy for your key computers so as to run on-access scanning using 'On read', 'On write' and 'On rename'. You can do this centrally from Enterprise Console, or locally at the computer. This will ensure that any attempt to infect the Domain Controller during network disinfection will be intercepted.
Run a scan on each key computer to ensure that it is free of malware.
Warning: Do not reboot or log off the Domain Controller during network cleaning. It could become reinfected.
Now follow the instructions for cleaning your remaining computers over the network.
Note: After you have finished cleaning your network, reconfigure your anti-virus policy to use only 'On read' scanning.
If you need more information or guidance, then please contact technical support.
- Article ID: 17125
- Created: 21 Aug 2006
- Last updated: 9 Oct 2008
