Avast aswMBR, Sophos Anti-Rootkit, Free Rootkit Scanners

Martin Brinkmann
Jul 31, 2011
Updated • Apr 10, 2012
Security, Software, Windows, Windows software

Windows XP systems are more prone to being infected with rootkits as Microsoft's latest operating system Windows 7. That's the result of a study conducted by Avast that surveyed more than 600,000 Windows PCs. Reasons for this higher infection rate are systems that are running the now unsupported service pack 2 and better protection of the Windows 7 operating system, and there especially the 64-bit versions.

While one could argue that the figures are also explainable by the factors time and the fact that most rootkits target 32-bit systems, it is undeniable that rootkits pose a serious security risk.

The two free rootkit scanners Avast aswMBR and Sophos Anti-Rootkit can be used to scan a PC system for rootkits. There are other tools that can be used for the purpose, like the previously reviewed Codewalker, AVG Anti-Rootkit Free or the incredibly useful TDSSKiller by Kaspersky.

Avast aswMBR is a portable program for Windows. The program offers to download the latest antivirus definitions from Avast servers on first start. Those definitions are then used to scan and identify potentially dangerous files that have been discovered by the rootkit scanner.

avast aswmbr rootkit scanner

A click on the Scan button starts the scan of the system. Potentially dangerous files are highlighted in yellow and red colors on the screen. Suspicious or infected files are declared as those directly in the interface. The Fix or Fix MBR buttons are used to disinfect the system and remove the rootkit from it. Avast aswMBR can be downloaded directly from the Avast website. The rootkit module is part of all Avast antivirus solutions.

Sophos Anti-Rootkit is another portable rootkit scanner for Windows. The download becomes available after filling out a two page form on the Sophos website. The rootkit scanner comes as a rar archive that you need to unpack on the system. The program displays a minimalistic interface on startup. The Windows Registry and local hard drives are automatically selected for the scan next to the running processes. A click on Start Scan opens a new window that highlights the scan progress.


The anti-rootkit software lists all suspicious or unknown hidden files in the log. Not all those files are rootkits, and it pays to scan the listed files with another rootkit scanner or an online scanner such as Virus Total.

Both rootkit scanners are portable and free for personal use. This makes them ideal for a admin toolset on DVD or USB stick.


Tutorials & Tips

Previous Post: «
Next Post: «


  1. Anatoly Nechaev said on August 1, 2011 at 12:53 pm

    Here’s kinda direct link to Sophos Anti-Rootkit (without forms, only eula).

  2. ilev said on August 1, 2011 at 8:14 am

    If XP PCs running Avast had 74% rootkit contamination, it means that Avast anti-virus let those rootkits in.

    1. Martin Brinkmann said on August 1, 2011 at 8:18 am

      The conclusion does not make sense Ilev. Avast is not running on 100% of all Windows XP systems.

      1. manicmac said on August 1, 2011 at 2:15 pm

        Reread that ….makes perfect sense.
        If you are running avast and get a rootkit…. avast failed.

      2. Martin Brinkmann said on August 1, 2011 at 2:19 pm

        But there was no mentioning in the article that all the PCs analyzed were running Avast at the time of infection, right? Avast could have picked up the rootkits on first scan and used that data to determine the infection rates.

  3. Richard Steven Hack said on August 1, 2011 at 1:01 am

    I just downloaded Sophos Anti-Rootkit. It does not come as a RAR archive, but an EXE, specifically “sar_15_sfx.exe”. It also has an install process, presenting a EULA, and then installing to the C:Program FilesSophosSophos-Antirootkit directory.

    This is not what is commonly meant as “portable”. You can, however, install it, then copy the files to a USB key, uninstall it from the system, and it will run independently.

    You also don’t need to fill out a “two page form” at the site. You can check, “I am a home user”, and just fill in a (fake) phone number and indicate what country, state and zip code you’re in, and you can then download the product.

  4. cearner said on July 31, 2011 at 11:19 pm

    It looks like AVG Anti-rootkit free is no longer available


Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.