Where to find removed files?

Hi,

When an item is detected, a Sophos internal utility called Sophos Clean is used to cleanup the item. Customers using Sophos Central have the ability to restore files after they have been cleaned up. This feature is designed to allow the restoration of files and their associated permissions, registry keys e.t.c. after they have been incorrectly detected as malware and removed. BUT not all detected files will have an option to be restored, it is predominantly Portable Executable (PE) files that can be restored, this includes for example .exe, .dll and .sys files, whereas documents and scripts like .doc, .xls and .js aren't able to be restored.

To restore a file after a detection, please do the following:

1. Log in to Sophos Central.
2. Locate the device where the detection occurred on.
3. Select the Events tab.
4. Locate the detection event (needs to be where it was detected, not the cleanup event).
5. If there is a Details option on the right-hand side it means the file can be restored.
   
   
6. After selecting the Details option you will then be presented with the Event details screen. This gives you information about the detection, the file, and its location. You will also be given the SHA-256 hash. This can be useful if you want to submit it to VirusTotal or contact Sophos Support with questions about this file. If the file is digitally signed you will also be given the certificate details.
7. You have the following options to allow the detected file:
    
   • SHA-256: This will restore this file and any components that were cleaned up as part of this detection. 
   • Path: This will restore any files that have been detected and cleaned up in that location.
   • Certificate: This will restore all files signed with the same digital signature that has been detected and cleaned up.
    
8. After allowing an application you will see a confirmation message with a link to the Allowed Applications section, you can use this section to review and revoke any previously allowed applications.

Please give feedback if this helped you out!

Best Regards

Hi,

yes, I know how to release files, but the big question is, if it is safe to release a file. How am I supposed to know if file is false positive without having the chance to send it to Sophos Labs for example. On the other hand in my case it is an inf file. So what you are saying is, that sophos clean is removing it and it is gone for good? What if theis was an false positive? Bad luck?

Hi,

yes, I know how to release files, but the big question is, if it is safe to release a file. How am I supposed to know if file is false positive without having the chance to send it to Sophos Labs for example. On the other hand in my case it is an inf file. So what you are saying is, that sophos clean is removing it and it is gone for good? What if theis was an false positive? Bad luck?

Sorry, then I misunderstood you 

In these circumstances, Sophos suggests using the files SHA-256 hash. For Sophos Central customers, locating the SHA-256 hash of a detected or suspicious file is normally easy, for details on how to do this please see Sophos Central: How to locate a files unique SHA-256 hash. Then put this Hash into VirusTotal to check if other vendors have registered it as malware.

If the hash is unknown, we have here an official way when a file gets detected by central managed endpoints: If the target file has been detected by the endpoint and put into SafeStore you will need to contact Technical Support for them to process the extraction and submission. I know this can take some time, but it's the safest and only official way at the moment. 

Cheers