eicar_com.zip: cleanup aborted because on allow list

I downloaded Eicar in several versions and was confused about this event in the Sophos Endpoint.

We do not have eicar on an allow list.

Event on the endpoint agent:

and in Central:

In the documentation I found that zip files containing a virus are not deleted, but then there would be a message like: manual cleanup required.

"If the threat is found in an archive file:

Example: Malware not cleaned up: 'EICAR-AV-Test' at '/Users/emk/Downloads/eicarcom2.zip'

Manual intervention is typically required. Sophos will not remove an archive file if it contains a threat, as it may also contain an important file you wish to keep. You may want to delete the file in these instances, but this is for you to decide based on if you recognize the file, the location, or if there are important files within the archive"

On the other hand, other eicar test viruses in zip files have been deleted from disk automatically:

I'm confused about the behaviour of the Endpoint. Sometimes it deletes the zip, sometimes not?


