eicar_com.zip: cleanup aborted because on allow list

I downloaded Eicar in several versions and was confused about this event in the Sophos Endpoint.

We do not have eicar on an allow list.

Event on the endpoint agent:

and in Central:

In the documentation I found that zip files containing a virus are not deleted, but then there would be a message like: manual cleanup required.

"If the threat is found in an archive file:

Example: Malware not cleaned up: 'EICAR-AV-Test' at '/Users/emk/Downloads/eicarcom2.zip'

Manual intervention is typically required. Sophos will not remove an archive file if it contains a threat, as it may also contain an important file you wish to keep. You may want to delete the file in these instances, but this is for you to decide based on if you recognize the file, the location, or if there are important files within the archive"

On the other hand, other eicar test viruses in zip files have been deleted from disk automatically:

I'm confused about the behaviour of the Endpoint. Sometimes it deletes the zip, sometimes not?

[edited by: GlennSen at 7:10 AM (GMT -8) on 24 Jan 2023]