I downloaded Eicar in several versions and was confused about this event in the Sophos Endpoint.
We do not have eicar on an allow list.
Event on the endpoint agent:
and in Central:
In the documentation I found that zip files containing virus are not deleted but then there would be a message like: manual cleanup required.
"If the threat is found in an archive file: Example: Malware not cleaned up: 'EICAR-AV-Test' at '/Users/emk/Downloads/eicarcom2.zip' Manual intervention is typically required. Sophos will not remove an archive file if it contains a threat, as it may also contain an important file you wish to keep. You may want to delete the file in these instances, but this is for you to decide based on if you recognize the file, the location, or if there are important files within the archive"
Example: Malware not cleaned up: 'EICAR-AV-Test' at '/Users/emk/Downloads/eicarcom2.zip'
On the other hand, other eicar test viruses in zip file have been deleted from disk automatically:
I'm confused about the behaviour of the Endpoint. Sometimes it deletes the zip, sometimes not?
Thanks for reaching out.
Were these items detected when running a full system scan, or did on-access scanning pick these up?
on access found them while downloading file to disk (only file scanner enabled)
Today, ~24h after the events happened, we receive all the mails from sophos central about manual cleanup required.
Non of the files have been written to disk because Intercept-X blocked that.
So much confusion caused by the product...
What is that delay good for?
any idea what that allow list could be?
I was not able to replicate this on my end. I'd suggest opening a support case with our team to investigate the "Allow" entry that was generated.
I will also reach out to you via PM to inquire about the settings you have defined in the policy so I may do some more testing.