
Apple Mac Endpoint - manage items in Quarantine

I wanted to consult documentation before calling and supporting the user remotely. Unfortunately, all I could find were old forum posts and documentation for retired products. Is there something helpful I can read about it? As I'm not using a Mac, I'm not familiar with the Sophos endpoint on it.

There was a false positive Cryptoguard detection that has been resolved, caused by a Google Chrome update.

  • Hi  ,

    Thank you for reaching out to the Sophos Community Forum. If this has already been resolved and you're looking to reset the health status, you may reset the detection count on Mac endpoint.

    If that doesn't work, you may perform the following steps:

    1. Turn off the Tamper Protection.
    2. Click on Go from the Finder menu and then select Computer.
    3. Enter the startup volume which is usually Macintosh HD.
    4. Go to Library > Sophos Anti-Virus.
    5. Rename the file events.db to events_old.db
    6. (only if malware events need to be cleared) Rename the file quarantine*.db to quarantine*.old
    7. (only if malware events need to be cleared) Rename the file quarantine*.db-shm to quarantine*.shm.old
    8. (only if malware events need to be cleared) Rename the file quarantine*.db-wal to quarantine*.wal.old
    9. Enter the Mac admin password to authorize the change.
    10. After a few seconds, new files should be created.
    11. Verify that the Sophos Endpoint user interface status and events count are green and 0, respectively.
    12. Turn on the Tamper Protection.

    We recommend only performing these steps if the Reset Summary option didn't work. Please let me know how it goes.

    Gladys Reyes
    Global Community Support Engineer
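    The rename steps above as a shell function, added here as an example (not Sophos' own tooling). It assumes Tamper Protection has already been turned off and that it is run with admin rights (`sudo`); the directory is a parameter so it can be exercised on a copy before touching /Library/Sophos Anti-Virus.

    ```bash
    #!/bin/sh
    # Added example: rename the Sophos event/quarantine databases so the
    # endpoint recreates them (steps 5-8 above). Assumes Tamper Protection
    # is off and the caller has admin rights. Nothing is deleted, only renamed,
    # so the old files remain available for forensics.
    # Usage: reset_sophos_db "/Library/Sophos Anti-Virus" [yes|no]
    #        second argument "yes" also clears the quarantine databases
    reset_sophos_db() {
        dir=$1
        clear_quarantine=${2:-no}
        if [ ! -d "$dir" ]; then
            echo "no such directory: $dir" >&2
            return 1
        fi

        # Step 5: events.db -> events_old.db
        if [ -f "$dir/events.db" ]; then
            mv "$dir/events.db" "$dir/events_old.db" || return 1
        fi

        # Steps 6-8: the quarantine database is SQLite; its -shm and -wal
        # sidecars belong to that database and must be renamed with it so the
        # daemon does not find sidecar files that no longer match the db beside them.
        if [ "$clear_quarantine" = yes ]; then
            for f in "$dir"/quarantine*.db; do
                [ -e "$f" ] || continue          # glob did not match anything
                base=${f%.db}
                mv "$f" "$base.old" || return 1
                if [ -e "$f-shm" ]; then
                    mv "$f-shm" "$base.shm.old" || return 1
                fi
                if [ -e "$f-wal" ]; then
                    mv "$f-wal" "$base.wal.old" || return 1
                fi
            done
        fi
        return 0
    }
    ```

    After running it, the endpoint should recreate the files within a few seconds (step 10); check that the UI status is green and the event count is 0 before re-enabling Tamper Protection.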
  • Hi  and thanks for your reply.

    Minutes before I wrote my first post, I acknowledged the alert in Central. That's when the endpoint changed from red to "yellow", showing the quarantine message and this event:

    In the meantime I did nothing. I checked the machine now again in Central and it changed from yellow to green without any doing. No more warning about quarantine.

    Self healing, or it just needs more time...