Disable automatic cleanup of PUA

Hey there.

I know this question was asked a few years back, but I hope there is an update to this.

I deployed Sophos CIXA on my PC and it started automatically deleting some of my trusted software I use as a network technician.

The files are marked as PUA and therefore automatically cleaned up. I don't really want to exclude this software from scans.

Is there an option I missed to change automatic cleanup of PUA to "ask first" or be it "quarantine"?

Thanks in advance for an answer :)



This thread was automatically locked due to age.
  • Hi Lukas_lzs,

    Thanks for reaching out to the Sophos Community Forum. 

    It's not currently possible to prevent the automatic cleanup of PUAs. Additional information on remediation options can be found at the following link. 
    - Threat Protection Policy > Remediation

    I'd suggest creating a new Threat Protection policy for devices which will require access to these admin tools. You'll need to create an exclusion of the type "Potentially Unwanted Application (Windows/Mac)". The name you see referenced in the detection event will also be important, as this needs to be populated into the exclusion UI. 

    For example, in the following detection, you will need to enter "PsExec" as opposed to the path or exe name. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks for the fast reply. 
    Although I had hoped for another answer, this "fixed" the problem. 
    Thanks again.

  • No problem at all. 

    I can see a feature request we've received for your desired behaviour to be added as an option. If you can provide me with your company details via private message, I'd be happy to add this to your account record. This helps our product teams better understand the features customers would like to see implemented.

    Kushal Lakhan
    Team Lead, Global Community Support
  • There is no way to turn off PUA detection at all or to create an exception with a wildcard instead of a specific PUA name?

    It is a problem for us (or one of our customers) that we are unable to:

    1. turn off PUA detection or

    2. create a wildcard exception for a folder or

    3. turn off automatic PUA cleanup.

    Thank you

  • If you'd like to create a more generic exclusion for PUA files, this will need to be done from the "Allowed Applications" page under "General Settings". 
    - Allowed applications

    I was able to designate a folder using the following exclusion. While this is not recommended due to its inherent risks, you may be able to adjust the exclusion to be more specific. You can also specify individual exe files you wish to exclude.
    - C:\Users\CLIENT-04\Downloads\PUAs\*.exe

    Using wildcards and variables will also help you to provide a more specific folder where these applications must reside on a device as well. 
    - Wildcards & Variables

    Kushal Lakhan
    Team Lead, Global Community Support