How to get rid of "Malware or potentially unwanted applications in quarantine" warning?

I got a warning in the dashboard about an access to a PUA. I chose the "ignore" option; the message is gone from the dashboard, but the device or user still has the orange warning described as "Malware or potentially unwanted applications in quarantine". Will the alert go away by itself, or do I have to live with it forever?

Maybe cleaning the quarantine on the local PC will solve the issue but I would like to know about proper ways to handle situations like this.

Thank you



This thread was automatically locked due to age.
  • Hi,

    The options with Potentially Unwanted Applications (PUAs) are:
    1. Authorize
    2. Cleanup.
    3. Choose to ignore the alert but that won't really do anything other than hide it from the Console side as an outstanding item to deal with.

    The first thing to determine is if you want it in your organization. Maybe it's a system tool that some users need others don't etc. You may have to do a little bit of research to find out what it is exactly to make this decision. The PUA category of alerts covers software Sophos believes you may be interested in knowing are on your network to allow you to make a decision.

    If you want to allow this software you can make an exclusion for it based on the given SophosLabs name. E.g. for something like PsExec.exe (technet.microsoft.com/.../psexec.aspx), the Sysinternals tool, this has the SophosLabs name of PsExec (www.sophos.com/.../PsExec.aspx), which is the value you should exclude it as when choosing an exclusion of type PUA. I.e. it's not the file name but the identifier given to the software by SophosLabs.

    You can exclude the item globally under:
    cloud.sophos.com/.../global-exclusions.
    This will allow all users on all devices to run it. If you need more control you can go into a specific policy and choose to allow it.

    If you want to clean it up: on the Dashboard, when the alert comes in, there is the option to authorize (adds it to the global policy mentioned above) or clean it up. The clean-up action, if available, will in effect send an instruction to the endpoint to initiate the same cleanup routine that you can see in the client Quarantine Manager.

    If you want to clean it up but don't have the alert in the Control Center, you could do it from the client if the option is available. For some items that don't offer cleanup you might just have to use Programs and Features to uninstall it. It depends on the software how best to remove it.

    I hope this helps.

    Regards,
    Jak
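
The triage the answer describes (authorize by SophosLabs detection name rather than file name, otherwise clean up, and never rely on "ignore" to resolve the quarantine state), as an added Python example that is not from the forum post or from Sophos. It assumes the Sophos Central Common API alert shape (`GET /common/v1/alerts` items with `category`, `description`, `allowedActions`) and the `authPua` / `cleanPua` alert actions as I understand them; the sample alerts and their description format are constructed. Verify endpoint paths and field names against current Sophos documentation before using it against a real tenant.

```python
"""Triage Sophos Central PUA alerts the way the thread describes.

Added example, not code from the forum post or from Sophos.
Assumptions (verify against the current Sophos Central API docs):
  * Alerts come from GET /common/v1/alerts as {"items": [...]}, each with
    "id", "category", "description" and "allowedActions".
  * POST /common/v1/alerts/{id}/actions with {"action": "authPua"} or
    {"action": "cleanPua"} is the API form of the console's Authorize /
    Cleanup buttons; "acknowledge" only hides the alert, as the answer says.
  * The SophosLabs detection name is quoted in the description text
    (constructed format below).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Allow-list keyed on the SophosLabs *detection name*, never the file name:
# PsExec.exe is reported under the name "PsExec", as the answer points out.
AUTHORIZED_PUA_NAMES = {"PsExec"}

# Constructed description format: the detection name sits in single quotes.
NAME_RE = re.compile(r"'([^']+)'")


@dataclass
class Decision:
    alert_id: str
    pua_name: Optional[str]
    action: Optional[str]  # "authPua", "cleanPua" or None (manual follow-up)
    note: str


def pua_name_from_description(description: str) -> Optional[str]:
    """Pull the quoted SophosLabs name out of an alert description."""
    m = NAME_RE.search(description)
    return m.group(1) if m else None


def triage(alert: dict) -> Decision:
    """Decide authorize / cleanup / manual for one alert."""
    alert_id = alert["id"]
    if alert.get("category") != "pua":
        return Decision(alert_id, None, None, "not a PUA alert; handle separately")
    name = pua_name_from_description(alert.get("description", ""))
    allowed = set(alert.get("allowedActions", []))
    if name in AUTHORIZED_PUA_NAMES and "authPua" in allowed:
        return Decision(alert_id, name, "authPua",
                        "on the allow-list: authorize (creates the PUA exclusion)")
    if "cleanPua" in allowed:
        return Decision(alert_id, name, "cleanPua",
                        "not wanted: send cleanup to the endpoint")
    # Deliberately never fall back to "acknowledge": it hides the console
    # alert but leaves the device's quarantine warning in place.
    return Decision(alert_id, name, None,
                    "no cleanup offered: uninstall on the endpoint (Programs and Features)")


def build_action_request(base_url: str, tenant_id: str, d: Decision) -> Optional[dict]:
    """Describe the HTTP call for a decision without sending it (hypothetical helper)."""
    if d.action is None:
        return None
    return {
        "method": "POST",
        "url": f"{base_url}/common/v1/alerts/{d.alert_id}/actions",
        "headers": {"X-Tenant-ID": tenant_id},
        "json": {"action": d.action},
    }


# Constructed sample alerts shaped like the assumed API response.
SAMPLE_ALERTS = [
    {"id": "a1", "category": "pua", "allowedActions": ["acknowledge", "authPua", "cleanPua"],
     "description": "Potentially unwanted application 'PsExec' detected in C:\\Tools\\PsExec.exe"},
    {"id": "a2", "category": "pua", "allowedActions": ["acknowledge", "authPua", "cleanPua"],
     "description": "Potentially unwanted application 'Example Toolbar' detected"},
    {"id": "a3", "category": "pua", "allowedActions": ["acknowledge"],
     "description": "Potentially unwanted application 'Example Installer' detected"},
    {"id": "a4", "category": "malware", "allowedActions": ["acknowledge", "clearThreat"],
     "description": "Malware 'Example Malware' detected"},
]


def triage_all(alerts: list[dict]) -> list[Decision]:
    return [triage(a) for a in alerts]


if __name__ == "__main__":
    for d in triage_all(SAMPLE_ALERTS):
        print(f"{d.alert_id}: {d.pua_name!r} -> {d.action} ({d.note})")
        req = build_action_request("https://api-eu01.central.sophos.com", "TENANT-ID-PLACEHOLDER", d)
        if req:
            print("   would send", req["method"], req["url"], req["json"])
```

The point the matcher enforces is the one in the answer: the exclusion key is the SophosLabs name (`PsExec`), so `C:\Tools\PsExec.exe` still authorizes even though the file name never appears in the allow-list, and an alert with no `cleanPua` action is handed to a person instead of being acknowledged away.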
