A number of our devices have the status "Malware or potentially unwanted applications in quarantine". Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?
Removing the event database as suggested in here worked for me.
Turn off tamper protection, get an administrator prompt and execute:
net stop "Sophos Health Service"
ren "%ProgramData%\Sophos\Health\Event Store\Database\events.db" events.db.old
net start "Sophos Health Service"
To make life even easier, let's do it remotely and verified both are actually working.
1. Disable Tamper protection
2. Launch an elevated command prompt or PowerShell and use one of the two below, depending. I know the CMD works, have not tested the PowerShell yet.
CMD
sc \\MachineName stop "Sophos Health Service"
ren "\\MachineName\c$\ProgramData\Sophos\Health\Event Store\Database\events.db" events.db.old
sc \\MachineName start "Sophos Health Service"
PowerShell
stop-service -inputobject $(get-service -ComputerName "MachineName" -Name "Sophos Health Service")
rename-item -path "\\MachineName\c$\ProgramData\Sophos\Health\Event Store\Database\events.db" -newname "events.db.old"
start-service -inputobject $(get-service -ComputerName "MachineName" -Name "Sophos Health Service")
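A more defensive form of the remote PowerShell steps above, as an added example that is not part of the original posts: it checks that events.db exists, keeps a timestamped copy instead of overwriting events.db.old, and restarts the service even if the rename fails. The function name `Reset-SophosHealthEvents` is hypothetical; it assumes Windows PowerShell 5.1, tamper protection already disabled, and administrative rights on the target.

```powershell
#Requires -Version 5.1
# Added example; Reset-SophosHealthEvents is a hypothetical helper name.
# Assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 6+),
# tamper protection already disabled, and admin rights on the target machine.
function Reset-SophosHealthEvents {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName
    )
    $serviceName = 'Sophos Health Service'
    $dbDir  = '\\{0}\c$\ProgramData\Sophos\Health\Event Store\Database' -f $ComputerName
    $dbPath = Join-Path $dbDir 'events.db'
    # Timestamped name: a plain rename to events.db.old fails if an earlier run left one behind.
    $backupName = 'events.db.{0}.old' -f (Get-Date -Format 'yyyyMMdd-HHmmss')

    if (-not (Test-Path -LiteralPath $dbPath)) {
        throw "events.db not found at $dbPath; nothing renamed."
    }
    $svc = Get-Service -ComputerName $ComputerName -Name $serviceName -ErrorAction Stop

    if (-not $PSCmdlet.ShouldProcess($ComputerName, "Rename events.db to $backupName")) { return }

    try {
        Stop-Service -InputObject $svc -ErrorAction Stop
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        Rename-Item -LiteralPath $dbPath -NewName $backupName -ErrorAction Stop
    }
    finally {
        # Always bring the health service back, even if the stop or rename failed.
        $svc.Refresh()
        if ($svc.Status -ne 'Running') {
            Start-Service -InputObject $svc
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
        }
        $svc.Refresh()
    }

    # Report what was done so the result can be logged per machine.
    [pscustomobject]@{
        ComputerName = $ComputerName
        Backup       = Join-Path $dbDir $backupName
        ServiceState = $svc.Status
    }
}

# Dry run first: Reset-SophosHealthEvents -ComputerName 'MachineName' -WhatIf
```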