
Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?

  • Is there an official method for this?

    The thread has multiple suggestions, some of which don't seem to apply anymore, and a community proposal, but this should have an official, Sophos supported solution that is in the KB and not spread out among the discussion groups.

    It is a common request, Sophos should have an official answer with steps and/or tool to accomplish this task.
    Michael

  • Bump for SEVENTY THREE THOUSAND VIEWS..
    Make this an official/supported TID with ACCURATE instructions already Sophos!

    Michael

  • Hi  

    Please follow the below steps when you have a bad status even after the file that was detected as malware has been cleaned up:

    1. On the affected machine, open the Sophos Endpoint and check the status of the machine (green, amber or red).
    2. In the Sophos Central Admin, navigate to the same device. Go to the Status tab and scroll to the bottom of the page. Check for any alerts. If there is, acknowledge the alert.
    3. Reboot the endpoint.
    4. Perform a scan using the Sophos Endpoint installed on the computer.
    5. When the scan is complete, check if the status on the Sophos Endpoint is green. Also, check if the alert on the Sophos Central dashboard has been cleared.

    If there is no alert on the Status tab, please follow the below steps on the client machine.

    • Disable the Tamper Protection (if enabled).
    • Go to services.msc and stop the Sophos Health Service.
    • Browse to the following folder: C:\ProgramData\Sophos\Health\Event Store\Database.
    • Rename events.db to events.orig.
    • Restart the Sophos Health Service.
    • Open the Task Manager and end the Sophos UI.exe process.
    • Launch a new Sophos UI.exe process from C:\Program Files\Sophos\Sophos UI.exe

    NEXT - Run a full system scan of the affected machine. If the alert returns, there is something more here that needs to be investigated.

    Sometimes, the endpoint will not have green status even after cleanup of the malware on the machine and it will mention that there is malware cleanup required or malware in quarantine on the status tab.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

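    The client-side steps above (stop the Sophos Health Service, rename events.db, restart the service and the Sophos UI) as an added PowerShell script. This is not a Sophos-supplied tool and is not code from any poster in this thread; it uses the paths given in the post, assumes Tamper Protection has already been disabled for the device in Sophos Central, and assumes a full scan has already come back clean, since the reset only clears the recorded health state and removes nothing from disk.

```powershell
#Requires -RunAsAdministrator
# Added example, not a Sophos-supplied tool: scripts the event-store reset from the
# post above. Assumes Tamper Protection has already been disabled for this device in
# Sophos Central and that a full scan has come back clean; the reset only clears the
# health state, it does not remove malware. Paths are the ones given in the post.
$DbDir  = 'C:\ProgramData\Sophos\Health\Event Store\Database'
$DbFile = Join-Path $DbDir 'events.db'
# Timestamped rename instead of a fixed events.orig, so a second run does not collide.
$BackupName = 'events.orig.{0:yyyyMMdd-HHmmss}' -f (Get-Date)

if (-not (Test-Path -Path $DbFile)) { throw "Event store not found: $DbFile" }

# The service is located by the display name shown in services.msc.
$svc = Get-Service -DisplayName 'Sophos Health Service' -ErrorAction Stop

# Stop-Service fails with access denied if Tamper Protection is still on; that is the
# intended safety net, so no -Force here.
Write-Host "Stopping $($svc.DisplayName)"
Stop-Service -InputObject $svc -ErrorAction Stop

# Rename rather than delete so Support can still inspect the old store.
Rename-Item -Path $DbFile -NewName $BackupName -ErrorAction Stop
Write-Host "Renamed events.db to $BackupName"

Start-Service -InputObject $svc -ErrorAction Stop
Write-Host "$($svc.DisplayName) restarted"

# Restart the tray UI so it reads the fresh health state. The executable is searched
# for under C:\Program Files\Sophos rather than hard-coded, in case the install layout differs.
Get-Process -Name 'Sophos UI' -ErrorAction SilentlyContinue | Stop-Process -Force
$ui = Get-ChildItem -Path 'C:\Program Files\Sophos' -Filter 'Sophos UI.exe' -Recurse -File -ErrorAction SilentlyContinue |
      Select-Object -First 1
if ($ui) {
    Start-Process -FilePath $ui.FullName
} else {
    Write-Warning 'Sophos UI.exe not found; start it from the Start menu.'
}

Write-Host 'Done. Run a full scan now; if the alert comes back, investigate instead of resetting again.'
```

    Run it in an elevated PowerShell on the affected endpoint. The old store is kept under a timestamped events.orig.* name rather than deleted, and the script deliberately does not force-stop the service: if Tamper Protection is still enabled the stop fails, which is the check you want before touching the database.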

  • This faulty status problem is becoming more frequent over time, especially when Sophos triggers a cleanup and the program is subsequently authorized at a later date. It seems that authorization within minutes of cleanup works as expected but when the authorization is left for days/weeks/months after the cleanup then the bad status remains.

    Personally I've not seen a scan or reboot fix the bad status - only a full uninstall/re-install or the database reset mentioned above.

    Performing the above steps on one PC is time consuming enough, let alone tens/hundreds/thousands of PCs. Maybe Sophos should consider a bulk reset option in the Central Console to trigger the Health Service Database cleanse on the endpoint(s)?

  • Hi  

    There can be several reasons when the endpoint is reporting bad health status on the central dashboard. We need to check on the logs, to check why it is showing red health status. The above steps mentioned can only be performed by Support engineer after checking if there are no malicious files present or there are no other issues with Endpoint as it would reset all the event databases. You may raise a feature request here for the bulk reset option from the central console and do post your valuable suggestion for our product management team to have a look and consider its feasibility. 

    Shweta

    Community Support Engineer | Sophos Technical Support
  • I would like to add that Endpoint Protection couldn't clean the threat from a temporary Outlook folder (%LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook) until I cleared the "ReadOnly" attribute on the file - something that Sophos Services must do automatically.

  • Hi  

    Sophos AV never alters the permission on the machines because it can be a violation of the permissions setup by user on the machines for the security reasons. It automatically cleans up files where it has appropriate permission to do that and will not be able to clean up the files if the permissions are not in place.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Jasmin said:

    Sophos AV never alters the permission on the machines because it can be a violation of the permissions setup by user on the machines for the security reasons. It automatically cleans up files where it has appropriate permission to do that and will not be able to clean up the files if the permissions are not in place.

    Sophos Endpoint Protection had permissions to file location - that wasn't a problem. It only had to clear the ReadOnly attribute on the infected file to be able to clean the threat. That way I wouldn't get notifications for days that Endpoint Protection couldn't clean the threat. What's more important - to clean the threat or to not touch infected file's attributes?

  • Hi  

    When any file has read-only checked, it means no one can modify/delete the file and also can't change the permission other than admins.

    Because files were read-only Sophos was unable to clean the file from there.

    I'd suggest you open a new thread as the original thread was for a different issue which can confuse other community members who are willing to answer on your post.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Jasmin said:

    When any file has read-only checked, it means no one can modify/delete the file and also can't change the permission other than admins.

    Because files were read-only Sophos was unable to clean the file from there.

    I'd suggest you open a new thread as the original thread was for a different issue which can confuse other community members who are willing to answer on your post.

    That's not true. Users without Administrator role can set and clear file attributes. You are confused between attributes and permissions, which are different properties of the file system objects. I appreciate your suggestion.
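    To make the attribute-versus-permission distinction concrete, here is an added PowerShell example (not from any poster in this thread). It creates a constructed sample file in %TEMP%, sets the ReadOnly attribute as an ordinary user, shows that the file's ACL is unchanged, shows that a plain delete is refused while the attribute is set, and then clears the attribute and deletes the file, again without administrator rights.

```powershell
# Added example, not from any post in this thread: the ReadOnly attribute and the
# NTFS permissions (ACL) on a file are separate properties, and clearing the attribute
# needs no administrator rights. Uses a constructed sample file in %TEMP%.
$path = Join-Path $env:TEMP 'attr-vs-acl-demo.txt'
Set-Content -Path $path -Value 'constructed sample content'

# 1. Set the ReadOnly attribute as an ordinary user. This is file metadata, not an ACL entry.
Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
Write-Host ("Attributes : {0}" -f (Get-Item -Path $path).Attributes)   # shows ReadOnly

# 2. The ACL is untouched by step 1: list the permission entries for comparison.
(Get-Acl -Path $path).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize

# 3. A plain delete is refused while the attribute is set, even though the ACL allows
#    it; this is the situation the cleanup in the thread ran into.
try {
    Remove-Item -Path $path -ErrorAction Stop
    Write-Host 'Delete succeeded (not expected while ReadOnly is set)'
} catch {
    Write-Host "Delete refused while ReadOnly is set: $($_.Exception.Message)"
}

# 4. Clear the attribute (still no admin) and retry. The ACL never changed.
Set-ItemProperty -Path $path -Name IsReadOnly -Value $false
Remove-Item -Path $path -ErrorAction Stop
Write-Host "Deleted after clearing ReadOnly: $(-not (Test-Path -Path $path))"
```

    Run it in a non-elevated PowerShell session to see that both setting and clearing the attribute succeed for a standard user. Remove-Item -Force would also delete the read-only file in step 3, which is the point of the distinction: what blocked the delete was an attribute the deleting process can clear, not a permission it lacks.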

  • Hi  

    Sorry for the confusion.

    You're right, I took it as permissions. However, Sophos also never changes the attribute of the file.

    Did you get the notification like Manual clean up required or something like that? If that is the case Sophos had limited access to that or that file.

    I'd request you to submit that file again to the Sophos sample submission portal stating that it was not cleaned up automatically, so labs will check and will correct it if anything is required from Sophos end.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • Jasmin said:

    Sorry for the confusion.

    You're right, I took it as permissions. However, Sophos also never changes the attribute of the file.

    Did you get the notification like Manual clean up required or something like that? If that is the case Sophos had limited access to that or that file.

    I'd request you to submit that file again to the Sophos sample submission portal stating that it was not cleaned up automatically, so labs will check and will correct it if anything is required from Sophos end.

    The file was a Microsoft Outlook document (.msg). I was getting multiple messages that the threat can't be cleaned as Sophos unsuccessfully tried to remove the file from the file system. I don't quite remember being offered to clean them manually; next time I'll remember to look. I was wondering why Sophos can't clean it, and when I opened file properties to check permissions to make sure the system and my account have access to the file, I saw the RO attribute was set, so I cleared it, and then Sophos was able to remove the file. If Sophos detects a threat, I think it shouldn't wait for a user permission to change the attributes in order to remove a malicious file, because many users don't know much about computers and how everything works. And by automating this process Sophos would also lower unnecessary tech support calls.

  • Hi  

    When there is a scenario where Sophos can't clean up the file automatically, it generally prompts to remove the file manually because of permissions or attributes assigned to that file, or sometimes the detection created for that file may not have a clean-up command to remove it from the location.

    Manual clean up is required in such a scenario, as Sophos never alters the file attributes or permissions on the machine.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support
