A number of our devices have the status "Malware or potentially unwanted applications in quarantine". Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?
Is there an official method for this?
The thread has multiple suggestions, some of which don't seem to apply anymore, and a community proposal, but this should have an official, Sophos supported solution that is in the KB and not spread out among the discussion groups.
It is a common request, Sophos should have an official answer with steps and/or tool to accomplish this task.
Michael
Bump for SEVENTY-THREE THOUSAND VIEWS.
Make this an official/supported TID with ACCURATE instructions already Sophos!
Michael
Please follow the steps below when the status remains bad even after the file that was detected as malware has been cleaned up:
If there is no alert on the Status tab, please follow the steps below on the client machine.
NEXT: Run a full system scan of the affected machine. If the alert returns, there is something more here that needs to be investigated.
Sometimes the endpoint will not have green status even after cleanup of the malware on the machine, and the Status tab will say that malware cleanup is required or that there is malware in quarantine.
Regards,
Jasmin
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
If a post solves your question use the 'This helped me' link
This faulty status problem is becoming more frequent over time, especially when Sophos triggers a cleanup and the program is subsequently authorized at a later date. It seems that authorization within minutes of cleanup works as expected, but when the authorization is left for days/weeks/months after the cleanup, the bad status remains.
Personally, I've not seen a scan or reboot fix the bad status; only a full uninstall/reinstall or the database reset mentioned above.
Performing the above steps on one PC is time-consuming enough, let alone on tens/hundreds/thousands of PCs. Maybe Sophos should consider a bulk reset option in the Central Console to trigger the Health Service Database cleanse on the endpoint(s)?
Hi ChrisKnight,
There can be several reasons why an endpoint reports a bad health status on the Central dashboard. We need to check the logs to see why it is showing a red health status. The steps mentioned above can only be performed by a Support engineer, after checking that there are no malicious files present and no other issues with the endpoint, as they reset all the event databases. You may raise a feature request here for the bulk reset option from the Central console. Do post your valuable suggestion so that our product management team can have a look and consider its feasibility.
Shweta