
Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?



This thread was automatically locked due to age.
  • Is there an official method for this?

    The thread has multiple suggestions, some of which don't seem to apply anymore, and a community proposal, but this should have an official, Sophos supported solution that is in the KB and not spread out among the discussion groups.

    It is a common request, Sophos should have an official answer with steps and/or tool to accomplish this task.
    Michael

  • Bump for SEVENTY THREE THOUSAND VIEWS..
    Make this an official/supported TID with ACCURATE instructions already Sophos!

    Michael

  • This faulty status problem is becoming more frequent over time, especially when Sophos triggers a cleanup and the program is subsequently authorized at a later date. It seems that authorization within minutes of cleanup works as expected but when the authorization is left for days/weeks/months after the cleanup then the bad status remains.

    Personally I've not seen a scan or reboot fix the bad status - only a full uninstall/re-install or the database reset mentioned above.

    Performing the above steps on one PC is time consuming enough, let alone tens/hundreds/thousands of PCs. Maybe Sophos should consider a bulk reset option in the Central Console to trigger the Health Service Database cleanse on the endpoint(s)?

  • Hi  

    There can be several reasons why an endpoint reports a bad health status on the Central dashboard. We need to check the logs to see why it is showing a red health status. The above steps can only be performed by a Support engineer after checking that there are no malicious files present and no other issues with the endpoint, as it would reset all the event databases. You may raise a feature request here for the bulk reset option from the Central console, and do post your valuable suggestion so our product management team can have a look and consider its feasibility.

    Shweta

    Community Support Engineer | Sophos Technical Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
    The New Home of Sophos Support Videos! - Visit Sophos Techvids
  • I would like to add that Endpoint Protection couldn't clean the threat from a temporary Outlook folder (%LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook) until I cleared the "ReadOnly" attribute on the file - something that Sophos Services must do automatically.

  • Hi  

    Sophos AV never alters the permissions on the machines because it can be a violation of the permissions set up by the user on the machines for security reasons. It automatically cleans up files where it has the appropriate permission to do so, and will not be able to clean up the files if the permissions are not in place.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Jasmin said:

    Sophos AV never alters the permissions on the machines because it can be a violation of the permissions set up by the user on the machines for security reasons. It automatically cleans up files where it has the appropriate permission to do so, and will not be able to clean up the files if the permissions are not in place.

    Sophos Endpoint Protection had permissions to file location - that wasn't a problem. It only had to clear the ReadOnly attribute on the infected file to be able to clean the threat. That way I wouldn't get notifications for days that Endpoint Protection couldn't clean the threat. What's more important - to clean the threat or to not touch infected file's attributes?

  • Hi  

    When any file has read-only checked, it means no one can modify/delete the file, and no one other than admins can change the permissions.

    Because the files were read-only, Sophos was unable to clean the file from there.

    I'd suggest you open a new thread as the original thread was for a different issue which can confuse other community members who are willing to answer on your post.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Jasmin said:

    When any file has read-only checked, it means no one can modify/delete the file, and no one other than admins can change the permissions.

    Because the files were read-only, Sophos was unable to clean the file from there.

    I'd suggest you open a new thread as the original thread was for a different issue which can confuse other community members who are willing to answer on your post.

    That's not true. Users without Administrator role can set and clear file attributes. You are confused between attributes and permissions, which are different properties of the file system objects. I appreciate your suggestion.
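    The distinction drawn above, as an added PowerShell example that is not from the thread or from Sophos: it creates a constructed sample file, marks it read-only, shows that the NTFS ACL is untouched by that flag, shows that a plain delete is blocked by the attribute alone, and then clears the attribute with a standard user account so the delete succeeds. The file name and location are assumptions for the demonstration.

```powershell
# Added example (not from the thread or Sophos): the ReadOnly file attribute
# and NTFS permissions are independent properties of a file system object.
# A constructed, harmless sample file under %TEMP% stands in for the
# quarantined item; nothing here touches Sophos or a real detection.
$sample = Join-Path $env:TEMP 'constructed-sample.msg'   # assumed path
Set-Content -Path $sample -Value 'constructed sample content, not malware'

# Set the ReadOnly attribute, as the poster found on the Content.Outlook file.
$item = Get-Item -Path $sample
$item.IsReadOnly = $true

# 1) Attribute: a flag stored in the file's own metadata.
$hasReadOnly = ($item.Attributes -band [System.IO.FileAttributes]::ReadOnly) -ne 0
"ReadOnly attribute set: $hasReadOnly"

# 2) Permissions: the NTFS ACL. Setting the attribute did not change it.
$acl = Get-Acl -Path $sample
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType

# A plain delete fails on a read-only file even though the ACL allows it.
try {
    Remove-Item -Path $sample -ErrorAction Stop
    "Deleted without clearing the attribute (unexpected)"
} catch {
    "Delete blocked by the ReadOnly attribute: $($_.Exception.Message)"
}

# Clearing the attribute needs no admin rights and no ACL change.
$item.IsReadOnly = $false
Remove-Item -Path $sample
"Deleted after clearing ReadOnly: $(-not (Test-Path $sample))"
```

    Run it as a non-administrator to see the point of the post: the ACL listing is identical before and after, the first Remove-Item fails, and the attribute is cleared by the same unprivileged account. Remove-Item -Force would also delete a read-only file, but the two-step form makes the cause of the failed cleanup visible.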

  • Hi  

    Sorry for the confusion.

    You're right, I took it as permissions. However, Sophos also never changes the attribute of the file.

    Did you get the notification like Manual clean up required or something like that? If that is the case Sophos had limited access to that or that file.

    I'd request you to submit that file again to the Sophos sample submission portal stating that it was not cleaned up automatically, so labs will check and will correct it if anything is required from Sophos end.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link

  • Jasmin said:

    Sorry for the confusion.

    You're right, I took it as permissions. However, Sophos also never changes the attribute of the file.

    Did you get the notification like Manual clean up required or something like that? If that is the case Sophos had limited access to that or that file.

    I'd request you to submit that file again to the Sophos sample submission portal stating that it was not cleaned up automatically, so labs will check and will correct it if anything is required from Sophos end.

    The file was a Microsoft Outlook document (.msg). I was getting multiple messages that the threat can't be cleaned because Sophos unsuccessfully tried to remove the file from the file system. I don't quite remember being offered to clean them manually; next time I'll remember to look. I was wondering why Sophos can't clean it, and when I opened the file properties to check permissions, to make sure the system and my account had access to the file, I saw the RO attribute was set, so I cleared it, and then Sophos was able to remove the file. If Sophos detects a threat, I think it shouldn't wait for a user's permission to change the attributes in order to remove a malicious file, because many users don't know much about computers and how everything works. And by automating this process Sophos would also lower unnecessary tech support calls.

  • Hi  

    When there is a scenario where Sophos can't clean up the file automatically, it generally prompts to remove the file manually, because of permissions or attributes assigned to that file, or sometimes because the detection created for that file may not have a clean-up command to remove it from the location.

    Manual clean-up is required in such a scenario, as Sophos never alters the file attributes or permissions on the machine.

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support

    Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link
