Remote quarantine cleanup?

Question

A number of our devices have the status " Malware or potentially unwanted applications in quarantine". Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?

Arno Zielke · Answer

Removing the event database as suggested in here worked for me. 
 Turn off tamper protection, get an administrator prompt and execute: 
 net stop "Sophos Health Service" ren "%ProgramData%\Sophos\Health\Event Store\Database\events.db" events.db.old net start "Sophos Health Service"

B_B · Answer

To make life even easier lets do it remotely and verified both are actually working. 
 1. Disable Tamper protection 
 2. Launch elevated command prompt or Powershell and use one of the two below depending. I know the CMD works, have not tested the PowerShell yet. 
 
 CMD sc \MachineName stop "Sophos Health Service" ren "\MachineName\c$\ProgramData\Sophos\Health\Event Store\Database\events.db" events.db.old sc \MachineName start "Sophos Health Service" 
 PowerShell 
 stop-service -inputobject $(get-service -ComputerName "MachineName" -Name "Sophos Health Service") 
 rename-item -path "\MachineName\c$\ProgramData\Sophos\Health\Event Store\Database\events.db" -newname "events.db.old" 
 start-service -inputobject $(get-service -ComputerName "MachineName" -Name "Sophos Health Service")

Jeewan Wajiranga · Answer

Removing the event database as suggested in here worked for me. 
 Turn off tamper protection, get an administrator prompt and execute: 
 net stop "Sophos Health Service" ren "%ProgramData%\Sophos\Health\Event Store\Database\events.db" events.db.old net start "Sophos Health Service"

Jeewan Wajiranga · Answer

First you have to disable tamper protection of that endpoint. then simply click on the red color or amber color sophos helth status then it will direct you to Malware or potentially unwanted applications in quarantine with resolve button enabled.then click on the resolve button. Just IT :)

Steve Custer · Answer

I know this is an older thread, but FYI, I wanted to let everyone know I wrote a PowerShell function to allow your help desk to perform the health service reset without annoying the user. You'll need to login to Sophos Central to get the Tamper Protection Password. Then, import the Powershell Module and run: "Reset-SophosHealthService -ComputerName -TamperProtectionPassword " It will then jump through the hoops - turn off tp, stop the service, rename the db, start the service, and turn on tp. Of course you need local admin on the target computer. You can find the module on my public git repo: Sophos.psm1 Hopefully that helps someone. My goal was to make it easier for the help desk to handle these issues so that I didn't have to.

Jasmin · Answer

Hi Michael McGee 
 Please follow the below steps when you have bad status even after the file which was detected as malware has been cleaned up, you need to follow the below steps: 
 
 On the affected machine, open the Sophos Endpoint and check the status of the machine (green, amber or red). 
 In the Sophos Central Admin, navigate to the same device. Go to the Status tab and scroll to the bottom of the page. Check for any alerts. If there is, acknowledge the alert. 
 Reboot the endpoint. 
 Perform a scan using the Sophos Endpoint installed on the computer. 
 When the scan is complete, check if the status on the Sophos Endpoint is green. Also, check if the alert on the Sophos Central dashboard has been cleared. 
 
 If there is no alert on the Status tab, Please follow the below steps on the client machine. 
 
 Disable the Tamper Protection (if enabled). 
 Go to services.msc and stop the Sophos Health Service. 
 Browse to the following folder: C:\ProgramData\Sophos\Health\Event Store\Database. 
 Rename events.db to events.orig. 
 Restart the Sophos Health Service. 
 Open the Task Manager and end the Sophos UI.exe process. 
 Launch a new Sophos UI.exe process from C:\Program Files\Sophos\Sophos UI.exe 
 
 NEXT - Run a full system scan of the affected machine. If the alert returns there is something more here that needs to be investigated. 
 Sometimes, the endpoint will not have green status even after cleanup of the malware on the machine and it will mention that there is malware cleanup required or malware in quarantine on the status tab.