'Malware' is the general term used to describe any and all computer threats, including Trojans, worms, and computer viruses. Sophos Anti-Virus allows you to quickly and easily clean up the majority of malware it detects. However, depending on the specific threat detected, the cleanup process may involve a number of steps.
This article provides instructions on how to clean up the majority of malware using either the central Enterprise Console or the local anti-virus program.
Applies to the following Sophos product(s) and version(s):
Sophos Anti-Virus for Linux
Sophos Anti-Virus for Mac OS X
Sophos Anti-Virus for OpenVMS
Sophos Anti-Virus for Unix
Sophos Anti-Virus for Windows 2000+
Enterprise Console
To clean a detection in the console:
Any item successfully cleaned up will disappear from the list. If the endpoint needs to be rebooted to complete cleanup you will see 'Restart required'; reboot the endpoint to finish cleanup and clear this alert. For other cleanup statuses see the Further help cleaning up malware section below.
Follow the section that applies to the operating system installed on your computer.
To remove malware from the local computer:
Select the items displaying this option and then click 'Perform action' | 'Clean up'. If further action is required (e.g., reboot) the Available action will change and it is described elsewhere in this table.
Click the 'Move' option and select either 'Yes' or 'Yes To All' (for multiple items). The detected item(s) are moved from their current folder path to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\. Moving does not delete or clean up the item.
This option is useful when trying to obtain a sample of the file to submit to SophosLabs but it is blocked by the on-access scanner.
The item detected has been categorized as a virus or spyware, not adware or a PUA, so you are offered the option to 'Delete' the item. Note: If the option to delete appears alongside the option to clean up, we recommend you use the clean up option first. If clean up is unsuccessful, use the delete option.
Click the 'Delete' option and Sophos Anti-Virus will remove the entire item from your computer. It will not attempt to remove malicious parts of the file and save the good parts (i.e., a disinfection process).
This option is generally fine for completely malicious files such as Trojans (detected as 'Troj/...'). However, if the file being detected is a legitimate file (like an important office document you created yourself) you should consider selecting 'Clean up' rather than 'Delete', as cleanup may preserve enough of the file that it is not completely lost; this cannot be guaranteed. If you have a backup of the file, you can delete the entire file now and restore a clean copy from your backup once your computer is clean.
For further details on running a full scan locally see article 61665.
Normally if cleanup is successful, items should clear from the Quarantine Manager completely. If cleanup fails it should mark the item 'manual cleanup required' (see below).
Manual cleanup is commonly required for one of two reasons:
The item detected may actually be a program that can be uninstalled so check this first.
Delete the item from the folder by clicking on it once with the left mouse button and then pressing Shift + Delete on the keyboard; this bypasses the Recycle Bin. Click 'Yes' to confirm the deletion.

Note: You can delete multiple items in the same folder at the same time by dragging the mouse cursor over them and pressing Shift + Delete. You do not have to delete items this way, it is simply recommended; if you delete items in the normal way, ensure you empty the Recycle Bin afterwards.

If the item no longer exists you will see an error message saying 'Error displaying this folder's content'. This means the location no longer exists; open the location of the next detected component and check whether that one exists.

Note: If the component detected ends with FILE:0000 or similar, the component was detected as it was attempting to run and does not exist on disk. You can therefore ignore all detected components that end like this.
Once you have manually deleted the files from your computer, clear the item from the Quarantine Manager.
We recommend that you now run a full scan to confirm your computer is free of malware.
For more information on removing problematic malware see the Further help cleaning up malware section at the bottom of this article.
The item has been detected in an area of the computer's hard drive that your account (the one you use to log on to the computer) does not have permission to access. Generally this occurs because your account is not a local administrator of the computer; note that the account used to perform a cleanup action depends on the action. Log off the computer and log back on with a local administrator account (try another admin account if you believe you should already have the correct permissions, or log on with a purely local admin account if you are currently using a domain admin account).
If you are not an IT administrator of the computer, contact your IT service desk to assist with cleanup.
It is also important to check your user account's rights for the Quarantine manager. From the Sophos Endpoint Security and Control Home screen, select Anti-virus and HIPS | Configure anti-virus and HIPS | Configure | User rights for Quarantine manager. If you are logged on as a Windows administrator, ensure you are configured as a 'Sophos Administrator' too.
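The manual cleanup steps above (skip in-memory components ending in FILE:0000, check whether each remaining location still exists, delete permanently rather than via the Recycle Bin, and do all of this as a local administrator) can be applied to a list of component paths copied from Quarantine Manager with a short PowerShell script. The script below is an added example and is not part of the Sophos article or of any Sophos tool; the component paths in it are constructed sample data, and the 'FILE:' followed by digits pattern is assumed from the article's wording 'FILE:0000 or similar'.

```powershell
# Added example, not Sophos code: apply the article's manual-cleanup checks to a
# list of detected component paths. Run in an elevated PowerShell session on the
# affected endpoint; keep -WhatIf until you are sure of the list.

# Constructed sample data: what a Quarantine Manager entry might list.
$detectedComponents = @(
    'C:\Users\Public\Downloads\invoice.exe',
    'C:\Users\Public\Downloads\invoice.exe\FILE:0000',   # detected while running; nothing on disk
    'C:\Temp\dropper.tmp'                                   # assume this one is already gone
)

function Test-IsLocalAdministrator {
    # The article notes that cleanup fails if the logged-on account lacks rights,
    # usually because it is not a local administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Remove-DetectedComponent {
    param(
        [Parameter(Mandatory)] [string[]] $Paths,
        [switch] $WhatIf
    )
    foreach ($path in $Paths) {
        # Assumed pattern: components ending in FILE: plus digits were caught in
        # memory and never existed on disk, so there is nothing to delete.
        if ($path -match '\\FILE:\d+$') {
            Write-Output "SKIP (in-memory component): $path"
            continue
        }
        if (-not (Test-Path -LiteralPath $path)) {
            # Same situation as the 'Error displaying this folder's content'
            # message in Explorer: the location no longer exists.
            Write-Output "GONE (already removed): $path"
            continue
        }
        # Remove-Item deletes permanently (no Recycle Bin), like Shift + Delete.
        Remove-Item -LiteralPath $path -Force -WhatIf:$WhatIf
        Write-Output "DELETED: $path"
    }
}

if (-not (Test-IsLocalAdministrator)) {
    Write-Warning 'Not running as a local administrator; deletion may fail. Log on with a local admin account and re-run.'
}

# Drop -WhatIf to delete for real. Afterwards, clear the item from Quarantine
# Manager and run a full scan, as the article recommends.
Remove-DetectedComponent -Paths $detectedComponents -WhatIf
```

Remove-Item with -LiteralPath is used deliberately so that unusual characters in a malware file name are not interpreted as wildcards.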
If you are given the option to 'Authorize' an item then Sophos Anti-Virus has detected that it is either Adware or a Potentially Unwanted Application (PUA). These items are not necessarily malicious.
The option to 'Authorize' may be shown on its own or you may get the choice to either 'Authorize' or 'Clean up'.
This can be reported when the rootkit disk scan finds 'hidden' files.
Most malware can be cleaned up in a few clicks. However, as there are many different types of malware that infect, or attempt to infect, a computer by various methods, you may need to take extra steps to complete the process.
Understanding your particular scenario can help reveal the problem with cleanup. Common problems are shown in the table below, along with suggested further actions.
From the Enterprise Console the cleanup status shows 'Cleanup failed'
From the Enterprise Console the cleanup status is stuck on 'Cleanup in progress' for a long time or says 'Cleanup timed out'
From the Enterprise Console the cleanup status shows 'Not cleanable'
Sophos Anti-Virus requires a full scan but it has not been run.
Run a full scan. See article 61665 for how to run a full scan locally, or article 25358 for how to run it from Enterprise Console
Note: For Mac computers, most commonly the item that fails to be cleaned up is in a Time Machine backup - see article 118117 for more details.
If your problem isn't listed in the table above let us know in the article feedback box. Provide as much detail as you can and we'll endeavor to update this article. Note: We cannot reply to individual support requests from the article feedback form. If you need further support contact us and for more advice on removing problematic malware files see article 14443.