PLEASE READ Advisory: Kernel memory issue affecting multiple OS (aka F**CKWIT, KAISER, KPTI, Meltdown & Spectre) for the latest updates.
Malware is the general term we use to describe any computer threats including Trojans, worms, and computer viruses. Sophos Anti-Virus allows you to quickly and easily clean up majority of the malware detected. However, depending on the specific threat detected, the cleanup process may involve number of steps.
This article provides instructions on how to clean up the majority of malware using either the Sophos Enterprise Console or the local anti-virus program.
The following sections are covered:
Applies to the following Sophos products and versions Sophos Anti-Virus for LinuxSophos Anti-Virus for Mac OS XSophos Anti-Virus for OpenVMSSophos Anti-Virus for UnixSophos Anti-Virus for Windows 2000+Enterprise Console
The default configuration of Anti-virus & HIPS policy is to automatically clean up all malware detection and following a successful cleanup, you will not see an alert against the endpoint in the console - this is by design. You are only alerted when an action on your part is required. If you want to see the detection of malware that have been successfully cleaned up, you may check the Computer Details of a computer (double-click a computer name to open), or run a report to see what endpoint computers have detected and cleaned up.
The success of cleaning up a malware depends on whether a full scan has been run on the affected endpoint computer. Some detection requires this. If you have not yet run and completed a full scan you can still continue with the steps below, but if cleanup fails this could be the cause.
To clean the detection on the console:
Items that are successfully cleaned up will disappear from the list. If the endpoint needs to be rebooted for complete cleanup you will see Restart required. Reboot the endpoint to finish cleanup and clear this alert. For other cleanup statuses see Further help cleaning up malware.
To remove malware from a local computer:
Select the items displaying this option and then click Perform action > Clean up. If further action is required (e.g., reboot), Available action will change and it is described elsewhere in this table.
Click the Move option and select either Yes or Yes To All (for multiple items). The detected item(s) is moved from its current folder path to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\. Moving does not delete or clean up the item.
This option is useful when trying to obtain a sample of the file to submit to SophosLabs but it is blocked by the on-access scanner.
The item detected will be categorized as a virus or spyware - not adware or a PUA. Therefore you have the option to Delete the item. Note that if the option to delete appears alongside the option to clean up, we recommended you use the clean up option first. If clean up is unsuccessful use the delete option.
Click the Delete option and Sophos Anti-Virus will remove the entire item from your computer. It will not attempt to remove malicious parts of the file and save the good parts (i.e., a disinfection process).
This option is generally OK for completely malicious files like Trojans (detected as Troj/...). However if the file being detected is a legitimate file (like an important office document you created yourself) you should consider selecting Clean up rather than Delete as this may save enough information in the file so it is not completely lost - however this cannot be guaranteed. If you do have a backup of the file then you can delete the entire file now and restore a clean copy of the file from your backup once your computer is clean.
For further details on running a full scan locally see article 61665.
Normally if cleanup is successful, items should clear from the Quarantine manager completely. If cleanup fails it should mark the item manual cleanup required.
Manual cleanup is commonly required for one of two reasons:
The item detected may actually be a program that can be uninstalled so check this first.
Once you have manually deleted the files from your computer, clear the item from the Quarantine manager.
We recommend that you now run a full scan to confirm your computer is free of malware.
For more information on removing problematic malware see Further help cleaning up malware.
The item has been detected in an area of the computer's hard drive that your account (that you use to log on to the computer with) does not have permission to access. This occurs because your account is not a local administrator of the computer - or any account used to perform actions changes depending on the action. You should log off the computer and log back on with a local administrator account (try another admin account if you believe you should have the correct permissions, or log on with just a local admin account if you are using a domain admin account).
If you are not an IT administrator of the computer, contact your IT service desk to assist with clean up.
It's also important to check your user account's rights for the Quarantine manager. From the Sophos Endpoint Security and Control Home screen, select Anti-virus and HIPS > Configure Anti-virus and HIPS > Configure > User rights for Quarantine manager. If you are logged on as a Windows administrator, ensure you are configured as a Sophos Administrator too.
If you are given the option to Authorize an item then Sophos Anti-Virus has detected that it is either Adware or a potentially unwanted application (PUA). These items are not necessarily malicious.
The option to Authorize may be shown on its own or you may get the choice to either Authorize or Clean up.
See the instructions for No actions (manual cleanup required) above for guidance.
This can be reported when the rootkit disk scan finds hidden files.
Most malware can be cleaned. However, as there are many different types of malware that infect or attempt to infect a computer by various methods, you may need to take extra steps to complete the process.
Understanding your particular scenario can help reveal the problem with clean up. Common problems are shown in the table below with the suggested actions.
From the Enterprise Console the cleanup status shows Cleanup failed
From the Enterprise Console the cleanup status is stuck on
Cleanup in progress
Cleanup timed out
From the Enterprise Console the cleanup status shows Not cleanable
Sophos Anti-Virus requires a full scan but it has not been run.
Run a full system scan locally, or article on how to run a scan from SEC
Note: For Mac computers, most item that fails to be cleaned up is in a Time Machine backup & see article on How to remove malware from a Mac OS X computer.
If your problem isn't listed in the table above, let us know in the article feedback box. Provide as much detail as you can and we'll endeavor to update this article. Note: We cannot reply to individual support requests from the article feedback form. If you need further support, feel free to contact us.
If you've spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.