
How do I recover files from Quarantine Manager in the case of a false positive?

I am concerned about recovering files from our Quarantine Manager. I have attempted to copy these files and even change ownership of them. I need a simple method to put these files back in the right place if something is falsely detected like a program that a developer has written.

We use Sophos Endpoint Security and Control combined with EMC CEE and Sophos Anti-Virus for NetApp. Sophos ESC is installed on a Windows Server and the Quarantine Manager saves the files to a share on one of the 4 Sophos ESC servers that we have running.

I have tested this with a simple EICAR text file and found that there is no way to recover the file or move it. I also could not find a way to whitelist this file.

  • Hello,
    It's not clear, but I assume you are referring to On-Access detections; it will also depend on how you have configured the On-Access clean-up options.

    If you have 'Deny access and move to' configured, then the malware will be moved to the location specified. I tested this setting with EICAR and saw the file had been moved to the quarantine folder. I was then able to see the EICAR file as .txt, as this extension is not scanned by SAV.

    In a real-world scenario, if the file type is one that Sophos scans, then it is better to send a sample to Sophos if you believe it is a FP; SophosLabs can then analyse the situation and quickly update the identity or, in some cases, issue a "clean identity" so that it is no longer recognised as a threat.

    You mention programs in your query; if we detect a Potentially Unwanted Application (PUA), it is possible to authorise PUAs, suspicious files etc. in either the policy or the client. It is not possible to authorise files Sophos deem to be malware without submitting a sample.

  • From what I can tell there's no way to move a file to quarantine for further review. I can disable on-access scanning and finally move files, but do I have to disable/re-enable this on-access scanning each time? There is no option for "move to quarantine". It either blocks access, moves to quarantine and blocks access, or deletes immediately.

    I am not comfortable disabling the AV even for a short period of time to move a file.

    I have used the configuration guide for NetApp and followed the instructions and that is why I have on-access scanning enabled on each of my CEE servers.

    If I disable on-access scanning on the CEE server will my NetApp still be able to use my CEE server to scan files and move viruses to quarantine?

    OR

    Do I need to disable the AV on the quarantine server each time I need to restore someone's file?

    How do I find out where the file originated from? I cannot find any record of where they came from only that they exist in the quarantine.

    Since the files are moved to quarantine is there a way to track their original locations?

    Sorry about all the questions, but I feel these questions seem to be very unique, as not everyone wishes to restore a quarantined file.

  • Hello,

    If this is a file Sophos believes to be malware, access will be blocked even if the file is moved. Even if you disable AV to review the file or restore the file, it will get quarantined the next time the file is accessed as it will still be seen as malicious.

    Submitting the files to SophosLabs is the best way to address a false positive detection.

    Regards,

    Stephen
