
Isolated PC, "Failed to clean up threats" because they were removed. How to re-run the scan?

I have a PC using Sophos Endpoint. I am not the admin, the admin is not available, and I do not have the admin password.

Versions:

Core Agent 2.6.0
Endpoint Advanced 10.8.6
Sophos Intercept X 2.0.16
Device Encryption: Not Installed

Sophos detected malware in an EXE, so I deleted it. Unfortunately, Sophos does not consider deleting the file good enough, as it still lists the files as "Failed to clean up threats."

As a result, Sophos bricked the PC (I assume you guys call that "isolated"), but it is bricked just the same. It has no internet access. Not even Sophos help works... a big lol to a security system that bricks its own help, but whatever.

So. The files are deleted... how to convince Sophos to re-scan and unbrick the PC?


There is a "Refresh Events" button, but it does not actually refresh the events... it just assumes the files are still there and leaves the PC bricked.

There needs to be a way that end users can fix their own PCs when the admin is not available. How is this done?

  • Hi  

    You will require a tamper protection password to remove the device from isolation, or you can contact your IT administrator so that they can remove the device from isolation from the Sophos Central dashboard. Please refer to this article for more information.

    Shweta

    Community Support Engineer | Sophos Technical Support

  • Considering we are in a national emergency these days, there needs to be a way to remove a device from isolation without the admin. How can we get this policy changed?

  • Hi  

    You can turn off the option to isolate red health devices from your Endpoint Threat Protection policy so these don't get isolated moving forward, in the meantime.

    For devices that are currently isolated due to this setting, these would need to be removed from isolation by an Admin.

    Regards,

    DianneY
    Technical Support Engineer | Sophos Support

  • But it is not a "red health" device.

    I fixed the issue.

    How can a non-admin get Endpoint to re-test a device?

  • Hi  

    Would you please help us to understand the meaning of re-test a device? What do you want to test on the endpoint?

    Regards,

    Jasmin
    Community Support Engineer | Sophos Support


  • I just mean re-run whatever scan the anti-virus used to lock down my PC in the first place.

    In my case, Sophos detected SoftPulse, certainly annoying but not the biggest threat out there. I removed the infected files, but by then the damage was done... Sophos marked my machine as "isolated" and bricked it.

    Note Sophos did more damage to my machine than the virus.

    I would like to have the ability to re-run the virus scan, and if Sophos did not find the threat anymore, unbrick the device.

    There should be a way to do this. Note the admin cannot visit my house, because we are under a mandatory stay-at-home order. You don't want to violate state law, do you?

    I need to be able to do this. With a bricked device, there is a good chance that I will not be able to contact the admin in any case. This is unacceptable.

    I need to be able to unbrick my own machine, if I have managed to remove the virus...which I did.

    Please modify the Sophos Endpoint so a user can re-run the scan, and if the virus is not found, the device is no longer "isolated" (i.e. bricked).

  • Hi  

    These are Sophos policies that are set by your Admin, and they are the ones who will be able to remove the machine from the "isolated" state.

    The process to get your machine working again depends on how and why it was isolated. This process involves some action in the Sophos Central Dashboard, and there is no need for a physical visit by an IT administrator.

    For any Sophos product enhancement requests, please submit one, or vote on an existing one, here.

    Regards,

    DianneY
    Technical Support Engineer | Sophos Support