This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Disable Automatically clean up malware not working

Hello everyone,

I'm trying to configure Sophos Intercept X to not to Automatically clean up malware or PUAs when detected on some servers and computers. So I go to the current Threat Protection Policy of the computer where I'm testing and disable the Automatically clean up malware option and save changes.

I test this configuration by unzipping PsTools wich includes PsExec and PsExec64 (usually detected and blocked for being a PUA) and instead of only detect them, a few minutes later Sophos deletes the files.

I'm using a Windows 10 Pro (it is no a  WM) but I have also tested this in a Win Server 2016 without success.

Any suggestions? 

Thanks in advanced.

Best regards,



This thread was automatically locked due to age.
Parents Reply Children
  • FormerMember
    0 FormerMember in reply to mh3000

    It is one of the options in a detection event in Central. You can also exclude PEs by hash or by location.

  • Thanks for your response.

    So, once I make the exclusion the file is accesisble again? even if It said it was cleaned up?

    If so, one thing with making the exclusion from the event is that it makes the exception for all devices (global), if I take that file hash and put it in an specific exclusion inside one policy, would it "return" the file too?

    Best regards,

  • FormerMember
    0 FormerMember in reply to mh3000

    Exclusions are global - yes. 

    It will be returned with some caveats - if the PE is less than 75MB in size and it is still in the Safe Store.

    Be aware, adding an exclusion will let the PE run without interference - other than from Exploit prevention. With that in mind, folder exclusions are very dangerous and should only be done in specific circumstances.