Thread Info
  • State Suggested Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 2 answers
  • Subscribers 2 subscribers
  • Views 3298 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Disable Automatically clean up malware not working

mh3000

Hello everyone,

I'm trying to configure Sophos Intercept X to not to Automatically clean up malware or PUAs when detected on some servers and computers. So I go to the current Threat Protection Policy of the computer where I'm testing and disable the Automatically clean up malware option and save changes.

I test this configuration by unzipping PsTools wich includes PsExec and PsExec64 (usually detected and blocked for being a PUA) and instead of only detect them, a few minutes later Sophos deletes the files.

I'm using a Windows 10 Pro (it is no a  WM) but I have also tested this in a Win Server 2016 without success.

Any suggestions? 

Thanks in advanced.

Best regards,



This thread was automatically locked due to age.
Parents
  • FormerMember
    0 FormerMember

    Please see the documentation: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ConfigureMalwareProtection.html

    Automatically clean up malwareSophos Central will try to clean up detected malware automatically.

    If the cleanup succeeds, the malware detected alert is deleted from the alerts list. The detection and cleanup are shown in the events list.

    Note: We always clean up PE (Portable Executable) files like applications, libraries, and system files, even if you turn off automatic cleanup. PE files are quarantined and can be restored.
  • 0 in reply to FormerMember

    Hello RichardP thak you for your answer.

    Based on this statement "PE files are quarantined and can be restored." How can quarantined files be restored from Sophos Central Admin portal?

  • FormerMember
    0 FormerMember in reply to mh3000

    It is one of the options in a detection event in Central. You can also exclude PEs by hash or by location.

  • 0 in reply to FormerMember

    Thanks for your response.

    So, once I make the exclusion the file is accesisble again? even if It said it was cleaned up?

    If so, one thing with making the exclusion from the event is that it makes the exception for all devices (global), if I take that file hash and put it in an specific exclusion inside one policy, would it "return" the file too?

    Best regards,

  • FormerMember
    0 FormerMember in reply to mh3000

    Exclusions are global - yes. 

    It will be returned with some caveats - if the PE is less than 75MB in size and it is still in the Safe Store.

    Be aware, adding an exclusion will let the PE run without interference - other than from Exploit prevention. With that in mind, folder exclusions are very dangerous and should only be done in specific circumstances.

Reply
  • FormerMember
    0 FormerMember in reply to mh3000

    Exclusions are global - yes. 

    It will be returned with some caveats - if the PE is less than 75MB in size and it is still in the Safe Store.

    Be aware, adding an exclusion will let the PE run without interference - other than from Exploit prevention. With that in mind, folder exclusions are very dangerous and should only be done in specific circumstances.

Children
No Data
Unfiltered HTML