I'm trying to configure Sophos Intercept X not to automatically clean up malware or PUAs when detected on some servers and computers. So I go to the current Threat Protection Policy of the computer where I'm testing, disable the Automatically clean up malware option, and save changes.
I test this configuration by unzipping PsTools, which includes PsExec and PsExec64 (usually detected and blocked for being a PUA), and instead of only detecting them, a few minutes later Sophos deletes the files.
I'm using Windows 10 Pro (it is not a VM), but I have also tested this on Win Server 2016 without success.
Thanks in advance.
Please see the documentation: https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ConfigureMalwareProtection.html
Automatically clean up malware: Sophos Central will try to clean up detected malware automatically.
If the cleanup succeeds, the malware detected alert is deleted from the alerts list. The detection and cleanup are shown in the events list.
Snr. New Product Introduction Engineer | CISSP | Sophos Technical Support
Hello RichardP, thank you for your answer.
Based on this statement, "PE files are quarantined and can be restored," how can quarantined files be restored from the Sophos Central Admin portal?
It is one of the options in a detection event in Central. You can also exclude PEs by hash or by location.
Thanks for your response.
So, once I make the exclusion, the file is accessible again? Even if it said it was cleaned up?
If so, one thing with making the exclusion from the event is that it makes the exception for all devices (global). If I take that file hash and put it in a specific exclusion inside one policy, would it "return" the file too?
Exclusions are global - yes.
It will be returned with some caveats - if the PE is less than 75MB in size and it is still in the Safe Store.
Be aware, adding an exclusion will let the PE run without interference - other than from Exploit prevention. With that in mind, folder exclusions are very dangerous and should only be done in specific circumstances.