
Removed from quarantine list

I have noticed a new Action Taken category within the Sophos Enterprise Console for Endpoint Security and Control version 9 called "Removed from quarantine list". What does this mean? Did the user remove the virus from the Quarantine manager or did Sophos do something internally?



This thread was automatically locked due to age.
  • I am also having the same "issue" and would like more information about this.

    I guess I'll contact support directly and see what I can find out. I'll post back.

    • Did you figure this out with support personnel?

      Time                 | Type                | Path                                                                                                      | Action taken                 | User
      1/19/2011 7:04:34 AM | Suspicious behavior | c:\documents and settings\633431\local settings\temporary internet files\Content.IE5\IXQ9TKDX\nova[1].exe | None                         | user
      1/19/2011 7:03:43 AM | Virus/spyware       | C:\Documents and Settings\633431\Application Data\Sun\Java\Deployment\cache\6.0\58\1554d1ba-5f7bcd4f      | Removed from quarantine list | NT AUTHORITY\SYSTEM
      1/19/2011 7:03:37 AM | Virus/spyware       | C:\Documents and Settings\633431\Application Data\Sun\Java\Deployment\cache\6.0\58\1554d1ba-5f7bcd4f      | Blocked                      | user
      1/19/2011 7:03:30 AM | Virus/spyware       | C:\Documents and Settings\633431\Application Data\Sun\Java\Deployment\cache\6.0\58\1554d1ba-2850515e      | Removed from quarantine list | NT AUTHORITY\SYSTEM
      1/19/2011 7:03:22 AM | Virus/spyware       | C:\Documents and Settings\633431\Application Data\Sun\Java\Deployment\cache\6.0\58\1554d1ba-2850515e      | Blocked                      | user
      1/7/2011 3:47:55 PM  | Virus/spyware       | h__p://www1.505.ru/i.php                                                                                  | Cleaned up                   | user
      • Hi,

        Just did a quick test... If you detect eicar.com on a client machine, an entry gets created in the QM on the client and you get an alert in SEC. If, however, the file, let's say C:\eicar.com, is deleted by the user or an application, for example: the QM on the client doesn't update, as it doesn't constantly check that everything that has been detected is still on disk, presumably for performance reasons.

        So then in SEC you might issue a clean-up on C:\Eicar.com as it's still outstanding in SEC; this essentially fails as the file has already been deleted, hence "Removed from quarantine list". It then clears the alert in SEC as essentially the threat has been dealt with. It seems like just extra info to me that the file has been removed externally to SAV, which can often be the case if a file is in a temp location and then purged.

        Regards,

        Jak

        • I agree with jak, this was the response I got from support (sorry I never got around to posting it!)

          You may have another threat that is dropping the file, you might have a new variant of a threat that is causing the file to reappear, or it might be an older alert on that system that didn't get cleared. Clearing the existing alerts locally on the system will confirm it is not an older alert that didn't get cleared. Running a full scan of all of your files will make sure the file is cleaned; adding the suspicious files and PUA scanning options to that scan will also look for other things on the system you might not be scanning for as part of your on-access scanning. In order for cleanup to be automatic, all components of a threat must be found on the system, and that is why all files should be scanned.

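The two explanations in this thread (Jak's: cleanup ran after the file had already been purged from a temp or cache location, so SEC closed the alert as "Removed from quarantine list"; support's: a file that comes back after cleanup points to a dropper or new variant) can be turned into a triage over exported alert history. The script below is an added example, not Sophos code or anything posted in the thread. The log lines are constructed to mirror the events posted above, with three extra lines for a file that reappears after cleanup; the " | " separator, column order and verdict names are assumptions for the example, and SEC's real export format is not shown on this page.

```python
"""Triage SEC alert history around "Removed from quarantine list".

Added example; it models the thread's two explanations:
  - cleanup found nothing because the file was already gone (Jak)
  - a file detected again after cleanup points to a dropper (support)
"""
import os
from collections import defaultdict
from datetime import datetime

# Actions that close an alert rather than raise one.
CLEARING_ACTIONS = {"Removed from quarantine list", "Cleaned up"}
TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample modelled on the events posted in this thread.  The " | "
# separator and column order (time, type, path, action, user) are assumptions
# for this example, not an SEC export format.  The last three lines are
# constructed to show a file that comes back after being cleaned up.
SAMPLE_LOG = r"""
1/19/2011 7:04:34 AM | Suspicious behavior | c:\documents and settings\633431\local settings\temporary internet files\Content.IE5\IXQ9TKDX\nova[1].exe | None | user
1/19/2011 7:03:43 AM | Virus/spyware | C:\Documents and Settings\633431\Application Data\Sun\Java\Deployment\cache\6.0\58\1554d1ba-5f7bcd4f | Removed from quarantine list | NT AUTHORITY\SYSTEM
1/19/2011 7:03:37 AM | Virus/spyware | C:\Documents and Settings\633431\Application Data\Sun\Java\Deployment\cache\6.0\58\1554d1ba-5f7bcd4f | Blocked | user
1/19/2011 7:03:30 AM | Virus/spyware | C:\Documents and Settings\633431\Application Data\Sun\Java\Deployment\cache\6.0\58\1554d1ba-2850515e | Removed from quarantine list | NT AUTHORITY\SYSTEM
1/19/2011 7:03:22 AM | Virus/spyware | C:\Documents and Settings\633431\Application Data\Sun\Java\Deployment\cache\6.0\58\1554d1ba-2850515e | Blocked | user
1/7/2011 3:47:55 PM | Virus/spyware | h__p://www1.505.ru/i.php | Cleaned up | user
1/20/2011 9:00:00 AM | Virus/spyware | C:\Windows\Temp\dropped.exe | Blocked | user
1/20/2011 9:00:10 AM | Virus/spyware | C:\Windows\Temp\dropped.exe | Cleaned up | NT AUTHORITY\SYSTEM
1/20/2011 9:05:00 AM | Virus/spyware | C:\Windows\Temp\dropped.exe | Blocked | user
"""


def parse_log(text):
    """Parse the sample lines into dicts, oldest first (SEC lists newest first)."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, path, action, user = (f.strip() for f in line.split(" | "))
        events.append({"ts": datetime.strptime(ts, TS_FORMAT), "kind": kind,
                       "path": path, "action": action, "user": user})
    return sorted(events, key=lambda e: e["ts"])


def triage(events):
    """Return {path: verdict} for each path in the history.

    reappearing         detected again after a clearing action: suspect a
                        dropper or new variant; run a full scan with the
                        suspicious-files and PUA options enabled
    cleared_externally  cleanup found nothing on disk (file already purged),
                        so the alert closed as "Removed from quarantine list"
    cleaned             SAV removed it itself
    outstanding         still listed, no clearing action yet
    """
    by_path = defaultdict(list)
    for e in events:
        by_path[e["path"].lower()].append(e)   # Windows paths: case-insensitive
    verdicts = {}
    for seq in by_path.values():
        cleared = reappeared = False
        for e in seq:
            if e["action"] in CLEARING_ACTIONS:
                cleared = True
            elif cleared:
                reappeared = True              # new detection after a clear
        last = seq[-1]["action"]
        if reappeared:
            verdict = "reappearing"
        elif last == "Removed from quarantine list":
            verdict = "cleared_externally"
        elif last == "Cleaned up":
            verdict = "cleaned"
        else:
            verdict = "outstanding"
        verdicts[seq[0]["path"]] = verdict     # keyed by the path as first logged
    return verdicts


def still_on_disk(events, exists=os.path.exists):
    """For outstanding file entries, report whether the file is really present.

    This is the gap Jak describes: the client's Quarantine Manager does not
    re-check the disk, so an "outstanding" entry may already be gone.  The
    `exists` callable is injectable so the check runs without the real paths
    (and on non-Windows hosts).  URL entries are skipped.
    """
    return {path: exists(path)
            for path, verdict in triage(events).items()
            if verdict == "outstanding" and "://" not in path}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for path, verdict in sorted(triage(evs).items(), key=lambda kv: kv[1]):
        print(f"{verdict:<19} {path}")
    print("outstanding entries still on disk:", still_on_disk(evs))
```

Paths whose verdict is "cleared_externally" match the thread's Java cache entries (Blocked by the user's on-access scan, then "Removed from quarantine list" under NT AUTHORITY\SYSTEM seconds later) and need no action; "reappearing" paths are the case support describes and warrant the full scan with suspicious-file and PUA detection enabled.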