PUA won't clear

We have a device whose C: drive the Enterprise Console picked up as being infected with BitCoinMiner, over a month ago.

I tried to clean it, but it was "uncleanable", so the device was rebuilt, yet it is still in the PUA box on the console.

It is clean/not infected, yet "protecting" the device does not clear it from the infected box.

How do I remove it from this box?



This thread was automatically locked due to age.
  • Hello Weeboo,

    There are two ways an Alert or Error is cleared from the console: 1) the applicable action is taken on the endpoint, or 2) it is acknowledged using right-click → Resolve Alerts and Errors on the selected computers or groups. For some alerts or errors only one of the options is available. In the case of a detection, "applicable" means that it is cleaned up or deleted by SAV (automatically, by an appropriate request using the Quarantine Manager, by a scheduled or on-demand scan with the appropriate settings, or by a request from the console if available) or removed from (the list in) QM. When you manually delete the offending item, or wipe and reinstall the machine (or reset it if it's a VM), then SAV isn't aware of this and consequently can't inform the console. Thus you have to acknowledge the alert in the console.
    Note that you can't acknowledge download or installation errors, neither from the local machine nor from the console. In these cases the error is cleared when the endpoint notifies the console of a successful download or install (even after rebuilding the device).

    Christian

  • I have a similar problem and I think I must be missing something.

    Sophos flagged 2 PUAs, minerd.exe & cgminer-nogpu.exe. It was unable to clean them so I removed them manually by uninstalling the software. I then acknowledged the alert on Sophos Central. The affected computer still says there is a threat detected both on the endpoint software and in Sophos Central. Sophos Central says "Malware or potentially unwanted applications in quarantine" in the status.

    I have 2 machines like this and would like to get them cleared.

    Thanks in advance, Tom.

  • Hello Tom,

    is it possible that this is a recurring detection? Just asking, you've probably checked.

    Management and the endpoint's UI differ between SESC and Central. I only know Central from the docs, and while the Admin help speaks of a local Quarantine Manager, the Endpoint help doesn't know quarantine. Perhaps you should ask in the Central forum.

    Christian
