
Isolated PC, "Failed to clean up threats" because they were removed. How to re-run the scan?

I have a PC using Sophos Endpoint.  I am not the admin, the admin is not available, and I do not have the admin password.

Version is:

Core Agent 2.6.0
Endpoint Advanced 10.8.6
Sophos Intercept X 2.0.16
Device Encryption: Not Installed

Sophos detected malware in an EXE, so I deleted it.  Unfortunately, Sophos does not consider a deleted file good enough, as it still lists the files as "Failed to clean up threats."

As a result, Sophos bricked the PC (I assume you guys call that 'isolated'), but it is bricked just the same.  It has no internet access.  Not even Sophos help works...a big lol to a security system that bricks its own help, but whatever.

So.  The files are deleted...how to convince Sophos to re-scan and unbrick the PC?  


There is a 'refresh Events' button, but it does not actually refresh the events...it just assumes the files are still there and leaves the PC Bricked.

There needs to be a way that end users can fix their own PCs when the Admin is not available.  How is this done?


  • Hi  

    You will require a tamper protection password to remove the device from isolation, or you can contact your IT administrator so that they can remove the device from isolation from central dashboard. Please refer to this article for more information. 

  • In reply to Shweta:

    Considering we are in a national emergency these days, there needs to be a way to remove a device from isolation without the admin.  How can we get this policy changed?

  • In reply to Jim Oliver:

    Hi  

    You can turn off the option to isolate red health devices from your Endpoint Threat Protection policy so these don't get isolated moving forward, in the meantime.

    For devices that are currently isolated due to this setting, these would need to be removed from isolation by an Admin.

  • In reply to DianneY:

    But it is not a "red health" device.


    I fixed the issue.


    How can a non-admin get Endpoint to re-test a device?

  • In reply to Jim Oliver:

    Hi  

    Would you please help us to understand the meaning of re-test a device? What do you want to test on the endpoint?

  • In reply to Jasmin:

    I just mean re-run whatever scan the anti-virus used to lock down my PC in the first place.

    In my case, Sophos detected SoftPulse, certainly annoying but not the biggest threat out there.  I removed the infected files, but by then the damage was done....Sophos marked my machine as "isolated" and bricked it.

    Note Sophos did more damage to my machine than the virus.

    I would like to have the ability to re-run the virus scan, and if Sophos did not find the threat anymore, unbrick the device.

    There should be a way to do this.  Note the admin cannot visit my house, because we are under a mandatory stay-at-home order.  You don't want to violate state law, do you?

    I need to be able to do this.  With a bricked device, there is a good chance that I will not be able to contact the admin in any case.  This is unacceptable.

    I need to be able to unbrick my own machine, if I have managed to remove the virus...which I did.

    Please modify the Sophos Endpoint so a user can re-run the scan, and if the virus is not found, the device is no longer "Isolated" (i.e. bricked.)


  • In reply to Jim Oliver:

    Hi  

    These are Sophos policies that are set by your Admin, and they are the ones who will be able to remove the machine from the "isolated" state.

    The process to be followed to get your machine working again depends on how/why your machine was isolated. This process involves some action in the Sophos Central Dashboard, and there is no need for a physical visit by an IT administrator.

    For any Sophos product enhancement requests, please submit, or vote on an existing one here.

  • In reply to DianneY:

    How do I contact the admin with a bricked machine?

  • In reply to Jim Oliver:

    Hi  

    You should be able to contact them via phone or from a different device; following your company's IT policy/processes.

  • In reply to DianneY:

    And if they are not available?

  • In reply to Jim Oliver:

    Hi  

    There is always an IT policy which tells you whom to contact in case the admin is not available. That is the reason  has also mentioned the IT policy in his statement.