Basically what it says on the tin. I have a client computer that self-isolated due to running malware in quarantine/cleanup error. Removed the offending .exe, updated Sophos, rebooted the PC, ran a new scan, etc.
However, despite the endpoint client not finding anything on other scans, the computer is still listed as Red Health and stuck in isolation. From reading the Community article on isolation, the only way to un-isolate a computer in this situation is to fix the health status. But since the offending file has been removed with no change in health, I'm at a bit of a loss.
Compounding this is the fact that the user is working from home without admin rights, so I cannot physically access the desktop.
Anyone have a suggestion on this?
Hello Something Clever,
You can create a new threat protection policy and assign this to the user (or use the existing policy assigned to the user) in Sophos Central, and disable the "Allow computers to isolate themselves on red health" setting in the meantime, at least while the user is working remotely. This will at least allow them to use the computer. The Computer Isolation FAQ has further information on this.
Once the user is back on site, you can work on resolving the red status on the machine. Below is some information you can use when applicable:
Security Health - Running malware in quarantine or cleanup failure
Reset events.db (please check out Jasmin's reply for steps)
You could add the computer to the EAP to get Live Response and Live Query going on their computer to troubleshoot it remotely. I would start by looking at the Health registry keys:
You might find this helpful as a guide:
Also check under:
For any outstanding events that have yet to be cleared. SAVService checks the values under here periodically. Say for example a zip file is detected, it might flag it as needing manual intervention for the threat to be cleared. If you delete the zip manually, it can take a while for SAVService to sweep the values in the above key to find that the file has been removed and resolve the threat.
https://community.sophos.com/products/intercept/early-access-program/f/recommended-reads/120153/live-response---viewing-the-raw-json-sophos-health-trail-files might be useful.
Worst case, you could stop the Sophos Health service having disabled Tamper Protection (locally: https://community.sophos.com/products/intercept/early-access-program/f/recommended-reads/120148/live-response---don-t-forget-tamper-protection), rename the events.db file under: C:\ProgramData\Sophos\Health\Event Store\Database and then start the service again.
Hope it helps.
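The "worst case" reset described in the reply above, as an added PowerShell example that is not from the thread or from Sophos: it stops the Sophos Health service, renames (rather than deletes) events.db under the quoted path so the old event store can be inspected or restored, and starts the service again. It assumes Tamper Protection has already been disabled for the endpoint in Sophos Central (otherwise the stop will fail with access denied), that the service's display name begins with "Sophos Health" (an assumption; adjust the pattern if your build names it differently), and that the service recreates an empty events.db on start (also an assumption, so the script only reports whether the file came back).

```powershell
# Added example, not Sophos code: reset the Sophos Health event store.
# ASSUMPTIONS: Tamper Protection already disabled for this device in Sophos Central;
# service display name matches 'Sophos Health*'; events.db path as quoted in the thread.
#Requires -RunAsAdministrator

param(
    [string]$EventStoreDir = 'C:\ProgramData\Sophos\Health\Event Store\Database',
    [string]$ServiceDisplayNamePattern = 'Sophos Health*'   # assumed display name
)

$ErrorActionPreference = 'Stop'

# Locate the service by display name so the script does not depend on the exact service name.
$svc = Get-Service -DisplayName $ServiceDisplayNamePattern | Select-Object -First 1
if (-not $svc) { throw "No service with display name matching '$ServiceDisplayNamePattern' was found." }

$db = Join-Path $EventStoreDir 'events.db'
if (-not (Test-Path -LiteralPath $db)) { throw "events.db not found at $db; nothing to reset." }

# Stop the service. With Tamper Protection still enabled this is where it fails (access denied).
try {
    Stop-Service -Name $svc.Name -Force
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
} catch {
    throw "Could not stop '$($svc.DisplayName)'. If this is an access-denied error, Tamper Protection is probably still enabled. Detail: $_"
}

# Rename instead of deleting so the old event store survives for inspection or rollback.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = "$db.bak-$stamp"
Rename-Item -LiteralPath $db -NewName (Split-Path -Path $backup -Leaf)
Write-Host "Renamed events.db to $backup"

Start-Service -Name $svc.Name
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Assumed behaviour: the service recreates an empty events.db on start. Give it a moment, then report.
Start-Sleep -Seconds 10
if (Test-Path -LiteralPath $db) {
    Write-Host "'$($svc.DisplayName)' is running and $db was recreated. Re-check the device's health in Sophos Central."
} else {
    Write-Warning "'$($svc.DisplayName)' is running but $db has not been recreated yet. Check the service logs before restoring $backup."
}
```

Run it from an elevated PowerShell on the endpoint (or via Live Response once the device is in the EAP), and re-enable Tamper Protection in Sophos Central as soon as the health status has recovered; the backup file can be deleted once the device shows green.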
In reply to jak:
Hi there, I had the same issue with a user recently. I followed the instructions above but that didn't work. However, what did work for me was the following.
- Disable/suspend Tamper Protection on the user's local machine.
- Find the event in question and hit the resolve option on the far right.
- Once that was done, the user machine was removed from auto-isolate.
Hope it helps.