
Unable to delete manually files in quarantine

Hi all,

Environment: Windows 2008 R2 Server used as a file server

Running Sophos Endpoint Security and Control v10.2 on the server

The antivirus detected several infected files.

In the Quarantine Manager, under the "Available actions" column:

"no action (manual cleanup required)"

When trying to manually remove these files (with a basic Shift+Del), there is a message "Authorization Required" (as files are in quarantine).

Even the main domain administrator login is insufficient.

How are we supposed to delete those files?

All the best,



This thread was automatically locked due to age.
  • Hello an_SMB_techteam,

    Quarantine (and the quarantine manager) is one thing, Windows (and Explorer) is another. The on-access scanner does not deny delete requests (which would cause kinda deadlock) nor does QM interfere with deletes.

    Can you provide details of the detection (threat name, path and name of the files)?

    Christian

  • Path is U:\***\Documents\***\Downloads\SuperOneClickv1.9.1-ShortFuse\Exploits

    File is U:\***\Documents\***\Downloads\SuperOneClickv1.9.1-ShortFuse\Exploits\psneuter

    Threat is Andr/DroidRt-A

    I am connected as the main domain administrator (DOMAINNAME\Administrator)

    I click on the file to select it, then I press the "Delete" button on my keyboard.

    First, a popup appears in the taskbar:

    "Threats detected by Sophos

    'Virus/Spyware' Andr/DroidRt-A has been detected and moved to quarantine

    Click there to see the Quarantine Manager"

    (this is a translation : English exact equivalent may differ)

    Then (a few milliseconds after), a Windows popup window appears:

    "Delete several elements

    Do you really want to delete permanently these 1 elements?

    [Yes] [No]"

    I click on "[Yes]"

    The Sophos popup in the taskbar appears again, exactly the same.

    A Windows popup appears:

    "Access to file denied

    You must have permission to perform this action.
    You need permission from DOMAINNAME\Administrator to edit this file.
    psneuter

    Type : File

    Size : 572 Ko

    Modified : 08/01/11 18:02

    [Retry] [Abort]"

    Once again, I am connected as DOMAINNAME\Administrator !!!


    When I click on [Retry], the same Windows popup appears endlessly.

    Any advice is welcome!

  • Hello an_SMB_techteam,

    the detection is "normal" as Explorer usually accesses the file (depending on the settings this could be when you just browse the folder, when you hover the mouse pointer over it or when you click on it). Haven't seen the following behaviour but then this might as well depend on various settings.

    Did you try to get rid of it with an on-demand scan? To do so, open the SESC GUI -> Configure anti-virus and HIPS -> Right-click scanning. Make sure Scan all options in the Scanning tab are checked. On the Cleanup tab select Delete in the Viruses/spyware section. Then in Explorer right-click either the file or the containing folder and request Scan with Sophos Anti-Virus (as an aside, the On-demand exclusions are still respected). This should remove the file.

    Christian 

  • Well, this solution worked and the file is now deleted, thank you for that.

    However, I feel a little bit uncomfortable with allowing automatic file deletion on a file server, even for a few moments.

    Among our hundreds of thousands of files, we have at least one false positive (a clean, simple MS Word file identified as a virus - the file is clean according to online scanners, including Sophos!)

    What if a user accesses such a file through the network: would his work be lost? Or does this "automatic file deletion" apply only to a right-click operated on the server itself?

    Regards

  • Good to hear it worked.

    Right-click cleanup settings are not part of the policy - i.e. they are configured on the endpoint (whether workstation or server) only (the other centrally configured cleanup is for scheduled scans) and also do not cause non-compliance. That's one of the purposes of right-click (the others would be scanning an archive before opening it or other items normally not scanned by on-access).


    Christian

  • Christian,

    So, problem is solved! Thank you very much.

    Kind regards
