Running malware in quarantine or cleanup failure

I see a few clients in my console that have this listed under their Status. How can I resolve this alert for them?

I have seen a few posts about this, but no real clear indicator of how to resolve it, so if someone can tell me what needs to be done I would appreciate it!

TIA!

  • Hi Jeff, 

    Can you please try the following suggestions and let me know if you are still seeing the alert?

    > Reboot.
    > Full Scan on the reported client machine.
    > Resolve the alerts in the central console.
    > Sophos clean scan (If the alert is still seen after the full scan)
    > Confirm if the file is still present in the actual folder location.

  • In reply to Gowtham Mani:

    I rebooted, alert still present.

    I did a full scan, alert still present.

    How do I resolve the alert in the central console, when it does not even show me what the actual issue is?

  • In reply to Jerry Gonzales:

    I'm having the same issue. There is no threat on my device but I'm having a difficult time removing the alert.

  • In reply to Jerry Gonzales:

    Hi Jerry,

     

    I found a way to clear the alert. Once you have verified that any threat has been removed, open Sophos Endpoint> Log in as Admin> Go to Events> Find the alert> Select "Ignore". Once the device communicates with Sophos Central, the alert will be removed there as well.

     

    Hope this helps.

     

    Mike

  • In reply to Michael Smith4:

    I am unable to find the option to ignore in the Sophos Endpoint. And as you can see from the screenshot, I also can't read the full path to where the offending file is located.

     

  • In reply to Jerry Gonzales:

    You have to select "Admin Login" and enter your credentials first.

  • In reply to Michael Smith4:

    That did it, thanks.

    For those who don't know how to log in with "Admin Login", you need to go to Sophos Central, select your server in the Summary Tab, select Show Details for the Tamper Protect. Select show password, then copy and paste the password into the server for the "Admin Login".

     

  • In reply to Michael Smith4:

    Michael Smith4

    Hi Jerry,

    I found a way to clear the alert. Once you have verified that any threat has been removed, open Sophos Endpoint> Log in as Admin> Go to Events> Find the alert> Select "Ignore". Once the device communicates with Sophos Central, the alert will be removed there as well.

    Hope this helps.

     Mike

     

     
    I have the same issue here, but I can't do this step as Central Events won't go back far enough. The event happened Oct 18th, 2018 and the Central events only go back 90 days, which stops at Oct 31, 2018 as of today. So my endpoint shows red because I can't clear the Oct 18th event which is already clean. What do I do?

  • In reply to Shawn Lyman:

    Hi  

    Can you enable remote assistance in your Central account and PM your license (along with the client machine details) so that I can take a look into it? Since it's past 90 days, we might have to reach our backend team.

  • You can close this thread. The last answer worked. Thanks