PUA "remnants" persistent in Windows 10 Sophos Home. Conflicting Support Responses.

Sophos does not recommend adding exclusions unless you are 100% sure the application is safe. We recommend customers submit a sample of the application's executable (.exe) to Sophos' Lab for a review and, if needed, a re-categorization https://secure2.sophos.com/en-us/support/submit-a-sample.aspx

The above is an excerpt from the Sophos Home Support Page Adding-local-exclusions-Allowing-Installations-and-or-applications-to-run

I have a year's subscription to Sophos Home Premium. Links in the Community for Sophos Home take me to the minimalist Sophos Home Support pages.

From 5 January through 2 March I attempted to have this advice acted upon by Sophos Home Support.

This involved multiple chats, reinstalls, reboots, scans, screenshots and SDU Log uploads.

Highlights (not) of Support:

  • Do you really need the Application?
  • Are you sure you submitted it?
  • If the response had outdated links in it, you must have submitted it in the wrong place
  • To prevent these messages from cluttering your dashboard, we suggest not running scans via "scan computer"
  • Please let me know if you have any further questions

Today I ran a scan via "scan computer"; it showed hundreds of PUA remnants and also 13 tracking/malicious cookies. The right-click full PC scan did not show anything, nor did the scheduled remote scan.

I was advised to "Let Real-Time protection do its job and you will be protected"

Therefore the Sophos app on my Taskbar becomes a glorified link to the settings, and cookies go unnoticed.

Adding folders as cloud exceptions or local .exe files makes no difference to the outcome. I was informed the exception folders will not be scanned for changes by Sophos.

Does this also mean not covered by the real-time protection?

The application in question is CleanMyPC a system tool from MacPaw who also have CleanMyMac. CCleaner is the nearest equivalent in capabilities/system permissions.

CCleaner is on the LABs PUA controlled list.

  • Hi Aliss,

    I am very sorry to hear that your experience with support was not satisfactory.

    Remnants are only detected by Premium scans - i.e. "Scan Computer". They are registry keys and files associated with PUAs. They will not be detected with other scan types, as you have pointed out on your message.
    They are reported to the dashboard, and in your Sophos Home antivirus program. But they can only be deleted on the AV program at the end of the scan where they have been detected (or manually by accessing those locations on the computer).

    At this time, remnants cannot be excluded, so exclusions will not make a difference. As covered in our articles, we do not recommend adding those anyway, but if a customer chooses to do so, they can, at their own discretion (the best way to go about it is reaching out to Sophos Labs instead). 

    Having said that, if you do not wish to delete said remnants as you believe they belong to a legitimate program, you can still run your scans normally and delete any other things that may show up.

    I have seen the report from Labs stating the file is clean, and I checked the app against VirusTotal, which also shows it as clean. I will work on getting more information regarding these remnants and get back to you.

    Thank you for your understanding, and again, sorry about any inconveniences.

    Please, let me know if you would like me to contact you directly via our ticketing system, so we can continue working there.  
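The reply above describes remnants as registry keys and files still associated with a program, which can be removed by hand from those locations once the program has been judged legitimate or stale. The following PowerShell script is an added example, not code from the thread or from Sophos, showing how a user could inventory such leftovers before deciding what to delete. The product name is the one discussed in the thread; the registry roots and folder roots searched are assumptions about where Windows installers commonly leave artifacts, not a Sophos detection list. The script only lists what it finds and deletes nothing.

```powershell
# Added example, not from the thread or from Sophos: read-only inventory of
# the kind of leftovers a "remnants" detection points at, i.e. registry keys
# and files on disk still associated with a program. The product name is the
# one from the thread; the search locations are assumptions about where
# installers commonly leave artifacts, not a Sophos list.
param(
    [string]$ProductName = 'CleanMyPC'
)

# Uninstall entries (64-bit, 32-bit and per-user views).
$uninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Vendor/product keys that installers create alongside the uninstall entry.
$softwareRoots = @(
    'HKLM:\SOFTWARE',
    'HKLM:\SOFTWARE\WOW6432Node',
    'HKCU:\SOFTWARE'
)

# Folders where files are commonly left behind after an uninstall (assumed).
$fileRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramData,
    $env:LOCALAPPDATA,
    $env:APPDATA
) | Where-Object { $_ -and (Test-Path $_) }

$findings = New-Object System.Collections.Generic.List[object]

foreach ($root in $uninstallRoots) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        if ($props.DisplayName -like "*$ProductName*") {
            $findings.Add([pscustomobject]@{
                Kind     = 'RegistryUninstallEntry'
                Location = $_.PSPath
                Detail   = $props.DisplayName
            })
        }
    }
}

foreach ($root in $softwareRoots) {
    Get-ChildItem $root -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like "*$ProductName*" } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind     = 'RegistryKey'
                Location = $_.PSPath
                Detail   = ("{0} value(s), {1} subkey(s)" -f $_.ValueCount, $_.SubKeyCount)
            })
        }
}

foreach ($root in $fileRoots) {
    # One level deep only: a leftover product folder sits directly under these roots.
    Get-ChildItem $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$ProductName*" } |
        ForEach-Object {
            $size = (Get-ChildItem $_.FullName -Recurse -File -ErrorAction SilentlyContinue |
                     Measure-Object Length -Sum).Sum
            $findings.Add([pscustomobject]@{
                Kind     = 'Folder'
                Location = $_.FullName
                Detail   = ("{0:N0} bytes" -f [int64]$size)
            })
        }
}

if ($findings.Count -eq 0) {
    Write-Output "No registry keys or folders matching '$ProductName' found in the searched locations."
} else {
    # Nothing is deleted: review the list, then remove only what you have confirmed is stale.
    $findings | Format-Table Kind, Location, Detail -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM hives are readable, and compare its output with what the "Scan Computer" report lists. An uninstall entry or product folder that still appears while the program is installed and wanted is expected; the same items appearing after the program has been uninstalled are the leftovers worth cleaning up.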

  • In reply to Barb@Sophos:

    Hi Barb,

    Thanks for your response. On your advice I have removed the Folder and local executable exceptions/exclusions for CleanMyPC.

    The number of scans which were performed in the troubleshooting between Jan and March did indeed have a cluttering effect, which will now diminish to the occasional local scan for cookies etc.

    Thanks also for your continued work on this issue. Unless you require further SDUs I would like to leave the ticketing for now.

    I did not receive an email upon your reply in this forum or I would have replied sooner. I see a box with "notify me" ticked below. I will check daily.

  • In reply to Aic:

    Hi Aliss,

    The remnants for CleanMyPC should no longer appear.
    Could you please perform another scan ("Scan Computer")  to confirm? 

    Thank you!

    PS: To receive an email when somebody replies to your posts, you need to do 2 things: 

    1 - Click "Notify me when someone replies to this post" 
    2 - Click on your username at the top right of the screen --> Settings and make sure "Enable email contact" is checked. 

  • In reply to Barb@Sophos:

    Hello Barb,

    Scan completed, and no remnants. Thank you!

    Interested to know: has Sophos addressed all remnant behaviour in the scanning engine, or just specifically CleanMyPC?

    Not seeing CleanMyPC in the labs.
    PS: not receiving emails although:

    1 -  Clicked "Notify me when someone replies to this post"

    2 - "Enable email contact" has been checked since joining the community
  • In reply to Aic:

    Hi Aliss,

    The changes were performed for CleanMyPC.

    Emails should come from "Sophos Community - Automated Email" - via a noreply email address, so make sure you don't have any filters for those, or that they are being sent to your Junk Mail. 
    Please, let us know if there's anything else we can assist you with. 

    Thank you!

  • In reply to Barb@Sophos:

    Hello Barb,

    Perhaps you can direct me to assistance regarding the failure of email notifications for my account.

  • In reply to Aic:

    Hi Aliss,

    I've sent you a private message so that we can continue troubleshooting via there.
    Thanks!

  • In reply to Barb@Sophos:

    Hi Barb,

    Thanks for taking the time to get my Community Notifications working.

    Not to mention clearing out those pesky remnants.

    A marvellous introduction to the Sophos Community