How to undo "cleanup" that automatically deleted a bunch of stuff I need without ever asking me?

I just ran Sophos for the first time on the advice of a web IT writer that I formerly trusted for advice. 

Aside from, for some reason, communicating a bunch of private information about my local machine and software to Sophos's servers, it decided on its own that a bunch of my apps were "unwanted" and "cleaned" (deleted) them without ever asking me... my Monero wallet, some stuff I use for legitimate pentesting solely on my own servers, etc.

It did give me one popup for one of the apps, which I specifically did NOT tell it to "clean" because I need it. Now it's gone. The app is still there, but when I open the package the binary and all its files are gone; it's just an empty package now.

How do I undo this broken "cleanup" before I delete Sophos from my Mac forever? I looked in the trash but the missing stuff isn't there. How do I tell it to put all the things I need back where they are supposed to be?

  • Hello Moe,

    The automatic cleanup does exactly what it says on the tin and removes anything denoted by the settings you left as default or configured.

    As far as I am aware, you cannot undo a cleanup unless it was a PUA in which case you can authorise it from the cloud consoles.

    Everything you have described is standard operation of an endpoint security product, as is that of a cloud-based product per the EULA.

    To summarise, Central does not know what you want; you have to configure it to act how you want it to act. Your Monero wallet and "legitimate" pentest tools could be classed as spyware/trojan and hacking tools respectively by a lay antivirus.

    It's unfortunate you have lost those, but in future I would recommend running through all the settings before deployment to avoid unintended actions or circumstances.

    If you are a commercial customer with a Support contract, you may be able to contact support for some other alternatives.


  • Hey Moe!

    It depends on the types of files but, in general, you can follow this process to restore your files from within Central Admin itself.

    We don't have a traditional "quarantine" per se but we have a technology we call the SafeStore. Your files should still reside in the SafeStore database and, if the above process doesn't let you release the files you're looking for, reach out to Sophos Technical Support and raise a ticket. They have a process to access the store directly and restore files (commonly used, on request, to gather malware samples for SophosLabs investigations).

    Hope this helps!