Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?

  • In reply to 486dx50:

    Hi  

    Sophos AV never alters the permissions on the machines because it can be a violation of the permissions set up by the user on the machines for security reasons. It automatically cleans up files where it has appropriate permission to do that and will not be able to clean up the files if the permissions are not in place.

  • In reply to Jasmin:

    Jasmin
    Hi  

    Sophos AV never alters the permissions on the machines because it can be a violation of the permissions set up by the user on the machines for security reasons. It automatically cleans up files where it has appropriate permission to do that and will not be able to clean up the files if the permissions are not in place.

    Sophos Endpoint Protection had permissions to file location - that wasn't a problem. It only had to clear the ReadOnly attribute on the infected file to be able to clean the threat. That way I wouldn't get notifications for days that Endpoint Protection couldn't clean the threat. What's more important - to clean the threat or to not touch infected file's attributes?

  • In reply to 486dx50:

    Hi  

    When any file has read-only checked, it means no one can modify/delete the file and also can't change the permission other than admins.

    Because the files were read-only, Sophos was unable to clean the file from there.

    I'd suggest you open a new thread as the original thread was for a different issue which can confuse other community members who are willing to answer on your post.

  • In reply to Jasmin:

    Jasmin
    Hi  

    When any file has read-only checked, it means no one can modify/delete the file and also can't change the permission other than admins.

    Because the files were read-only, Sophos was unable to clean the file from there.

    I'd suggest you open a new thread as the original thread was for a different issue which can confuse other community members who are willing to answer on your post.

    That's not true. Users without Administrator role can set and clear file attributes. You are confused between attributes and permissions, which are different properties of the file system objects. I appreciate your suggestion.

  • In reply to 486dx50:

    Hi  

    Sorry for the confusion.

    You're right, I took it as permissions. However, Sophos also never changes the attribute of the file.

    Did you get the notification like Manual clean up required or something like that? If that is the case Sophos had limited access to that or that file.

    I'd request you to submit that file again to the Sophos sample submission portal stating that it was not cleaned up automatically, so labs will check and will correct it if anything is required from Sophos end.

  • In reply to Jasmin:

    Jasmin
    Hi  

    Sorry for the confusion.

    You're right, I took it as permissions. However, Sophos also never changes the attribute of the file.

    Did you get the notification like Manual clean up required or something like that? If that is the case Sophos had limited access to that or that file.

    I'd request you to submit that file again to the Sophos sample submission portal stating that it was not cleaned up automatically, so labs will check and will correct it if anything is required from Sophos end.

    The file was a Microsoft Outlook document (.msg). I was getting multiple messages that the threat can't be cleaned as Sophos unsuccessfully tried to remove the file from the file system. I don't quite remember about being offered to clean them manually; next time I'll remember to look. I was wondering why Sophos can't clean it, and when I opened file properties to check permissions to make sure the system and my account have access to the file, I saw the RO attribute was set, so I cleared it, and then Sophos was able to remove the file. If Sophos detects a threat, I think it shouldn't wait for a user permission to change the attributes in order to remove a malicious file, because many users don't know much about computers and how everything works. And by automating this process Sophos would also lower unnecessary tech support calls.

  • In reply to 486dx50:

    Hi  

    When there is a scenario where Sophos can't clean up the file automatically, it generally prompts to remove the file manually because of permissions or attributes assigned to that file or sometimes detection which is created for that file may not have clean up command to remove it from the location.

    Manual clean up is required in such a scenario as Sophos never alters the file attributes, permissions on the machine.
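
The attribute-versus-permission distinction discussed in this thread can be checked on a Windows machine with the following PowerShell sketch. It is an added example, not part of any post above and not Sophos tooling; the function name `Get-DeleteBlocker` and the temp file are hypothetical, and the file is a constructed stand-in for the item that could not be cleaned.

```powershell
# Constructed sample: a harmless temp file stands in for the file cleanup could not remove.
$path = Join-Path $env:TEMP 'readonly-demo.msg'
Set-Content -LiteralPath $path -Value 'constructed sample, not malware'
Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true

# Hypothetical helper: report the ReadOnly attribute separately from ACL (permission) data.
function Get-DeleteBlocker {
    param([Parameter(Mandatory)][string]$LiteralPath)

    $item = Get-Item -LiteralPath $LiteralPath -Force   # file system object with attributes
    $acl  = Get-Acl  -LiteralPath $LiteralPath          # security descriptor (permissions)

    [pscustomobject]@{
        Path       = $item.FullName
        ReadOnly   = $item.IsReadOnly                   # attribute, not a permission
        Attributes = $item.Attributes
        Owner      = $acl.Owner
        DenyRules  = @($acl.Access | Where-Object AccessControlType -eq 'Deny').Count
    }
}

Get-DeleteBlocker -LiteralPath $path | Format-List

# A plain delete fails on the attribute alone, even though the ACL allows it.
try {
    Remove-Item -LiteralPath $path -ErrorAction Stop
}
catch {
    "Delete failed: $($_.Exception.Message)"
}

# Clearing the attribute does not touch the ACL; afterwards the delete succeeds.
Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $false
Remove-Item -LiteralPath $path -ErrorAction Stop
"Still present after clearing ReadOnly: $(Test-Path -LiteralPath $path)"
```

On a real endpoint, run only the `Get-DeleteBlocker` call against the path named in the cleanup alert before deciding whether the attribute or the ACL is what blocks removal.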