Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?

  • In reply to Jiri Hadamek:

    Thanks, as I mentioned, this could be a product issue; I want to understand it, so I will try some testing at our end. If you see this again, especially if the message is showing in the console and the endpoint is showing as a green status, then please log a support case so we can investigate the logs.

  • In reply to PeterM:

    EHLO,

    In our case the PUA file was inside the archive and that was listed under EVENTS of that device on Sophos Central.

    And that switched computer status from "Healthy" to "Questionable".

    Why doesn't Sophos remove PUA from archives?

    The problem here is that we need some kind of centralized tool in the Sophos Central, so we don't have to remotely access every problematic machine or, even worse, to be there locally every time a problem arises.

  • I know this is an older thread, but FYI, I wanted to let everyone know I wrote a PowerShell function to allow your help desk to perform the health service reset without annoying the user.  You'll need to log in to Sophos Central to get the Tamper Protection Password.  Then, import the PowerShell module and run:

    Reset-SophosHealthService -ComputerName <target> -TamperProtectionPassword <password>

    It will then jump through the hoops: turn off TP, stop the service, rename the DB, start the service, and turn TP back on.  Of course you need local admin on the target computer.

    You can find the module on my public git repo: Sophos.psm1

    Hopefully that helps someone.  My goal was to make it easier for the help desk to handle these issues so that I didn't have to.

  • In reply to Steve Custer:

    Just for ease of use:

    This seems to be the current URL to the PowerShell-Script:

    https://github.com/ir0nh3at/Scripts/blob/master/Sophos%20Stuff/Sophos.psm1

    From a fast check this script looks good, but who am I to trust. Always check the scripts you are trying to run before doing so!

  • In reply to ErikRange@SD:

    Can someone please help me with this script? It keeps erroring out.

    Thanks

  • In reply to jacqueline Feliciano:

    Removing the event database as suggested in here worked for me.

    Turn off tamper protection, get an administrator prompt and execute:

    net stop "Sophos Health Service"
    ren "%ProgramData%\Sophos\Health\Event Store\Database\events.db" events.db.old
    net start "Sophos Health Service"

  • In reply to Jiri Hadamek:

    First you have to disable tamper protection on that endpoint. Then simply click on the red or amber Sophos health status; it will take you to "Malware or potentially unwanted applications in quarantine" with the Resolve button enabled. Then click on the Resolve button. Just IT :)

  • In reply to Jeewan Wajiranga:

    Hi Jeewan. I don't want to be rude, but I think you had better read the whole discussion about this problem.

    The problem isn't "how to remove the database locally with tamper protection disabled" on a "problematic" computer.

    The problem lies in the fact that it "cannot be solved" from the cloud console and that it needs local administrator access.

    You simply restate a known solution and (sorry for that) I cannot see any value in this.

  • In reply to Jiri Hadamek:

    If Sophos is not able to automatically clean up the files, I have seen that this has helped twice or so:

    Consider running Microsoft Autoruns to see if there are any unusual programs that are running automatically and are triggering the detection.

    Sometimes it's a scheduled task that is running a script that seems unusual but may be causing behavior that is malicious and is triggering a detection.

    For more information on MS Autoruns I recommend you read the official article here: https://technet.microsoft.com/en-gb/sysinternals/bb963902.aspx.

    Once you have located the process that is running a script that seems unusual, you can send the script sample that is being run to SophosLabs for further review, and remove it from your machine. Once done, do another system scan to see if something is still being detected.

    There is no remote quarantine cleanup, and I understand that it is frustrating that this may need to be done on individual machines, but you can start with this to investigate what it is exactly that is causing the detection, and possibly where it is in an individual machine.

    Thanks,

  • Is there an official method for this?

    The thread has multiple suggestions, some of which don't seem to apply anymore, and a community proposal, but this should have an official, Sophos supported solution that is in the KB and not spread out among the discussion groups.

    It is a common request; Sophos should have an official answer with steps and/or a tool to accomplish this task.
    Michael

  • In reply to Michael McGee:

    Bump for SEVENTY-THREE THOUSAND VIEWS...
    Make this an official/supported TID with ACCURATE instructions already, Sophos!

    Michael

  • In reply to Michael McGee:

    Hi

    When you still have a bad status even after the file that was detected as malware has been cleaned up, please follow the steps below:

    1. On the affected machine, open the Sophos Endpoint and check the status of the machine (green, amber or red).
    2. In Sophos Central Admin, navigate to the same device. Go to the Status tab and scroll to the bottom of the page. Check for any alerts. If there are any, acknowledge them.
    3. Reboot the endpoint.
    4. Perform a scan using the Sophos Endpoint installed on the computer.
    5. When the scan is complete, check if the status on the Sophos Endpoint is green. Also, check if the alert on the Sophos Central dashboard has been cleared.

    If there is no alert on the Status tab, please follow the steps below on the client machine.

    • Disable the Tamper Protection (if enabled).
    • Go to services.msc and stop the Sophos Health Service.
    • Browse to the following folder: C:\ProgramData\Sophos\Health\Event Store\Database.
    • Rename events.db to events.orig.
    • Restart the Sophos Health Service.
    • Open the Task Manager and end the Sophos UI.exe process.
    • Launch a new Sophos UI.exe process from C:\Program Files\Sophos\Sophos UI.exe

    NEXT: run a full system scan of the affected machine. If the alert returns, there is something more here that needs to be investigated.

    Sometimes the endpoint will not have a green status even after cleanup of the malware on the machine, and the Status tab will say that malware cleanup is required or that there is malware in quarantine.
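The health service reset that the posts above describe (disable tamper protection, stop the Sophos Health Service, rename events.db, start the service again) as one PowerShell function that runs it on one or more remote endpoints. This is an added example, not the Sophos.psm1 module linked earlier in the thread and not Sophos's own code; the function name Reset-SophosHealthEventStore is hypothetical. It assumes tamper protection has already been disabled for the endpoint in Sophos Central, that PowerShell remoting (WinRM) is reachable, and that the caller has local administrator rights on the target. It does not delete anything: the database is renamed with a timestamp so it can be restored, and the service is restarted even if the rename fails.

```powershell
function Reset-SophosHealthEventStore {
    <#
    .SYNOPSIS
        Renames the Sophos Health event store on remote endpoints so the health
        status is recalculated, following the manual steps from this thread.
        Hypothetical helper, not part of Sophos or of the Sophos.psm1 module.
    #>
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName,

        # Optional alternate credential with local admin rights on the target.
        [System.Management.Automation.PSCredential]$Credential
    )

    # Everything inside this script block runs on the endpoint itself.
    $remoteSteps = {
        $serviceName = 'Sophos Health Service'
        # Path from the thread: %ProgramData%\Sophos\Health\Event Store\Database\events.db
        $dbDir  = Join-Path $env:ProgramData 'Sophos\Health\Event Store\Database'
        $dbPath = Join-Path $dbDir 'events.db'

        $result = [ordered]@{ Computer = $env:COMPUTERNAME; Success = $false; Message = '' }

        $svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
        if (-not $svc) {
            $result.Message = "Service '$serviceName' not found; is the Sophos endpoint installed?"
            return [pscustomobject]$result
        }
        if (-not (Test-Path -LiteralPath $dbPath)) {
            $result.Message = "No events.db at $dbPath; nothing to reset"
            return [pscustomobject]$result
        }

        # Step 1: stop the health service. With tamper protection still enabled
        # this is expected to fail, so report that instead of going further.
        try {
            Stop-Service -Name $serviceName -Force -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
        } catch {
            $result.Message = "Could not stop '$serviceName' (tamper protection still on?): $($_.Exception.Message)"
            return [pscustomobject]$result
        }

        # Step 2: rename (never delete) the database so it can be restored later.
        $backupName = 'events.db.{0}.old' -f (Get-Date -Format 'yyyyMMdd-HHmmss')
        try {
            Rename-Item -LiteralPath $dbPath -NewName $backupName -ErrorAction Stop
            $result.Success = $true
            $result.Message = "Renamed events.db to $backupName"
        } catch {
            $result.Message = "Rename failed: $($_.Exception.Message)"
        } finally {
            # Step 3: always bring the service back, whether or not the rename worked.
            Start-Service -Name $serviceName -ErrorAction SilentlyContinue
        }

        return [pscustomobject]$result
    }

    foreach ($target in $ComputerName) {
        # -WhatIf / -Confirm support comes from SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($target, 'Reset Sophos Health event store')) {
            $invokeParams = @{ ComputerName = $target; ScriptBlock = $remoteSteps; ErrorAction = 'Continue' }
            if ($Credential) { $invokeParams.Credential = $Credential }
            Invoke-Command @invokeParams
        }
    }
}

# Example usage (targets are placeholders):
# Reset-SophosHealthEventStore -ComputerName 'PC-001', 'PC-002' -WhatIf
# Reset-SophosHealthEventStore -ComputerName 'PC-001' | Format-Table Computer, Success, Message
```

Each endpoint returns one object with Success and Message, so a help desk run over a list of machines ends with a table showing which ones were reset and which still need tamper protection turned off or a closer look. The "end and relaunch Sophos UI.exe" step from the post above is left out because it has to happen in the logged-on user's session; a reboot, or the user reopening the Sophos UI, covers it. As the Sophos reply further up says, reset the store only after confirming the detection itself has been dealt with, since the rename discards the endpoint's local event history.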

  • In reply to Jasmin:

    This faulty status problem is becoming more frequent over time, especially when Sophos triggers a cleanup and the program is subsequently authorized at a later date. It seems that authorization within minutes of cleanup works as expected but when the authorization is left for days/weeks/months after the cleanup then the bad status remains.

    Personally I've not seen a scan or reboot fix the bad status - only a full uninstall/re-install or the database reset mentioned above.

    Performing the above steps on one PC is time consuming enough, let alone tens/hundreds/thousands of PCs. Maybe Sophos should consider a bulk reset option in the Central Console to trigger the Health Service Database cleanse on the endpoint(s)?

  • In reply to ChrisKnight:

    Hi

    There can be several reasons why an endpoint is reporting a bad health status on the Central dashboard. We need to check the logs to see why it is showing a red health status. The steps mentioned above should only be performed by a Support engineer after checking that there are no malicious files present and no other issues with the endpoint, as they reset all the event databases. You may raise a feature request here for the bulk reset option from the Central console, and do post your valuable suggestion for our product management team to have a look and consider its feasibility.

  • In reply to ChrisKnight:

    I would like to add that Endpoint Protection couldn't clean the threat from a temporary Outlook folder (%LocalAppData%\Microsoft\Windows\INetCache\Content.Outlook) until I cleared the "ReadOnly" attribute on the file, something that the Sophos services should do automatically.