Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?

  • In reply to Andy Thompson1:

    I am having the same issue with a few of my clients. This error shows up in the console and I'm unable to clean it.

    Error: Malware or potentially unwanted applications in quarantine.

    What is the solution???

  • Same issue exists for us, 3 of my machines have this same issue. I have deleted the Folders mentioned (even though they contained nothing). I have tried restarting the PC and doing various other tricks to get this Alert to go away, no luck. 

  • In reply to Andy Thompson1:

    +1

    sigh

  • Having the same issue, any solution to this yet? It can't be uninstall and reinstall... what a pain. Sophos, please advise?

  • Removing the event database as suggested in here worked for me.

    Turn off tamper protection, get an administrator prompt and execute:

    net stop "Sophos Health Service"
    ren "%ProgramData%\Sophos\Health\Event Store\Database\events.db" events.db.old
    net start "Sophos Health Service"


  • In reply to Arno Zielke:

    To make life even easier, let's do it remotely and verify both are actually working.

    1. Disable Tamper protection

    2. Launch an elevated Command Prompt or PowerShell and use one of the two below, depending on which you prefer. I know the CMD version works; I have not tested the PowerShell one yet.

    CMD
    sc \\MachineName stop "Sophos Health Service"
    ren "\\MachineName\c$\ProgramData\Sophos\Health\Event Store\Database\events.db" events.db.old
    sc \\MachineName start "Sophos Health Service"

    PowerShell
    Stop-Service -InputObject $(Get-Service -ComputerName "MachineName" -Name "Sophos Health Service")
    Rename-Item -Path "\\MachineName\c$\ProgramData\Sophos\Health\Event Store\Database\events.db" -NewName "events.db.old"
    Start-Service -InputObject $(Get-Service -ComputerName "MachineName" -Name "Sophos Health Service")
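    A scripted version of the remote workaround in the post above, added here as an example and not posted by anyone in the thread. It performs the same three steps (stop the Sophos Health Service, rename events.db, start the service again) on each machine in a list, but runs them on the endpoint over WinRM with Invoke-Command instead of through the c$ share, waits until the service has actually stopped before renaming, restores the service even if the rename fails, and reports the outcome per machine. It assumes Tamper Protection is already disabled on each endpoint and that you are a local administrator there; the machine names are placeholders.

```powershell
# Added example (not from the thread): run the events.db workaround on several endpoints
# over WinRM and report what happened on each. Assumes Tamper Protection is already
# disabled on every endpoint and that the caller is a local administrator on them.
# Machine names below are constructed placeholders.
$Computers   = @('PC-PLACEHOLDER-01', 'PC-PLACEHOLDER-02')
$ServiceName = 'Sophos Health Service'

$Remediate = {
    param([string]$ServiceName)
    # Same path the thread uses, resolved on the endpoint rather than via the c$ share
    $db = Join-Path $env:ProgramData 'Sophos\Health\Event Store\Database\events.db'
    $r = [ordered]@{ Computer = $env:COMPUTERNAME; DbFound = (Test-Path -LiteralPath $db)
                     Renamed = $false; ServiceStatus = $null; Error = $null }
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { $r.Error = "service '$ServiceName' not installed"; return [pscustomobject]$r }
    if (-not $r.DbFound) {                    # nothing to rename: leave the service running
        $r.ServiceStatus = $svc.Status.ToString(); return [pscustomobject]$r
    }
    $stopped = $false
    try {
        Stop-Service -InputObject $svc -Force -ErrorAction Stop    # fails if Tamper Protection is still on
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))  # throws on timeout
        $stopped = $true
        # Keep a timestamped copy instead of clobbering an earlier events.db.old
        $backup = 'events.db.{0}.old' -f (Get-Date -Format 'yyyyMMdd-HHmmss')
        Rename-Item -LiteralPath $db -NewName $backup -ErrorAction Stop
        $r.Renamed = $true
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        # Always bring the service back up if we took it down, even after a failed rename
        if ($stopped) {
            Start-Service -InputObject $svc -ErrorAction SilentlyContinue
            try { $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30)) } catch { }
        }
        $svc.Refresh(); $r.ServiceStatus = $svc.Status.ToString()
    }
    [pscustomobject]$r
}

Invoke-Command -ComputerName $Computers -ScriptBlock $Remediate -ArgumentList $ServiceName -ErrorAction Continue |
    Select-Object Computer, DbFound, Renamed, ServiceStatus, Error |
    Format-Table -AutoSize
```

An access-denied error recorded at Stop-Service normally means Tamper Protection is still enabled on that endpoint.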

  • In reply to Arno Zielke:

    Sorry, but this does not help; imagine that I have 2000 PCs and I have to do this with each one. Why did Sophos decide to take out the quarantine?

    regards

    Mariano

  • In reply to Mariano Domecq:

    Hello Sophos!!!

    Are you sleeping?

    What you recommended worked - I agree. But this ISN'T a solution for thousands of PCs at all.

    I think quarantine "cleaning" has to work FROM your console - because your services HAVE all the permissions to do IT. Why bother with elevated prompts, PowerShell, remote access, etc. etc.???

  • In reply to Jiri Hadamek:

    Hello Mariano and Jiri,

    Sorry for the late response.

    I'd like to confirm a few things so that we can better assist you:

    Are you able to manually remove the infected files from your computer (there should be a path listed in the Central Alert)?

    If the file no longer exists/has been deleted, could you please try addressing the alerts in Central by acknowledging them, and let me know if they re-appear? (You may need to trigger an update on the endpoint.) Renaming the events.db as listed above is a workaround for a situation in which the normal troubleshooting steps do not help clear up the alerts.

    Regarding how Sophos cleans up files, this article provides some additional info:

    "By default, when Sophos Anti-Virus encounters malware it will prevent execution and then attempt to automatically clean the threat.  There are occasions however where automatic cleanup is unable to take place, for example, the detection identity does not have a cleanup routine, permissions to the file do not permit cleanup, the threat is an archive or some form of container format, etc."

    I am trying to gather further information regarding this process and I will get back to you as soon as I receive it.

  • In reply to Barb@Sophos:

    Hello Mariano and Jiri,

    I would like to investigate the possibility that there might be a bug in the software causing the alert not to be cleared.

    As explained already Sophos will automatically attempt to remove the threat, however in some cases this is not possible and manual action is needed. 

    Can we eliminate all the normal steps first, please? On one of the machines that is showing this message in the console, can you do the following (in this order):

    1. Log in to the machine and double-click the Sophos icon in the taskbar, then check the status of the machine (green, amber, red); if you can provide a screenshot of the "Events" tab, that would help.

    2. In the console, navigate to the same device and select the "Status" tab, scroll to the bottom of the page and check if there are any alerts. If there are, acknowledge them.

    3. Reboot the endpoint

    4. On the endpoint open Sophos again and click the "Scan" button.

    When the scan is complete, if the status of the machine is green, check the console to see if the message has gone. If the endpoint is still amber or red, can you take another screenshot of the "Events" tab and let me see it too.

    Once you have done all this, if it is still not fixed, it sounds like something isn't working as designed, so I would want to collect logs and investigate properly, but let's start with the above first.

  • In reply to PeterM:

    Hi PeterM,


    Unfortunately I have no "good for testing" computer now. But I think I have to repeat some info.

    The root of the problem is a false report: in the cloud console the computer reported some items in quarantine AND on the computer the "Quarantine directory" is COMPLETELY empty. We tried scanning many times - manually, from the console, etc. We didn't find any other method for clearing the message/alert than removing the database or uninstall/install.

    On the problematic computers we didn't find ANY problem, and removing the database ALWAYS helped us to solve this false alert.

    And yes, in the events on this computer some "malware found" and also "malware cleaned" entries were reported.

  • In reply to Jiri Hadamek:

    Sorry, what do you mean by "Quarantine directory"? Sophos doesn't use any folders of that name, and our quarantine is a database, not a directory.

  • In reply to PeterM:

    Hi PeterM,


    I used the information from your support - from Haridoss Sreenivasan - at the start of this discussion.


    _______

    Hi Jiri/Maurice,

    The infected files are moved to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED by default unless the directory is changed. Let me know if this helps resolve your issue.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support

    ------------------

  • In reply to Jiri Hadamek:

    Ah, OK, I can see the confusion here.

    Sorry, that information is incorrect. The "Infected" folder is not a quarantine and is not used at all by Sophos Central managed machines. It was originally part of the on-prem product (Enterprise Console); currently the part of the technology that uses that folder is not used in Central, so that folder will always be empty.

    The message "Malware or potentially unwanted applications in quarantine" just means that something has been detected and was blocked. If the message stays in the console, it could indicate that the alert hasn't been acknowledged in the console, or that for some reason the machine still thinks there is a threat on it. The first thing is to establish if there is an alert in the console; these are shown on the "Status" tab for the device at the bottom of the page. If there isn't, then log in to the device in question and start Sophos to see if the machine is in a green, amber or red state.

    If it is green, then something has gone wrong and the console doesn't know the issue is resolved. If it is in an amber or red state, then in theory there is probably a manual action that needs to happen on the device; it could be as simple as a reboot.

  • In reply to PeterM:

    Hi Peter


    Thank you for the explanation, but as I remember, no manual action that I tried helped me. I tried reboot, scan - manual and from the console - and I didn't find any possibility to clear this message, only clearing the database.

    I haven't seen this problem in the last weeks - maybe it is solved now. If I see this problem again I will react immediately following your recommendation and put our results here.