
Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?



This thread was automatically locked due to age.
  • Hi 

    Manual cleanup is commonly required for one of two reasons:

    • The file/item was detected in a location that is no longer accessible (like a USB pen drive that has been unplugged).
    • Or there is a file/item Sophos Anti-Virus cannot delete and you must delete it.

    The item detected may actually be a program that can be uninstalled so check this first.

    1. Note the name of the item as shown in the Quarantine Manager.  
    2. Open Add/Remove Programs from Control Panel.
    3. Scroll down the alphabetical list of installed programs and see if the name is mentioned.  
    4. Uninstall the program using its removal program.  There may be more than one item listed.
    5. Once the uninstaller has completed, move back to the Quarantine Manager where the item will still be shown.
    6. Click the 'more' option in the 'Details' column to display a list of detected components.
    7. Right-click the first item listed (there may be one or more items) and select 'Open location'. Windows Explorer will take you to the folder containing the item.  

    Delete the item from the folder by clicking on it once with the left mouse button and then pressing Shift + Delete on the keyboard - this bypasses the Recycle Bin. Click 'Yes' to confirm the deletion.

    Note:
     You can delete multiple items in the same folder at the same time by dragging the mouse cursor over them and pressing Shift + Delete.  You don't have to delete items like this - it's just recommended, but if you delete items in the normal way, ensure you empty the Recycle Bin afterwards.

    If the item no longer exists you will see an error message saying "Error displaying this folder's content" - this means the location no longer exists and you can try to open the location of the second item and check if that exists.

    Note:
     If the component detected ends with FILE:0000 or similar then the component was detected as it was attempting to run and will not exist on disk - you can therefore ignore all detected components that end like this.

     Repeat step 7 for any additional items.

    Once you have manually deleted the files from your computer, clear the item from the Quarantine Manager.

    We recommend that you now run a full scan to confirm your computer is free of malware.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
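
The check from step 7 and the two notes in the reply above, as an added PowerShell example (not part of the original post and not Sophos code): given component paths copied from the 'Details' list, it reports which still exist on disk, which locations are gone, and which end in FILE:0000 or similar and can be ignored. It only reports and deletes nothing; the function name, the `FILE:<digits>` pattern and the sample paths are assumptions.

```powershell
# Added example. Get-ComponentTriage is a hypothetical helper name.
function Get-ComponentTriage {
    param(
        [Parameter(Mandatory)][string[]]$Component
    )
    foreach ($c in $Component) {
        # Assumption: "FILE:0000 or similar" means a FILE:<digits> suffix.
        if ($c -match 'FILE:\d+$') {
            $status = 'IgnoreNotOnDisk'      # detected while running, nothing on disk
        }
        elseif (-not [System.IO.Directory]::Exists([System.IO.Path]::GetDirectoryName($c))) {
            $status = 'LocationMissing'      # e.g. an unplugged USB drive or a removed folder
        }
        elseif ([System.IO.File]::Exists($c)) {
            $status = 'DeleteManually'       # still present: the Shift + Delete case
        }
        else {
            $status = 'AlreadyGone'          # folder exists, file does not
        }
        [pscustomobject]@{ Component = $c; Status = $status }
    }
}

# Constructed sample input: a scratch folder stands in for real detections.
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'quarantine-triage-demo'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
Set-Content -LiteralPath (Join-Path $tmp 'leftover.dll') -Value 'demo'

$sample = @(
    (Join-Path $tmp 'leftover.dll'),          # expected: DeleteManually
    (Join-Path $tmp 'removed.exe'),           # expected: AlreadyGone
    (Join-Path $tmp 'missing-dir\tool.exe'),  # expected: LocationMissing
    'C:\Example\app.exe\FILE:0000'            # expected: IgnoreNotOnDisk
)

Get-ComponentTriage -Component $sample | Format-Table -AutoSize

# Remove the scratch folder created for the demonstration.
Remove-Item -LiteralPath $tmp -Recurse -Force
```

Anything reported as `DeleteManually` is what remains to be removed by hand before clearing the entry.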

  • Can you please provide details on how to access the quarantine manager? I have several workstations in the Sophos Central that tell me to review the quarantine, but I can't seem to find it.

  • Hi Jiri/Maurice,

    The infected files are moved to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED by default unless the directory is changed. Let me know if this helps resolve your issue.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support

  • This directory is empty, but Sophos Antivirus reported "Malware or potentially unwanted applications in quarantine".

    I cannot manage to get rid of this report.

  • Can you please provide details on how to access the quarantine manager? I have several workstations in the Sophos Central that tell me to review the quarantine, but I can't seem to find it.

    Can you recommend any solution?

    I have to CLEARLY state: "The quarantine directory is EMPTY and "the problematic" file DOESN'T exist."

  • The long and short of this is that there isn't a quarantine manager anymore. You have to navigate to the location indicated above which is always empty, and you have to stop a bunch of services to get into that folder directory.

     

    We switched to another provider as our licenses expire in January. It was worth it for me to move on now. I got sick and tired of these messages and several workstations showing out of compliance...constantly and no way to clear them.

  • Haridoss Sreenivasan said:

    Hi Jiri/Maurice,

    The infected files are moved to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED by default unless the directory is changed. Let me know if this helps resolve your issue.

    WRONG.

    Please advise again...how do we purge these messages about "malware or potentially unwanted applications"?

    There is NOTHING on the Windows PC that helps either. INFECTED folder is empty....repeat...empty. Meaning ...there is NOTHING IN THERE TO REMOVE!!

    But the message persists in the Dashboard and I am getting extremely angry with this software.

    Please explain......step by step if you have to. I am waiting.

  • I have to agree with Howiedog.

    THE FOLDER ON PC IS EMPTY!!!! How can we remove this false message from Dashboard????????????

    I am angry too!!!!!!!!!

  • Problem: Windows PC continues to report "malware or potential unwanted apps...." and this error NEVER goes away.

    I un-installed Sophos agent yesterday on my windows PC and from Sophos Central.

    24 hours later, re-installed today. The error, I am happy to report, is gone. Ok..so far...one problem fixed...the hard way. This is NOT a solution. We cannot be expected to have to reinstall these agents to clean up these errors, that's ridiculous.

    Another thing, every time.....I mean, every time I install an agent, I get an email saying one or more services are not running.

    9:11 the error is reported and emailed

    I take zero action against this email alert and @

    9:42 all services are running

    OMG......How can I delay this email being sent because it is a FALSE email and provides nothing but aggravation and is becoming very tiring.

    What I am not happy about. Sophos needs to supply a "Complete and Thorough" Un-install tool.

    When I reinstalled Sophos this am, it remembered the PC and even that Tamper Protect was off.

    When I uninstall this Sophos Agent, I had hoped and half expected it to uninstall in its entirety.

    I guess the only way to uninstall is to manually go through every frigging setting/folder, go through the registry...and remove any and all traces.

    This is not an A/V program, it's an exercise in frustration.

  • This folder has nothing. It's empty. Can you please answer the question that all people do?

    WHERE IS QUARANTINE MANAGER?

  • First you have to disable tamper protection of that endpoint. Then simply click on the red color or amber color Sophos health status, then it will direct you to Malware or potentially unwanted applications in quarantine with resolve button enabled. Then click on the resolve button. Just IT :)

  • Hi Jeewan. I don't want to be rude, but I think you had better read the whole discussion about this problem.

    The problem isn't in "How to remove database locally with tamper protection disabled" on a "problematic" computer.

    The problem lies in the fact that it "cannot be solved" from cloud console and that it needs local access of administrator.

    You simply restate a known solution and (sorry for that) I cannot see any value in this.