
Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?

  • Hi 

    Manual cleanup is commonly required for one of two reasons:

    • The file/item was detected in a location that is no longer accessible (like a USB pen drive that has been unplugged).
    • Or there is a file/item that Sophos Anti-Virus cannot delete, and you must delete it yourself.

    The item detected may actually be a program that can be uninstalled so check this first.

    1. Note the name of the item as shown in the Quarantine Manager.  
    2. Open Add/Remove Programs from Control Panel.
    3. Scroll down the alphabetical list of installed programs and see if the name is mentioned.  
    4. Uninstall the program using its removal program.  There may be more than one item listed.
    5. Once the uninstaller has completed, move back to the Quarantine Manager where the item will still be shown.
    6. Click the 'more' option in the 'Details' column to display a list of detected components.
    7. Right-click the first item listed (there may be one or more items) and select 'Open location'. Windows Explorer will take you to the folder containing the item.  

    Delete the item from the folder by clicking on it once with the left mouse button and then pressing Shift + Delete on the keyboard; this bypasses the Recycle Bin. Click 'Yes' to confirm the deletion.

    Note:
     You can delete multiple items in the same folder at the same time by dragging the mouse cursor over them and pressing Shift + Delete.  You don't have to delete items like this; it's just recommended, but if you delete items in the normal way, ensure you empty the Recycle Bin afterwards.

    If the item no longer exists you will see an error message saying 'Error displaying this folder's content'. This means the location no longer exists, and you can try to open the location of the second item and check whether that exists.

    Note:
     If the component detected ends with FILE:0000 or similar, then the component was detected as it was attempting to run and will not exist on disk. You can therefore ignore all detected components that end like this.

    Repeat step 7 for any additional items.

    Once you have manually deleted the files from your computer, clear the item from the Quarantine Manager.

    We recommend that you now run a full scan to confirm your computer is free of malware.

    Haridoss S

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.
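    The program lookup (steps 2-3) and the per-component location check (step 7, including the FILE:0000 rule from the note) can be scripted so that the triage is repeatable on each affected endpoint. The following PowerShell is an added example, not Sophos tooling or code from this thread. It reads the same Uninstall registry keys that Add/Remove Programs displays, classifies each detected component, and prints the delete command rather than running it; the item name and the component paths are constructed sample values, and it is run locally in an elevated session on the endpoint in question.

```powershell
# Added example (not Sophos code): scripts the manual quarantine-triage steps.
# $ItemName and $QuarantinedComponents are constructed values standing in for
# what the Quarantine Manager shows in its 'Details' column.

$ItemName = 'Example Toolbar'   # constructed: name as shown in the Quarantine Manager

$QuarantinedComponents = @(
    'C:\Users\alice\AppData\Local\Temp\setup_helper.exe',   # constructed
    'E:\autorun.inf',                                       # constructed: USB drive, now unplugged
    'C:\Windows\Temp\dropper.tmp/FILE:0000'                 # constructed: detected while running
)

# Steps 2-3: look the name up in the uninstall list that Add/Remove Programs reads
# (64-bit, 32-bit and per-user entries).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*$ItemName*" } |
    Select-Object DisplayName, UninstallString

if ($Installed) {
    Write-Output "Uninstall these first (step 4), then return to the Quarantine Manager:"
    $Installed | Format-Table -AutoSize
}

# Step 7: classify each detected component instead of opening every folder by hand.
foreach ($Component in $QuarantinedComponents) {
    if ($Component -match 'FILE:\d+$') {
        # Detected as it attempted to run; nothing exists on disk to delete.
        Write-Output "IGNORE   $Component (in-memory detection, not on disk)"
        continue
    }
    if (Test-Path -LiteralPath $Component) {
        # Remove-Item does not use the Recycle Bin, matching the Shift + Delete advice.
        Write-Output "PRESENT  $Component"
        Write-Output "         delete with: Remove-Item -LiteralPath '$Component' -Force"
    }
    elseif (Test-Path -LiteralPath (Split-Path -Path $Component -Parent)) {
        Write-Output "GONE     $Component (folder exists, file already removed)"
    }
    else {
        Write-Output "NOPATH   $Component (location no longer accessible, e.g. removable drive)"
    }
}
```

    After the PRESENT entries have been removed, the item is cleared from the Quarantine Manager and a full scan run, as the post describes; the script itself changes nothing on the machine.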

  • Can you please provide details on how to access the Quarantine Manager? I have several workstations in Sophos Central that tell me to review the quarantine, but I can't seem to find it.

  • Hi Jiri/Maurice,

    The infected files are moved to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED by default unless the directory is changed. Let me know if this helps resolve your issue.

    Haridoss Sreenivasan

  • This directory is empty, but Sophos Anti-Virus reports "Malware or potentially unwanted applications in quarantine".

    I cannot manage to get rid of this report.

  • First you have to disable tamper protection on that endpoint. Then simply click on the red or amber Sophos health status; it will direct you to "Malware or potentially unwanted applications in quarantine" with the Resolve button enabled. Then click on the Resolve button. Just IT :)

  • Hi Jeewan. I don't want to be rude, but I think you had better read the whole discussion about this problem.

    The problem isn't "how to remove the database locally with tamper protection disabled" on a "problematic" computer.

    The problem lies in the fact that it "cannot be solved" from the cloud console and that it needs local administrator access.

    You simply restate the known solution and (sorry for that) I cannot see any value in this.

  • If Sophos is not able to automatically clean up the files, I have seen that this has helped twice or so:

    Consider running Microsoft Autoruns to see if there are any unusual programs that are running automatically and triggering the detection.

    Sometimes it's a scheduled task that is running a script that seems unusual but may be causing behavior that is malicious and is triggering a detection.

    For more information on MS Autoruns I recommend you read the official article here: https://technet.microsoft.com/en-gb/sysinternals/bb963902.aspx.

    Once you have located the process that is running some script that seems unusual, you can send the script sample or so that is being run to Sophos Labs for further review, and remove this from your machine. Once done, do another system scan to see if something is still being detected.

    There is no remote quarantine cleanup, and I understand that it is frustrating that this may need to be done on individual machines, but you can start with this to investigate what it is exactly that is causing the detection, and possibly where it is in an individual machine.

    Thanks,
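    The scheduled-task part of the Autoruns check above can also be done from an elevated PowerShell prompt with the built-in ScheduledTasks module, which is useful when Autoruns cannot be copied to the endpoint. The script below is an added example and is not code from Sophos, Microsoft or this thread: it lists every task whose action launches a script host or interpreter, shows who it runs as and when it last ran, and flags tasks under the \Microsoft\ folder so the remaining ones can be reviewed first. The set of interpreter names is an assumption for this example; the script only reads task definitions and removes nothing, leaving the decision (and any sample submission to Sophos Labs) to the reviewer.

```powershell
# Added example (not Sophos or Microsoft code): list scheduled tasks that run a
# script host, the kind of autostart entry the post suggests checking with Autoruns.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 or later) and admin rights.

# Assumed set of interpreters worth a closer look; extend as needed.
$ScriptHostPattern = '^(powershell|pwsh|wscript|cscript|cmd|mshta|rundll32|regsvr32)(\.exe)?$'

$Findings = foreach ($Task in Get-ScheduledTask) {
    foreach ($Action in $Task.Actions) {
        # COM-handler actions have no Execute property; only exec actions launch a program.
        if (-not $Action.Execute) { continue }

        # Strip surrounding quotes and any directory so '%windir%\system32\cmd.exe' becomes 'cmd.exe'.
        $Exe = [System.IO.Path]::GetFileName($Action.Execute.Trim('"'))
        if ($Exe -notmatch $ScriptHostPattern) { continue }

        $Info = $Task | Get-ScheduledTaskInfo
        [PSCustomObject]@{
            Task      = $Task.TaskPath + $Task.TaskName
            State     = $Task.State
            RunsAs    = $Task.Principal.UserId
            Execute   = $Action.Execute
            Arguments = $Action.Arguments       # the script or command line actually run
            LastRun   = $Info.LastRunTime
            # Tasks under \Microsoft\ are normally vendor-created; review the others first.
            Vendor    = ($Task.TaskPath -like '\Microsoft\*')
        }
    }
}

# Non-vendor tasks sort first (Vendor = False), then alphabetically by task path.
$Findings | Sort-Object Vendor, Task | Format-Table -AutoSize -Wrap
```

    The Arguments column is where an unusual script path or an encoded command line shows up; that file is the sample to submit for review before the task and the script are removed and the machine rescanned, as the post recommends.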