Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?



  • Removing the event database as suggested here worked for me.

    Turn off tamper protection, get an administrator prompt and execute:

    net stop "Sophos Health Service"
    ren "%ProgramData%\Sophos\Health\Event Store\Database\events.db" events.db.old
    net start "Sophos Health Service"

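The same three-command workaround from the reply above, as an added example (not code from the thread or from Sophos) that applies it to a list of endpoints over PowerShell Remoting instead of one console session at a time. It assumes things the thread does not state: WinRM is enabled and reachable on the targets, the account running it has local administrator rights there, and tamper protection has already been turned off for those devices in Sophos Central (the first reply makes that a precondition; with it still on, the service stop fails and the script reports the failure). The service name and database path are the ones quoted in the reply; the host names are constructed placeholders. As the Sophos replies later in the thread say, this is a last-resort workaround, to be tried only after acknowledging the alerts in Central and running the normal scan/reboot steps.

```powershell
# Added example, not from the original thread. Renames the Sophos Health
# event store on many endpoints at once, mirroring the manual workaround:
#   net stop "Sophos Health Service" / ren events.db events.db.old / net start
# ASSUMPTIONS (not on the page): WinRM reachable, local admin rights on the
# targets, tamper protection already disabled for these devices in Central.
param(
    # Constructed sample list; replace with your own, e.g. Get-Content .\hosts.txt
    [string[]]$ComputerName = @('PC-0001', 'PC-0002'),
    # Report what would happen without stopping anything or renaming anything
    [switch]$DryRun
)

$fixBlock = {
    param([bool]$DryRun)

    # Service name and path exactly as quoted in the thread
    $svc    = 'Sophos Health Service'
    $dbPath = Join-Path $env:ProgramData 'Sophos\Health\Event Store\Database\events.db'

    if (-not (Test-Path -LiteralPath $dbPath)) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME
                                  Result   = 'events.db not found; nothing to do' }
    }

    # Time-stamped backup name so a second run does not overwrite the first copy
    $backup = 'events.db.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.old'

    if ($DryRun) {
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME
                                  Result   = "would stop '$svc', rename to $backup, restart" }
    }

    try {
        # Fails with access denied if tamper protection is still enabled
        Stop-Service -Name $svc -ErrorAction Stop
        Rename-Item -LiteralPath $dbPath -NewName $backup -ErrorAction Stop
        $result = "renamed to $backup"
    } catch {
        $result = "FAILED: $($_.Exception.Message)"
    } finally {
        # Always bring the service back, even when the rename failed
        Start-Service -Name $svc -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Result = $result }
}

# Fan out to all targets; hosts that cannot be reached are collected, not fatal
$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $fixBlock `
    -ArgumentList $DryRun.IsPresent -ErrorAction SilentlyContinue -ErrorVariable connErrors

$results | Select-Object Computer, Result | Format-Table -AutoSize

foreach ($e in $connErrors) {
    Write-Warning ("Could not run on a target: {0}" -f $e.ToString())
}
```

Run it first with `-DryRun` to see which hosts actually have an events.db, then without. Once the endpoints report green again, acknowledge the remaining alerts in Central and turn tamper protection back on for those devices, since the script only works while it is off.
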
  • Sorry, but this does not help; imagine that I have 2000 PCs and I have to do this on each one. Why did Sophos decide to take out the quarantine?

    regards

    Mariano

  • Hello Sophos!!!

    Are you sleeping?

    What you recommended worked, I agree. But this ISN'T a solution for thousands of PCs at all.

    I think quarantine "cleaning" has to work FROM your console, because your services HAVE all the permissions to do IT. Why bother with elevated prompts, PowerShell, remote access, etc.?

  • Hello Mariano and Jiri,

    Sorry for the late response.

    I'd like to confirm a few things so that we can better assist you:

    Are you able to manually remove the infected files from your computer (there should be a path listed in the Central Alert)?

    If the file no longer exists/has been deleted, could you please try addressing the alerts in Central by acknowledging them, and let me know if they re-appear? (You may need to trigger an update on the endpoint.) Renaming the events.db as listed above is a workaround for a situation in which the normal troubleshooting steps do not help clear up the alerts.

    Regarding how Sophos cleans up files, this article provides some additional info:

    "By default, when Sophos Anti-Virus encounters malware it will prevent execution and then attempt to automatically clean the threat.  There are occasions however where automatic cleanup is unable to take place, for example, the detection identity does not have a cleanup routine, permissions to the file do not permit cleanup, the threat is an archive or some form of container format, etc."

    I am trying to gather further information regarding this process and I will get back to you as soon as I receive it.

    Barb@Sophos
    Community Support Engineer | Sophos Technical Support

  • Hello Mariano and Jiri,

    I would like to investigate this from the possibility that there might be a bug in the software causing the alert not to be cleared.

    As explained already, Sophos will automatically attempt to remove the threat; however, in some cases this is not possible and manual action is needed.

    Can we eliminate all the normal steps first, please? On one of the machines that is showing this message in the console, can you do the following (in this order):

    1. Log in to the machine and double click on the Sophos icon in the task bar, check the status of the machine (green, amber, red); if you can provide a screenshot of the "Events" tab that would help.

    2. In the console navigate to the same device and select the "Status" tab, scroll to the bottom of the page and check if there are any alerts. If there are, acknowledge them.

    3. Reboot the endpoint

    4. On the endpoint open Sophos again and click the "Scan" button.

    When the scan is complete, if the status of the machine is green then check the console to see if the message has gone. If the endpoint is still amber or red, can you take another screenshot of the "Events" tab and let me see it too.

    Once you have done all this, if it is still not fixed it sounds like something isn't working as designed, so I would want to collect logs and investigate properly, but let's start with the above first.

  • Hi PeterM,

    Unfortunately I have no "good for testing" computer now. But I think I have to repeat some info.

    The root of the problem is a false report: in the cloud console the computer reported some items in quarantine AND on the computer the "Quarantine directory" is COMPLETELY empty. We tried scanning many times, manually, from the console, etc. We didn't find any other method for clearing the message/alert than removing the database or uninstalling/reinstalling.

    On the problematic computers we didn't find ANY problem, and removing the database ALWAYS helped us solve this false alert.

    And yes, in the events on this computer some "malware found" and also "malware cleaned" entries were reported.

  • Sorry, what do you mean by "Quarantine directory"? Sophos doesn't use any folder of that name, and our quarantine is a database, not a directory.

  • Hi PeterM,

    I used the information from your support (from Haridoss Sreenivasan) at the start of this discussion.

    _______

    Hi Jiri/Maurice,

    The infected files are moved to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED by default unless the directory is changed. Let me know if this helps resolve your issue.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support

    ------------------

  • Ah ok, I can see the confusion here.

    Sorry, that information is incorrect. The "Infected" folder is not a quarantine and is not used at all by Sophos Central managed machines. It was originally part of the on-prem product (Enterprise Console); currently the part of the technology that uses that folder is not used in Central, so that folder will always be empty.

    The message "Malware or potentially unwanted applications in quarantine" just means that something has been detected and was blocked. If the message stays in the console it could indicate that the alert hasn't been acknowledged in the console, or that for some reason the machine still thinks there is a threat on it. The first thing is to establish whether there is an alert in the console; these are shown on the "Status" tab for the device at the bottom of the page. If there isn't, then log in to the device in question and start Sophos to see if the machine is in a green, amber or red state.

    If it is green then something has gone wrong and the console doesn't know the issue is resolved. If it is in an amber or red state then in theory there is probably a manual action that needs to happen on the device; it could be as simple as a reboot.

  • Hi Peter

    Thank you for the explanation, but as I remember, no manual action that I tried helped me. I tried rebooting and scanning (manually and from the console) and I didn't find any way to clear this message, only clearing the database.

    I haven't seen this problem in the last few weeks; maybe it is solved now. If I see this problem again I will react immediately, following your recommendation, and put our results here.

  • Thanks. As I mentioned, this could be a product issue; I want to understand it, so I will try some testing at our end. If you see this again, especially if the message is showing in the console and the endpoint is showing a green status, then please log a support case so we can investigate the logs.

  • EHLO,

    In our case the PUA file was inside the archive and that was listed under EVENTS of that device on Sophos Central.

    And that switched computer status from "Healthy" to "Questionable".

    Why Sophos doesn't remove PUA from archives?

    The problem here is that we need some kind of centralized tool in the Sophos Central, so we don't have to remotely access every problematic machine or, even worse, to be there locally every time a problem arises.