We'd love to hear about it! Click here to go to the product suggestion community
A number of our devices have the status "Malware or potentially unwanted applications in quarantine". Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?
In reply to Jiri Hadamek:
Thanks, as I mentioned this could be a product issue, I want to understand it so will try some testing at our end. If you see this again, especially if the message is showing in the console and the endpoint is showing as a green status then please log a support case so we can investigate the logs.
In reply to PeterM:
In our case the PUA file was inside the archive and that was listed under EVENTS of that device on Sophos Central.
And that switched computer status from "Healthy" to "Questionable".
Why Sophos doesn't remove PUA from archives?
The problem here is that we need some kind of centralized tool in the Sophos Central, so we don't have to remotely access every problematic machine or, even worse, to be there locally every time a problem arises.
I know this is an older thread, but FYI, I wanted to let everyone know I wrote a PowerShell function to allow your help desk to perform the health service reset without annoying the user. You'll need to login to Sophos Central to get the Tamper Protection Password. Then, import the Powershell Module and run:
"Reset-SophosHealthService -ComputerName <target> -TamperProtectionPassword <password>"
It will then jump through the hoops - turn off tp, stop the service, rename the db, start the service, and turn on tp. Of course you need local admin on the target computer.
You can find the module on my public git repo: Sophos.psm1
Hopefully that helps someone. My goal was to make it easier for the help desk to handle these issues so that I didn't have to.