A number of our devices have the status "Malware or potentially unwanted applications in quarantine". Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?
I know this is an older thread, but FYI, I wanted to let everyone know I wrote a PowerShell function to allow your help desk to perform the health service reset without annoying the user. You'll need to log in to Sophos Central to get the Tamper Protection Password. Then, import the PowerShell module and run:
"Reset-SophosHealthService -ComputerName <target> -TamperProtectionPassword <password>"
It will then jump through the hoops - turn off tp, stop the service, rename the db, start the service, and turn on tp. Of course you need local admin on the target computer.
You can find the module on my public git repo: Sophos.psm1
Hopefully that helps someone. My goal was to make it easier for the help desk to handle these issues so that I didn't have to.
Just for ease of use:
This seems to be the current URL to the PowerShell-Script:
https://github.com/ir0nh3at/Scripts/blob/master/Sophos%20Stuff/Sophos.psm1
From a fast check this script looks good, but who am I to trust. Always check the scripts you are trying to run before doing so!
Can someone please help me with this script, it keeps erroring out.
Thanks
Removing the event database as suggested in here worked for me.
Turn off tamper protection, get an administrator prompt and execute:
net stop "Sophos Health Service"
ren "%ProgramData%\Sophos\Health\Event Store\Database\events.db" events.db.old
net start "Sophos Health Service"