
Where is Quarantine in Sophos Central

I have Malware or PUA in quarantine after a full system scan...

The instructions sent to me from Sophos Support https://community.sophos.com/kb/en-us/119631 are incorrect.

All good till step 5, then... I'm told to "click the link in 'Items passed to Quarantine' to open Quarantine manager."

This did not occur...

When I log into the Sophos Central Dashboard and go to the affected device it states that: "Malware or potentially unwanted applications in quarantine"

Can someone tell me: Where is Quarantine in Sophos Central?



This thread was automatically locked due to age.
  • Hello Keiron,

    This has been renamed; the infected files will be moved to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED by default unless the directory is changed. But if the file is cleaned, that would mean that the file is blocked or removed from the system and thus not there.

    Kind regards

    Tom

  • So if I understand, there is no longer a quarantine manager, yes or no?

    I still have computers with this message, but nothing in C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED.

    Why does Sophos tell us that there are things in quarantine, if there is no quarantine at all?

    What to do in this case? Reinstall Sophos on all machines?

  • Hello Paulo Afonso,

    I'm neither a Central nor a Home user; for both, their local UI has undergone significant changes (my vicious side says it has got a tap/swipe/wipe look), hiding details from the local user/admin in favour of a more comprehensive view. The Quarantine Manager is a victim of this change.

    I disagree with Tom Hope regarding the role of the \INFECTED folder and the meaning of Quarantine. \INFECTED has been there from the beginning, before central (not Central) management. Likewise Quarantine predates management; its concept differs from Quarantine in other vendors' AV products though.
    Cleanup/Delete is always performed "in place", i.e. access to a file is blocked when a threat is detected but it is generally not moved. You can tell the AV engine to either just block a threat or to attempt Remediation (as it is called with Central; formerly it was Automatic cleanup). With the on-premise SESC it's still possible to specify an alternate action (note: it seems this is no longer available with Central) in case Cleanup fails or isn't enabled: you can choose just block, delete, or move. The latter is where \INFECTED comes into play.
    Enter Quarantine and Quarantine Manager. In Sophos' terms Quarantine is a list of threats that haven't properly been dealt with. Not properly is: only block was specified and performed as "final" action, cleanup/delete failed, move failed, for certain threat types (or sometimes threats) no action will be performed by the scanner - all these end up in Quarantine, but note: the files are not moved from their original location. The Quarantine Manager is a local interface to this list, but apparently it has been removed. Some actions it permitted can also be performed by a central management console.

    With all these changes a certain class of threats is "stranded" - threats that require local "manual" action. Reinstalling Sophos is not the answer though - all this would achieve is that the information about the threat disappears. The location of the threat has to be taken from the alert or from the computer's AV log (%ProgramData%\Sophos\Sophos Anti-Virus\logs\SAV.txt); further action depends on the threat.
    Instead of more (possibly boring) details, a practical example: A user downloads some software considered as PUA. You get an alert telling you that manual action is required. The downloaded item hasn't even been executed, nothing is installed or has been run, the computer isn't compromised. You can now ignore the alert - unless the user tries to open/run the file, opens the containing folder, or some process (e.g. backup) tries to access the file, you won't even get another alert. Or you can check the logs for the location and delete the file.

    There is obviously some work to do for Sophos, it's not as easy though as this might seem.

    Christian   
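As an added illustration of the triage step Christian describes above (this is not code from the thread or from Sophos): a PowerShell snippet that pulls file paths out of SAV.txt lines, checks whether each item is still at its original location or was moved into the \INFECTED folder, and flags anything still present as needing manual action. The thread does not show the line layout of SAV.txt, so the keyword filter, the quoted-path regex and the embedded sample lines are constructed assumptions; adjust the pattern to match the real log.

```powershell
# Added example, not Sophos code. The two paths are the defaults quoted in the
# thread; the SAV.txt line layout is an assumption, so the parser only looks for
# a quoted Windows path on lines that mention a detection or a failed cleanup.
$SavLog      = Join-Path $env:ProgramData 'Sophos\Sophos Anti-Virus\logs\SAV.txt'
$InfectedDir = Join-Path $env:ProgramData 'Sophos\Sophos Anti-Virus\INFECTED'

function Get-StrandedDetections {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [string]$InfectedFolder = $InfectedDir
    )
    $seen = @{}
    foreach ($line in $LogLines) {
        # Assumed wording: skip lines that are neither a detection nor a remediation failure
        if ($line -notmatch 'detected|found|failed|manual') { continue }
        foreach ($m in [regex]::Matches($line, '"(?<p>[A-Za-z]:\\[^"]+)"')) {
            $path = $m.Groups['p'].Value
            if ($seen.ContainsKey($path)) { continue }   # report each item once
            $seen[$path] = $true
            $moved  = Join-Path $InfectedFolder (Split-Path $path -Leaf)
            $status = if (Test-Path -LiteralPath $path)      { 'still in place - manual action needed' }
                      elseif (Test-Path -LiteralPath $moved) { 'moved to INFECTED' }
                      else                                   { 'gone (cleaned, deleted or renamed)' }
            [pscustomobject]@{ Path = $path; Status = $status; Evidence = $line.Trim() }
        }
    }
}

# Constructed sample lines for a dry run (not real SAV.txt output). On a device use:
#   Get-StrandedDetections -LogLines (Get-Content -LiteralPath $SavLog)
$sample = @(
    '20191216 100102 Threat "Generic PUA AB (PUA)" detected in "C:\Users\paulo\Downloads\toolbar_setup.exe"',
    '20191216 100103 Cleanup of "C:\Users\paulo\Downloads\toolbar_setup.exe" failed, manual action required',
    '20191216 100500 Scan completed'
)
Get-StrandedDetections -LogLines $sample | Format-Table -AutoSize
```

Items reported as "still in place" are exactly the stranded class Christian describes: blocked but never moved, so they only show up again when something touches the file.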

  • Thank you for your input here, Christian; however, there are further options to consider here to help resolve the issue. (Have a read of the EAP program for Central below, it's very interesting stuff.)

    Paul,

    Have you any details on the detection at all?

    I would now suggest you run Sophos Clean on the machine: https://www.sophos.com/en-us/products/sophos-clean.aspx.

    If this is a recurring issue I would then suggest joining the EAP program: https://community.sophos.com/products/intercept/early-access-preview/. Have a read and see what you think :)

    Happy Holidays, and please keep me updated on what you find.

    Kind Regards

    Tom Hope

  • Hello Tom Hope et al.,

    "further options"
    I'm aware of this newfangled (permit me, an antediluvian, this snide expression) stuff; it looks like ML will improve detection and response, but I don't see how it will improve handling of items that can not (for whatever reason) automatically be removed. And while Sophos Clean is "more aggressive", it would have to be restricted to the specific item in question.
    Central and Home (already) restrict local intervention, probably to save users and admins from making honest mistakes. Likewise central admins aren't infallible. Shh/Updater-B wouldn't have been much of a problem at all. The question is what extent of "customer intervention" is necessary and reasonable (Live Protection has already taken away some tasks under certain circumstances), but it's work in progress (SafeStore, which made its first appearance in the SVRT and never really took off, is regaining its momentum) and at the moment causing some confusion.

    Christian 

  • Are there changes in Central Quarantine after more than a year?

    Regards

  • Hello KingRolo,

    If you see none there are none - at least that's what I assume.
    The likely rationale is: Central is very, err, centralist. Enhanced Tamper Protection is on by default, and a local admin's options (using the GUI) are very limited. Consequently there's no QM. What's your use case, BTW?

    Christian