Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?

  • Hi 

    Manual cleanup is commonly required for one of two reasons:

    • The file/item was detected in a location that is no longer accessible (like a USB pen drive that has been unplugged).
    • Or there is a file/item Sophos Anti-Virus cannot delete and you must delete it.

    The item detected may actually be a program that can be uninstalled so check this first.

    1. Note the name of the item as shown in the Quarantine Manager.  
    2. Open Add/Remove Programs from Control Panel.
    3. Scroll down the alphabetical list of installed programs and see if the name is mentioned.  
    4. Uninstall the program using its removal program.  There may be more than one item listed.
    5. Once the uninstaller has completed, move back to the Quarantine Manager where the item will still be shown.
    6. Click the 'more' option in the 'Details' column to display a list of detected components.
    7. Right-click the first item listed (there may be one or more items) and select 'Open location'. Windows Explorer will take you to the folder containing the item.  

    Delete the item from the folder by clicking on it once with the left mouse button and then pressing Shift + Delete on the keyboard - this bypasses the Recycle Bin. Click 'Yes' to confirm the deletion.

    Note:
     You can delete multiple items in the same folder at the same time by dragging the mouse cursor over them and pressing Shift + Delete.  You don't have to delete items like this - it's just recommended, but if you delete items in the normal way, ensure you empty the Recycle Bin afterwards.

    If the item no longer exists you will see an error message saying "Error displaying this folder's content" - this means the location no longer exists and you can try to open the location of the second item and check if that exists.
     
    Note:
     If the component detected ends with FILE:0000 or similar then the component was detected as it was attempting to run and will not exist on disk - you can therefore ignore all detected components that end like this.

     Repeat step 7 for any additional items.

    Once you have manually deleted the files from your computer, clear the item from the Quarantine Manager.

    We recommend that you now run a full scan to confirm your computer is free of malware.

    Haridoss S