How can I recover false positive Threats?

Hi,

Sophos Home is great. But how do I recover false positive threats?

The Endpoint protection deleted some files which are not viruses. How can I recover them?

A Quarantine feature is needed!!!

Kind Regards,

  • Hello Julian,

    Unfortunately, there is no way to recover deleted files which were detected as malicious.

    I'll forward your quarantine request to the dev team.

    Regards,

  • In reply to AimanAnsari:

    Any Update on this?
    I have the Endpoint Protection installed but disabled, because it still might remove items which I can't recover...

  • In reply to AimanAnsari:

    +1,000,000

    A proper quarantine and recovery procedure is absolutely needed for Sophos products including Sophos Home. I likewise am having to disable Sophos Home because of a false positive issue :(

    There also needs to be a simple and effective procedure for submission of samples. For any threat report, the file should be quarantined, and there should be a right-click option to automatically submit the exact sample (i.e. the exact file as it existed at the point of detection) along with a tick-box reason for why the file is being submitted (especially for suspected false positives).

    In the meantime, could you please provide a knowledge base article for how to obtain and submit samples of detected files for Sophos Home? Current knowledge base articles seem to be for other products, suggesting mechanisms for getting the scanner to automatically rename and move the file. This does not seem to be an option for Sophos Home. Even if it is possible, expecting end users to temporarily add on-access exceptions, recreate/locate the offending file (practically impossible if the false positive was on a temporary file during software installation...), manually submit samples, then restore on-access defaults is simply not acceptable for a home user product.

    I totally understand that Sophos Home is a free product, and sample submissions won't be treated with the same priority as for paying customers, but there still needs to be a submission procedure for false positives, otherwise more people will stop using Sophos Home. That would be a shame, because apart from the problem of how to deal with a false positive it is a great product!

  • In reply to AimanAnsari:

    I agree that a "quarantine" feature is needed in Sophos Home. I've been testing it out for the past month and this is one of the first things I noticed when I did the initial scan. I let it clean the identified files and was surprised they were deleted as opposed to being quarantined.

    The laptop has had both Webroot and Malwarebytes Pro running in real time for the past 5 years, so I know the system is clean. The Sophos-identified files are an old version of a system info utility, an Acer-related piece of software that came with the laptop, and a file in a Java cache. Since I did not particularly care for the identified files, I let Sophos Home clean them as I wanted to find out what it would do.

    Seeing that there is no quarantine feature in the Home version, I'm afraid of what would happen in a false positive situation with files I really care about. I've already set up exceptions for a lot of tech utilities I use that are being identified as PUA.

    So please reconsider a "quarantine" feature that I believe is on the business versions and even on prior iterations of Home, I think...

    Thanks in advance,

    Patrick

  • Sophos, are you still reading this thread? We are still awaiting an update from you on this.

    Is adding a proper quarantine procedure on the road map for Sophos home?

    Meanwhile, is there any *easy* way for home users to report false positives to Sophos Labs and get them fixed? I still can't find a knowledge base article that works for Sophos Home.

  • In reply to Robert Poston:

    Hi Robert,

    Apologies for the delay, I shall forward this request to our development team.

  • In reply to Pat B.:

    OK, today's news is the REASON for considering a "quarantine" feature: an antivirus product (not Sophos) produced a false positive on Windows system files, rendering the computer unstable/unusable. Luckily, restoring the system files from quarantine was part of the solution. With non-system files that were auto-deleted, users/IT admins had to re-install software or retrieve from backups.

    https://www.theregister.co.uk/2017/04/25/webroot_windows_wipeout/

    I just found out about this and now I have to check my Webroot dashboard to see if the 6 computers of family members in another state have been affected.

    It also comes into play if/when the Sophos Home version includes features from HitmanPro where malware is identified via heuristics rather than signatures, just in case the heuristics misidentify something.

    Patrick