How can I recover false positive Threads?


Sophos Home is great. But how do I recover false positive threads?

The Endpoit protection deleted some files which are not viruses. How can I recover them?

A Quarantine feature is needed!!!

Kind Regards,

  • Hello Julian,

    Unfortunately, there is no way to recover deleted files which were detected as malicious.

    I'll forward your quarantine request to the dev team.


  • In reply to AimanAnsari:

    Any Update on this?
    I have the Endpoint Protection installed but disabled, because it still might remove items which I can't recover... 


  • In reply to AimanAnsari:


    A proper quarantine and recovery procedure is absolutely needed for Sophos products including Sophos home. I likewise am having to disable Sophos home because of a false positve issue :(

    There also need to be a simple and effective procedure for submission of samples. For any threat report, the file should be quarantined, and there should be right click option to automatically submit the exact sample (ie the exact file as it existed at the point of detection) along with a tick box reason for why the file is being submitted (especially for suspected false positives) 

    In the meantime, could you please provide a knowledge base article for how to obtain and submit samples of detected files for Sophos home? Current knowledge base articles seem to be for other products, suggesting mechanisms for getting the scanner to automatically rename and move the file. This does not seem to be an option for Sophos Home? Even if it is possible, expecting end users to temporarily add on-access exceptions, recreate/locate the offending file (practically impossible if the false positive was on a temporary file during software installation...), manually submit samples, then restore on-access defaults is simply not acceptable for a home user product.

    I totally understand that Sophos home is a free product, and sample submissions wont be treated with the same priority as for paying customers, but there still needs to be a submission procedure for false positives, otherwise more people will stop using Sophos home. That would be a shame, because apart from the problem of how do deal with a false positive it is a great product!

  • In reply to AimanAnsari:

    I agree that a "quarantine" feature is needed in Sophos Home.  I've been testing it out for the past month and this is one of the first things I noticed when I did the initial scan.  I let it clean the identified files and was surprised they were deleted as opposed to being quarantined.

    The laptop for the past 5 years have both Webroot and Malwarebytes Pro running realtime so I know the system is clean.  The Sophos identified files are an old version of system info utility, an Acer related software that came with the laptop, and a file in a java cache.  Since I did not particularly care for the identified files, I let Sophos Home clean it as I wanted to find out what it will do.

    Seeing that there is no quarantine feature in the Home version, I'm afraid what would happen in a false positive situation with files I really care about.  I've already setup exceptions for alot of tech utilities I use that's being identified as PUA. 

    So please consider reconsider a "quarantine" feature that I believe is on the business versions and even on prior iterations of Home, I think...

    Thanks in advance,


  • Sophos, are you still reading this thread? We are still awaiting an update from you on this.

    Is adding a proper quarantine procedure on the road map for Sophos home?

    Meanwhile, is there any *easy* way for home users to report false positives to Sophos Labs and get them fixed? I still cant find a knowledge base article that works for Sophos home.

  • In reply to Robert Poston:

    HI Robert ,

    Apologies for delay , I shall forward this request to our development team . 

  • In reply to Pat B.:

    Ok today's news is the REASON for considering a "quarantine" feature: An antivirus software (not Sophos) false positive on Windows' system files rendering the computer unstable/unusable.  Luckily, restoring the system files from quarantine was part of the solution.  With non-system files that were autodeleted, users/IT admins had to re-install software or retrieve from backups.

    I just found out about this and now I have to check my Webroot dashboard to see if 6 computers of family members in another state has been affected.

    It also comes into play if/when Sophos Home version includes features from the HitmanPro where malware are identified via heuristics rather than signature, just in case the heuristics misidentified something.


  • In reply to Pat B.:

    I have exactly the same issue, Sophos Home killed my system and hours of work are lost. Monday I will check with a lawyer to see if they can be hold responsible.

  • In reply to Pat B.:

    Hello all,

    oh these dolts in the AV companies ... not only are they still unable to avoid false positives after all these years, they also stubbornly refuse to implement a decent quarantine.

    Seriously - widespread (i.e. affecting a large fraction of installations) false positives with major implications are rare.
    Ideally both Sensitivity and Specificity are 100%. If you could achieve it for the former the malware writers would be out of business. For the latter you could maintain a white-list, unfeasible to have all of it on the endpoint. Cloud-lookups (Live Protection) are an alternative, you could verify signatures (but wouldn't it be great if your AV protected you in the unlikely but disastrous case of a compromised signing key?). Back in the times of the Shh/Updater false positive Sophos published the results of the internal investigation, how it all came about (unfortunately it's no longer available). It described that a chain of errors lead to the incidence.

    the REASON for considering a "quarantine" feature
    the what is easy, the how is much harder. Once the system goes belly up (and these are the really serious cases) the software that could do the restore is also gone.

    heuristics rather than signature
    a common misconception that signatures are some fixed entities, and signature-based scanning is less prone to FPs than so-called heuristics. Catchy terms with a blurred technical significance.

    Last but not least, in times of ransomware it should be obvious that you should always have a Plan B. What if the latest ransomware (which evaded your AV) inadvertently and quite unintentionally kills your system?