How to get rid of "Malware or potentially unwanted applications in quarantine" warning?

I got a warning in the dashboard about an access to a PUA. I chose the "ignore" option, the message is gone from the dashboard, but the device or user still has the orange warning described as "Malware or potentially unwanted applications in quarantine". Will the alert go away by itself, or do I have to live with it forever?

Maybe cleaning the quarantine on the local PC will solve the issue but I would like to know about proper ways to handle situations like this.

Thank you

  • Hi,

    The options with Potentially Unwanted Applications (PUAs) are:
    1. Authorize.
    2. Clean up.
    3. Choose to ignore the alert, but that won't really do anything other than hide it from the Console side as an outstanding item to deal with.

    The first thing to determine is if you want it in your organization. Maybe it's a system tool that some users need others don't etc. You may have to do a little bit of research to find out what it is exactly to make this decision. The PUA category of alerts covers software Sophos believes you may be interested in knowing are on your network to allow you to make a decision.

    If you want to allow this software, you can make an exclusion for it based on the given SophosLabs name. E.g. for something like PsExec.exe (technet.microsoft.com/.../psexec.aspx), the Sysinternals tool, this has the SophosLabs name of PsExec (www.sophos.com/.../PsExec.aspx), which is the value you should exclude it as when choosing an exclusion of type PUA. I.e. it's not the file name but the identifier given to the software by SophosLabs.

    You can exclude the item globally under:
    cloud.sophos.com/.../global-exclusions.
    This will allow all users on all devices to run it. If you need more control you can go into a specific policy and choose to allow it.

    If you want to clean it up: on the Dashboard, when the alert comes in, there is the option to authorize (adds it to the global policy mentioned above) or clean it up. The clean-up action, if available, will in effect send an instruction to the endpoint to initiate the same cleanup routine that you can see in the client Quarantine Manager.

    If you want to clean it up but don't have the alert in the Control Center, you could do it from the client if the option is available. For some items that don't offer cleanup, you might just have to use Programs and Features to uninstall them. It depends on the software how best to remove it.

    I hope this helps.

    Regards,
    Jak

  • I will give you more detail about this issue.

    On computer A, a PUA was found. In order to get the file and analyze it (my first option is to upload it to virustotal), I accessed the same file via computer B, using a C$ shared path. So I accessed the very same file from two different computers. I had some issues trying to pause the on-access scan and get the file (maybe I will write a separate message); in the end I was able to analyze the file and decided to clean it, so on the dashboard I chose "clean" for computer A and "ignore" for computer B, since it is the same file.

    Now I understand that the best option for this scenario is to choose "clean" for both computers, but now how can I remove the warning for computer B? From the quarantine manager on the client the only option is to authorize.

    Thank you
  • What I did to remove the warning:
    - authorized the PUA client side
    - updated the device status in cloud console > the device went green
    - deauthorized the PUA client side (device is still green)

    Thank you for your help