Remote quarantine cleanup?

A number of our devices have the status "Malware or potentially unwanted applications in quarantine".  Is there a way to remotely remove items from the quarantine (we are using Sophos Central)?



  • Thanks, as I mentioned this could be a product issue, I want to understand it so will try some testing at our end. If you see this again, especially if the message is showing in the console and the endpoint is showing as a green status then please log a support case so we can investigate the logs.

  • EHLO,

    In our case the PUA file was inside the archive and that was listed under EVENTS of that device on Sophos Central.

    And that switched computer status from "Healthy" to "Questionable".

    Why doesn't Sophos remove PUA from archives?

    The problem here is that we need some kind of centralized tool in the Sophos Central, so we don't have to remotely access every problematic machine or, even worse, to be there locally every time a problem arises.

  • I know this is an older thread, but FYI, I wanted to let everyone know I wrote a PowerShell function to allow your help desk to perform the health service reset without annoying the user. You'll need to log in to Sophos Central to get the Tamper Protection password. Then import the PowerShell module and run:

    "Reset-SophosHealthService -ComputerName <target> -TamperProtectionPassword <password>"

    It will then jump through the hoops: turn off TP, stop the service, rename the DB, start the service, and turn TP back on. Of course you need local admin on the target computer.

    You can find the module on my public git repo: Sophos.psm1

    Hopefully that helps someone.  My goal was to make it easier for the help desk to handle these issues so that I didn't have to.

  • Just for ease of use:

    This seems to be the current URL to the PowerShell script:

    https://github.com/ir0nh3at/Scripts/blob/master/Sophos%20Stuff/Sophos.psm1

    From a quick check this script looks good, but who am I to trust? Always check the scripts you are about to run before doing so!

  • Can someone please help me with this script? It keeps erroring out.

    Thanks

  • Removing the event database as suggested here worked for me.

    Turn off tamper protection, open an administrator prompt and execute:

    net stop "Sophos Health Service"
    ren "%ProgramData%\Sophos\Health\Event Store\Database\events.db" events.db.old
    net start "Sophos Health Service"
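
The two procedures above (the community module and the manual net stop / ren / net start sequence) do the same thing on the endpoint; the following is an added example written for this page, not the Sophos.psm1 module from the thread and not Sophos code. It assumes PowerShell remoting is enabled and you hold local admin on the target, and that tamper protection has already been disabled for the device (from the Sophos Central console, or locally with the TP password): the function deliberately does not try to toggle tamper protection itself, because no command-line method for that is given on this page. The service name and database path are the ones quoted in the posts above; the function name, the timestamped backup name and the result object are this example's own choices.

```powershell
# Added example: remote reset of the Sophos Health event store.
# Assumptions (not from the page): WinRM is enabled, the caller is a local admin on
# the target, and tamper protection was ALREADY disabled for this device. The
# service name and database path come from the thread itself.
function Reset-SophosHealthEventStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [pscredential]$Credential
    )

    $remote = {
        $svcName = 'Sophos Health Service'
        $db = Join-Path $env:ProgramData 'Sophos\Health\Event Store\Database\events.db'

        $svc = Get-Service -Name $svcName -ErrorAction Stop
        if (-not (Test-Path -LiteralPath $db)) {
            # Nothing to rename: the store is already gone or the path differs on this build.
            return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Result = 'NoDatabase'; Service = $svc.Status }
        }

        try {
            Stop-Service -Name $svcName -ErrorAction Stop
            $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
        }
        catch {
            # Access denied here almost always means tamper protection is still on.
            # Do not touch the database while the service is running.
            return [pscustomobject]@{
                Computer = $env:COMPUTERNAME
                Result   = "StopFailed: $($_.Exception.Message)"
                Service  = (Get-Service -Name $svcName).Status
            }
        }

        # Keep the old store (timestamped) so it can be restored or sent to support.
        $backupLeaf = 'events.db.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.old'
        Rename-Item -LiteralPath $db -NewName $backupLeaf -ErrorAction Stop

        Start-Service -Name $svcName -ErrorAction Stop
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))

        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Result   = 'Reset'
            Backup   = Join-Path (Split-Path $db) $backupLeaf
            Service  = (Get-Service -Name $svcName).Status
        }
    }

    if ($PSCmdlet.ShouldProcess($ComputerName, 'Reset Sophos Health event store')) {
        $icm = @{ ComputerName = $ComputerName; ScriptBlock = $remote; ErrorAction = 'Stop' }
        if ($Credential) { $icm.Credential = $Credential }
        Invoke-Command @icm
    }
}

# Usage from a help-desk workstation (hostname is a placeholder):
#   Reset-SophosHealthEventStore -ComputerName PC-0123 -WhatIf
#   Reset-SophosHealthEventStore -ComputerName PC-0123 -Credential (Get-Credential)
```

Two practical points. First, the function refuses to rename the database unless the service has actually reached the Stopped state; if tamper protection is still enabled the stop fails with access denied, and renaming a live SQLite file is how you end up with a health service that will not start. Second, re-enable tamper protection for the device as soon as the endpoint reports healthy again, and treat the returned Backup path as evidence to hand to Sophos Support if the status keeps coming back.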

  • First you have to disable tamper protection on that endpoint. Then simply click on the red or amber Sophos health status; it will direct you to "Malware or potentially unwanted applications in quarantine" with the Resolve button enabled. Then click on the Resolve button. Just IT :)

  • Hi Jeewan. I don't want to be rude, but I think you had better read the whole discussion about this problem.

    The problem isn't "how to remove the database locally with tamper protection disabled" on a "problematic" computer.

    The problem lies in the fact that it "cannot be solved" from the cloud console and that it needs local administrator access.

    You simply restate the known solution and (sorry for that) I cannot see any value in this.

  • If Sophos is not able to automatically clean up the files, I have seen that this has helped twice or so:

    Consider running Microsoft Autoruns to see if there are any unusual programs that are running automatically and are triggering the detection.

    Sometimes it's a scheduled task that is running a script that seems unusual but may be causing behavior that is malicious and is triggering a detection.

    For more information on MS Autoruns I recommend you read the official article here: https://technet.microsoft.com/en-gb/sysinternals/bb963902.aspx.

    Once you have located the process that is running some script that seems unusual, you can send the script sample that is being run to SophosLabs for further review, and remove it from your machine. Once done, do another system scan to see if something is still being detected.

    There is no remote quarantine cleanup, and I understand that it is frustrating that this may need to be done on individual machines, but you can start with this to investigate what exactly is causing the detection, and possibly where it is on an individual machine.

    Thanks,

  • Is there an official method for this?

    The thread has multiple suggestions, some of which don't seem to apply anymore, and a community proposal, but this should have an official, Sophos-supported solution that is in the KB and not spread out among the discussion groups.

    It is a common request; Sophos should have an official answer with steps and/or a tool to accomplish this task.
    Michael