
Alert Forwarding/Clearing The Quarantine

Today I logged into Sophos Central to sort through alerts. I have always just used the "Alerts" section, assuming that between the medium and high alerts, anything that required our attention would be presented there. When I navigated to the device section, many devices display either a yellow or red status next to them.

Upon further investigation the messages contained within were:

  • Sophos services missing/not running.
  • Sophos agent has not checked in in 30+ days.
  • Malware/PUP running in quarantine.

These are all items which are not shown in the Alerts section, and I consider them to be of higher importance than "Reboot Required After Update". 

There also does not appear to be a reliable way to clear these alerts. Starting the missing Sophos services then triggering an agent update does clear that particular one. The one I'm specifically addressing is the malware running in quarantine.

When I look at the most recent events, a lot of the detection events are from very long ago and the files are no longer present on the machine. To ensure this is the case, I run multiple 3rd party AV scans against the machine to ensure that nothing else is found. I then re-run a Sophos scan, restart the computer and attempt to trigger an update from the dashboard. The Sophos GUI and the Central Dashboard for the customer still show the machine with a yellow/red status with the same message. There does not appear to be a way to clear the alert from any Sophos interfaces, and the alert message is still not forwarded to the "Alerts" page for that customer.

Reinstalling the AV software is not an acceptable solution either.

Sophos is already tedious enough to manage with just logging in, 2-factor, and then waiting for the page to load at 5-10 seconds each time new content is requested. Having to scroll the device page to find alerts that were not forwarded to our MSP Central dashboard, and then not being able to reliably clear the ones we find after the fact is very frustrating.

Any suggestions/workarounds to make this process less tedious and to allow us to clear alerts that are no longer present on the machine would be very appreciated.
