
Malware or potentially unwanted applications in quarantine Status

In my organization, I have 13 computers that show with an alert (yellow !) in Sophos Central, but when I look at the status and events, there aren't any issues. How can I clear these yellow (!) so I can get the statuses back to correct for reporting.

I've attached an image of one of the thirteen workstations. 

  • Hi Maurice,

    The infected files are moved to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED by default unless the directory is changed. Let me know if this helps resolve your issue.

    Haridoss Sreenivasan
    Technical Support Engineer | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Haridoss,

    Thanks for your response, but it's not very helpful. That folder location doesn't have anything in it. I'm assuming by your response there isn't a Quarantine folder anymore? The only way around this I have found is to completely uninstall/reinstall Sophos AV to make the workstation have the green indication in Sophos Central. There MUST be a better way. This is a deal breaker and would make us consider switching providers when our licensing expires in January.

  • Haridoss, 

    Can you please follow up on this? This is super frustrating and preventing my logs from being compliant for security checks. The LOG folder you suggested is blank, however these workstations still show out of compliance. 

    We'll be more than likely switching AV providers in January. 

  • Do you have the details of the detection from Central that caused this outstanding alert?  Presumably in the Event history for the computer in Central there was an event such as:

    Malware detected: 'EICAR-AV-Test' at 'C:\Users\user1\Desktop\test.zip'

    As a result, at the endpoint, in the Client UI, there is an "Open" event in the Events list such as:

    This is mirrored in Central as:

    In the case of malware in an archive, which is what we have in this example (I just put the Eicar string in a .txt file, zipped it up and right-click scanned it); Sophos will not delete the zip as there could be a file in the archive that you want.  So this is a bit of a special case as there is no cleanup routine to unpack, remove parts of the archive and re-create the archive.  

    Note: There is no danger of the file executing as it would need to be unpacked and run at which point the on-access scanner would do its job.

    In this case, if I delete the file from disk and start a scan, once complete the state then becomes:

    At this point a message is sent to Central to confirm the health is good.

    Under: C:\ProgramData\Sophos\Health\Event Store\Trail\ (in this case SAV-[GUID]) I see the "events.sav.threat.created" event for this detection and then the "events.sav.threat.cleared" event.  These make up the details in the UI.

    It's for this reason the alert that caused the event is probably significant. Do you know what the alerts were on these clients that caused the event?

    Regards,
    Jak

  • Thanks for responding.  Two examples

    1) On one computer, X, these events triggered back in June saying that Device Control, Data Loss Prevention, Tamper Control, Application Control and Malware Protection weren't running.

    2) This computer has a PUA that we've approved and made an exception for, but it keeps triggering. I cannot get it to clear.

  • For the second case, i.e. an alert for the PUA "Generic PUA LF": if you are happy to authorize this PUA, then "Globally" under https://cloud.sophos.com/manage/endpoint/config/settings/scanning-exclusions (applies to all computers) you should be able to set:

    After clicking Save, within 20 seconds, the file "C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml" on the endpoint should be updated.  The significant part of the file here is:

    <quarantineManager>
    ....
    <authorisedList policy="0"><item>Generic PUA LF</item></authorisedList>
    <authorisedFileList policy="0" xml:space="preserve"/>
    </quarantineManager>

    Note: This PUA has spaces in the name, which need to be kept.

    You could check if the computers have this value in machine.xml.  Note: you will probably have to copy and paste it to, say, the desktop to open it.

    For the other alert, these are just policy compliance which I would imagine are transitory and should be fixed.

    "C:\Program Files\Sophos\Endpoint Self Help\SophosDiag.exe" might be worth a run to check that:

    1. The client is communicating OK with Central.
    2. The policy times look good.  
    3. Worth checking that on the System page, the Endpoint ID value aligns with the computer you are looking at in Central. The URL has this same GUID in it, e.g. cloud.sophos.com/.../summary

    For reference the cached policy files live here on the endpoint: "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\".  You can see each component has a sub-directory.  All the ones in the screenshot you provided belong to the SAV component so would be under: "C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\".

    Regards,
    Jak

    P.S. I updated my previous post with a little more info.

  • Thanks for the feedback. I still cannot get the ones with for the "Malware or potentially unwanted applications in quarantine" to clear, even after removing the files and re-scanning the computer. 

  • So the endpoint is in the state now where, if you look at the Events list in the local UI, you have an alert with a yellow triangle, i.e., an entry that isn't cleaned up; something is still outstanding.

    However the file is no longer on disk in the location referenced as you have manually removed it.

    Did you initiate the scan from Central or from the Endpoint UI?  If you used Central, can you try clicking "Scan" on the "Status" page at the client?

    I assume that at the client, the health state:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\Health\Status 
    "health" = 2 as the "threat" value is 2.

    And under:
    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SavService\ThreatLifetime

    if you drill down, I assume you have this open threat.

    Once SAV "cleans" up then this entry under the Threats sub-key for the alert should be gone and under the trail of events:

    C:\ProgramData\Sophos\Health\Event Store\Trail\

    where you have a corresponding SAV-GUID-.json file for the threat (with a state of "events.sav.threat.created"), there should be one created for the cleanup (events.sav.threat.cleared).

    I assume that when the threat is cleaned up, SAV drops a JSON file into C:\ProgramData\Sophos\Health\Event Store\Incoming\ which is processed.

    Regards,

    Jak
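    As an added diagnostic (my own script, not Sophos tooling or anything from the thread's participants), the PowerShell below walks the places Jak's two posts point at on one endpoint: the authorisedList entry in machine.xml, the Health\Status and ThreatLifetime registry keys, and the Event Store Trail for created versus cleared threat events. Paths, value names and the PUA name come from the thread; the Trail JSON is searched as plain text because its schema is not shown here, and the "Threats" sub-key name is taken from the post rather than verified.

```powershell
# Added diagnostic (not Sophos tooling). Run in an elevated PowerShell on the affected endpoint.
# Assumptions: default install paths as quoted in the thread; Trail JSON schema unknown, so it
# is searched as text; the ThreatLifetime\Threats sub-key name is taken from the post.
param(
    [string]$PuaName = 'Generic PUA LF'   # exact name incl. spaces; substitute your own PUA
)

$machineXml = 'C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml'
$healthKey  = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\Health\Status'
$threatKey  = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SavService\ThreatLifetime\Threats'
$trailDir   = 'C:\ProgramData\Sophos\Health\Event Store\Trail'

# 1. Has the global authorisation reached the endpoint? Case-sensitive, exact <item> match,
#    because the thread notes the spaces in the PUA name must be preserved.
if (Test-Path -Path $machineXml) {
    $cfgText = Get-Content -Path $machineXml -Raw
    $authorised = $cfgText.Contains("<item>$PuaName</item>")
    Write-Output ("PUA '{0}' present in authorisedList of machine.xml: {1}" -f $PuaName, $authorised)
} else {
    Write-Output "machine.xml not found at $machineXml"
}

# 2. Health summary: the thread states health = 2 when the threat value is 2 (open threat).
$status = Get-ItemProperty -Path $healthKey -ErrorAction SilentlyContinue
Write-Output ("Health\Status: health={0} threat={1}" -f $status.health, $status.threat)

# 3. Threat entries SAV still holds open; these should disappear once SAV reports cleanup.
$openThreats = @(Get-ChildItem -Path $threatKey -ErrorAction SilentlyContinue)
Write-Output ("Entries under ThreatLifetime\Threats: {0}" -f $openThreats.Count)
$openThreats | ForEach-Object { Write-Output ("  " + $_.PSChildName) }

# 4. Trail: every threat.created event should be matched by a threat.cleared event.
$trailFiles = @(Get-ChildItem -Path $trailDir -Recurse -Filter '*.json' -ErrorAction SilentlyContinue)
$createdHits = @($trailFiles | Select-String -SimpleMatch -List -Pattern 'events.sav.threat.created')
$clearedHits = @($trailFiles | Select-String -SimpleMatch -List -Pattern 'events.sav.threat.cleared')
Write-Output ("Trail files: created={0} cleared={1}" -f $createdHits.Count, $clearedHits.Count)
$createdHits | ForEach-Object { Write-Output ("  created event in: " + $_.Path) }
if ($createdHits.Count -gt $clearedHits.Count) {
    Write-Output 'Unmatched threat.created event(s): SAV has not written the cleared event, so Central will keep the yellow alert.'
} elseif ($openThreats.Count -eq 0 -and [int]$status.threat -eq 0) {
    Write-Output 'Endpoint looks clean locally; if Central still shows an alert, check Central communication with SophosDiag.exe.'
}
```

If step 1 reports False on a machine that still alerts for the PUA, the policy has not been applied there yet, which is the first thing to check before touching quarantine state.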


  • I have the same situation and NOTHING in this thread helps me. Is there any solution?

  • I have this exact same issue.  Some PUAs that I allow are forever triggered.  I can't get Sophos to ignore them.  I even have the location excluded in the Global Scanning Exclusions and it still scans that location.

  • Hi,

    As far as I remember it is possible to delete the events.db on the specific client.
    (Somewhere under programdata)
    After that the state goes back to green.

    Perhaps someone could reply with the exact steps, because at the moment we have no errors at our customers :)
