Sophos "INFECTED" folder is huge, how can I delete the contents?

Hi,

I can't believe this hasn't been asked (as far as I can tell).

The Sophos infected folder (C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\) is huge on my drive (4.7GB). How can I delete the files inside and recover that space? Every time I delete one it just returns.

Thanks!

  • Hello captainentropy,

    this isn't normal. When the respective cleanup option is set Sophos moves malicious and optionally suspicious files to the \INFECTED folder in response to a detection. This is accompanied by a corresponding desktop alert (a balloon attached to the Sophos icon which you should notice). This setting is not the (recommended) default - thus it has either been made by you (in which case you should know why you did it and how to deal with the consequences) or by central management, and you should ask your Sophos administrator, especially if you don't get any desktop alerts.

    Christian

  • I have a similar (though much worse) problem.

    I was having occasional infected files detected and quarantined, but I was unable to 'clean up' from quarantine. Sophos support suggested sending them a sample of one of these files and, in order to get a sample, told me to change my Sophos cleanup settings from 'Deny Access' to 'Deny Access and move to the INFECTED folder'.

    I got to work this morning and a different virus has appeared (Mal/EnkPK-AER) and has sent over 600,000 items to the INFECTED folder at over 100 gig in size. Sophos support could only suggest running another 'full system scan', which I have now done, but this normally takes over 24 hours on this machine. The scan has picked up some more Mal/EnkPK-AER infections but 'clean up' is not available and only a 'manual' cleanup will solve it. I have now emptied the INFECTED folder and changed my Clean-up settings back to 'Deny Only' so that nothing else gets copied into the INFECTED folder.

    However, Quarantine Manager is still finding Mal/EnkPK-AER and putting them into quarantine, saying that the source of the virus is the INFECTED folder. As there is nothing in the INFECTED folder, are these alerts the backlog from my 600,000 items that were in the INFECTED folder, and if so is there any way of stopping Sophos from picking these up? Otherwise I'm just constantly clearing the Quarantine list, and for so many items this could take a huge amount of time to finish.

  • Hello Steve_E,

    this might indeed be a backlog of messages; I wonder where they are stored. I'd try to restart the Anti-Virus service (savservice.exe), and if this doesn't help perhaps the Agent (or reboot).

    Anyway, the question is whether the items came from "somewhere else" or were n-plicated in the \INFECTED folder. When moved to \INFECTED the files get an extension (usually .000) appended so that with the default/recommended settings they aren't picked up when the folder is browsed or otherwise accessed. Scan all files could (I think, I haven't tested it and don't want to) cause the file in \INFECTED to be rescanned and copied.

    Otherwise either the files are immediately recreated when they are moved (in which case you have some as yet undetected rogue process) or they are write-locked and very frequently opened - the move fails but the file can be copied, and with the next open this repeats.

    It's a good idea to monitor clients which have Move in the On-Access settings and if running a scan when Move is configured for On-Access to exclude the \INFECTED folder just in case.

    Christian

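To answer Christian's question of whether the items came from elsewhere or were n-plicated inside \INFECTED, the following PowerShell inventory is an added example (not from the thread or from Sophos). It assumes the default folder path quoted in the original question and the numeric suffix (.000 and similar) described above; adjust `$Infected` for a non-default install.

```powershell
# Inventory the Sophos \INFECTED folder: size, duplicated originals, extensions, timestamps.
# Path as quoted in the thread; assumption: default Sophos Anti-Virus install location.
$Infected = 'C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED'

$files = Get-ChildItem -LiteralPath $Infected -File -Recurse -Force -ErrorAction Stop

# Total count and size: confirms whether the folder really holds the GBs reported.
$total = ($files | Measure-Object -Property Length -Sum).Sum
'{0:N0} files, {1:N2} GB' -f $files.Count, ($total / 1GB)

# Strip the three-digit suffix Sophos appends (.000, .001, ...) to recover the original
# file name. Many copies of one original name means the folder is being n-plicated
# (rescanned/copied in place) rather than receiving fresh detections from elsewhere.
$groups = $files |
    ForEach-Object {
        [pscustomobject]@{
            Original = ($_.Name -replace '\.\d{3}$', '')
            Path     = $_.FullName
            Size     = $_.Length
            Written  = $_.LastWriteTime
        }
    } |
    Group-Object -Property Original |
    Sort-Object -Property Count -Descending

'Most duplicated original names:'
$groups | Select-Object -First 10 -Property Count, Name | Format-Table -AutoSize

# Original extensions present: with the default "scan only these extensions" setting the
# .000 suffix hides these files, so this shows what "scan all files" would start rescanning.
'Original extensions:'
$files |
    Group-Object -Property { [IO.Path]::GetExtension(($_.Name -replace '\.\d{3}$', '')).ToLower() } |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name | Format-Table -AutoSize

# Oldest and newest move times: a burst of recent timestamps points to a still-active
# source (a rogue process recreating files, or a locked file being copied repeatedly).
$sorted = $files | Sort-Object -Property LastWriteTime
'Oldest: {0}  {1}' -f $sorted[0].LastWriteTime, $sorted[0].Name
'Newest: {0}  {1}' -f $sorted[-1].LastWriteTime, $sorted[-1].Name
```

Run it from an elevated PowerShell session, since \INFECTED is normally readable only by administrators; if the newest timestamps keep advancing while the folder is empty of user files, the source is still active and the on-access exclusion Christian suggests is the safer interim setting.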