This discussion has been locked.

Sophos "INFECTED" folder is huge, how can I delete the contents?

Hi,

I can't believe this hasn't been asked (as far as I can tell).

The Sophos infected folder (C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\) is huge on my drive (4.7GB). How can I delete the files inside and recover that space? Every time I delete one it just returns.

Thanks!

:40469


  • Hello Steve_E,

    this might indeed be a backlog of messages, wonder where they are stored - I'd try to restart the Anti-Virus service (savservice.exe), if this doesn't help perhaps the Agent (or reboot).

    Anyway, the question is whether the items came from "somewhere else" or n-plicated in the \INFECTED folder. When moved to \INFECTED the files get an extension (usually .000) appended so that with the default/recommended settings they aren't picked up when the folder is browsed or otherwise accessed. Scan all files could (I think, I haven't tested it and don't want to :smileywink:) cause the file in \INFECTED to be rescanned and copied.  

    Otherwise either the files are immediately recreated when they are moved (in which case you have some as yet undetected rogue process) or write-locked and very frequently opened - the move fails but the file can be copied and with the next open this repeats.  

    It's a good idea to monitor clients which have Move in the On-Access settings and if running a scan when Move is configured for On-Access to exclude the \INFECTED folder just in case.

    Christian

    :45615
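
One way to check whether the folder holds many different items or the same item n-plicated, as an added example that is not part of the original reply: it reads directory metadata only and never opens the quarantined files, so it should not itself trigger a rescan. It assumes PowerShell 3.0 or later, an elevated prompt, and that the appended extension is one or more three-digit numeric suffixes (the reply says "usually .000").

```powershell
# Added example, not from the thread: metadata-only inventory of the INFECTED folder.
# Nothing here opens file contents (no hashing, no reads).
param(
    [string]$InfectedDir = 'C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED'
)

$files = Get-ChildItem -LiteralPath $InfectedDir -File -Force -ErrorAction Stop

$rows = foreach ($f in $files) {
    [pscustomobject]@{
        # Assumption: the suffix added on move is numeric (.000, .001, ...) and may
        # be stacked (.000.000) if a quarantined file was itself moved again.
        Original = $f.Name -replace '(\.\d{3})+$', ''
        Length   = $f.Length
        # May be carried over from the original file, so treat it as a hint only.
        Created  = $f.CreationTime
    }
}

# Many entries with the same original name and the same size point to one item
# being copied over and over rather than to many separate detections.
$groups = $rows | Group-Object Original, Length | ForEach-Object {
    $times = @($_.Group.Created | Sort-Object)
    [pscustomobject]@{
        Original = $_.Group[0].Original
        Copies   = $_.Count
        TotalMB  = [math]::Round(($_.Group | Measure-Object -Property Length -Sum).Sum / 1MB, 1)
        Oldest   = $times[0]
        Newest   = $times[-1]
    }
} | Sort-Object TotalMB -Descending

'{0} files, {1} distinct name/size pairs' -f @($rows).Count, @($groups).Count
$groups | Select-Object -First 20 | Format-Table -AutoSize
```

A handful of name/size pairs with a high `Copies` count matches the repeated-copy explanations in the reply; a long list of pairs with one copy each means the items really are arriving from somewhere else.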