Sophos doesn't move malware/virus

Question

Hello,

I have a problem with Sophos Endpoint Security & Control managed over the Sophos Enterprise Console. I did set the policy if a virus gets detected Sophos should deny access and move it to the default location C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

But if a virus/malware appears Sophos only denies access and doesn’’’’t move the file into the target folder. However the virus appears in the quarantine-manager and is still in the source directory e.g. C:\Users\test\Desktop but won’’’’t appear in C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED

I think it’’’’s a Sophos Client problem, the policy is transmitted successfully, because in the client options all the right settings are set.

The Sav log file only says that Sophos denied access, but nothing about moving the file to the infected folder.

Tested on Windows 7 and Windows Server 2008 R2, Sophos Client Version 10.2.

Best Regards and thanks in advance!

This thread was automatically locked due to age.

QC · Accepted Answer

Hello Nordfol, sounds like it is working as designed. A moved threat is considered as being successfully dealt with and therefore doesn't show up. Instead of referring you to the help and docs I'll quote the relveant chapter of the Help: About Quarantine manager Quarantine manager enables you to deal with the items found by scanning that were not eliminated automatically during scanning. Each item is here for one of the following reasons. No cleanup options (clean up, delete, move) were chosen for the type of scan that found the item. A cleanup option was chosen for the type of scan that found the item but the option failed. The item is multiply-infected and still contains additional threats. The threat has only been partially detected, and a full computer scan is needed to fully detect it. To find out how to do this, refer to Run a full computer scan The item exhibits suspicious behavior. The item is a controlled application. Note : Adware, PUAs, and multi-component infections detected during on-access scanning are always listed in Quarantine manager. Automatic cleanup of adware, PUAs, and multi-component infections is not available for on-access scanning. A cleanup option may have failed because of insufficient access rights. If you have greater rights, you can use Quarantine manager to deal with the item(s). Threats that are detected during web page scanning are not listed in Quarantine manager because the threats are not downloaded to your computer. Therefore, there is no need to take any action. Christian :44341