This discussion has been locked.

Sophos making it hard to remotely delete viruses

Just wondering if I am currently disinfecting correctly.

1) a virus is detected on a remote computer.

2) Sophos Enterprise Console detects the virus, but for whatever reason cannot "clean" it (fails)

3) I try to go to the path and delete the file manually

4) my local Sophos detects that it's a virus and locks the file, so I am unable to delete it (grr)

5) I log into that machine, go to the file path, and Sophos "quarantines" the file

6) on that machine (the remote machine) I am able to select "delete" as an action in the Sophos console

7) delete works fine and is able to delete the virus

the end result of this is that I have to log into the machine remotely over RDP, instead of just being able to a) delete the file from the Sophos Enterprise Console or b) delete the file with normal file system tools over a Windows share (\\machine\c$\path\to\virus)

Is this how it is? I looked into the settings on the Enterprise Console, and it seems to allow me to set it up to automatically delete, which I obviously do not want because of false positives, or simply "deny access" to the file, which is how it is set.

How do I allow myself, as an operator of the Sophos console, to delete the file? All I have as actions is "cleanup", which seems not to work very well, and "acknowledge", which does not get rid of the virus at all. Is there some way I can delete manually from the console?

EDIT: also, are delete and clean the same? Sometimes I get delete, other times clean.



  • Hello givemecontrol,

    might be necessary to clarify a few things first:

    sophos enterprise console detects the virus

    SEC doesn't detect a (virus, let's call it) threat. The scan takes place on the endpoint, which in turn sends an alert to SEC.

    for whatever reason cannot "clean" it  (fails)

    Like the scan, any cleanup action is performed solely on the client. All that SEC does is forward the instruction to attempt cleanup (which you manually requested using Resolve Alerts and Errors ...) to the endpoint.

    my local sophos detects that its a virus and locks the file

    Sophos doesn't lock files, it only blocks access to them. Regardless, delete is a permitted action.

    on that ...remote machine ... on the sophos console

    Don't call it console; (G)UI is commonly used, and the specific window is referred to as Quarantine Manager (QM). Note that quarantine is nothing more than a list of detections which haven't been dealt with, either because the action defined in the policy failed or was not possible, the policy specified deny access only, or no action is associated with the threat (type).

    If you have Automatic cleanup enabled in the policy, the majority of detections are dealt with on the endpoint and you only get a transient alert (which is cleared after successful cleanup) or no alert at all. Only for some of the detections do you see a persistent alert. In many cases cleanup succeeds. Some of them can be dealt with if you run a scan with Delete as the cleanup option. Only for a few is a delete from the client (or remotely) necessary.

    The distinct Cleanup and Delete actions are only shown in QM.

    Christian

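As an added example (not from this thread, and not Sophos' own tooling), the remote delete the original poster wanted in option (b) can be done without an RDP session by running the delete on the endpoint itself through PowerShell Remoting, so the file is never opened through the operator's own on-access scanner over the admin share; the endpoint's own scanner still governs the outcome, and the reply above notes that delete is a permitted action there. The function name, host name and path are placeholders, and it assumes WinRM is enabled on the target and the operator account is a local administrator there.

```powershell
# Added example, not code from the thread or from Sophos.
# Deletes a detected file on a remote endpoint by executing the delete ON that
# endpoint (Invoke-Command over WinRM), and captures basic evidence first.
# Assumptions: PowerShell Remoting is enabled on the target and the caller is a
# local administrator there. Remove-RemoteDetection and the values in the usage
# lines are placeholders.
function Remove-RemoteDetection {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $ComputerName,   # endpoint that raised the alert
        [Parameter(Mandatory)] [string] $LiteralPath,    # path exactly as reported in the alert
        [System.Management.Automation.PSCredential] $Credential
    )

    # Everything in this script block runs on the remote endpoint, not on the operator's PC.
    $remote = {
        param($Path)
        $item = Get-Item -LiteralPath $Path -Force -ErrorAction Stop

        # Record what we can for the incident log before the file is gone.
        $record = [ordered]@{
            Computer      = $env:COMPUTERNAME
            Path          = $item.FullName
            Length        = $item.Length
            LastWriteUtc  = $item.LastWriteTimeUtc
            Owner         = (Get-Acl -LiteralPath $Path).Owner   # reads the security descriptor, not the content
            Sha256        = $null
            Deleted       = $false
            Error         = $null
        }

        try {
            # Hashing opens the file for read; with a deny-access policy the endpoint AV
            # may refuse that even though delete is still allowed, so treat it as optional.
            $record.Sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch {
            $record.Error = "hash skipped: $($_.Exception.Message)"
        }

        try {
            Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
            $record.Deleted = -not (Test-Path -LiteralPath $Path)
        } catch {
            $msg = "delete failed: $($_.Exception.Message)"
            $record.Error = if ($record.Error) { "$($record.Error); $msg" } else { $msg }
        }

        [pscustomobject]$record
    }

    # -WhatIf / -Confirm are honoured here, which matters when the alert may be a false positive.
    if ($PSCmdlet.ShouldProcess("$ComputerName : $LiteralPath", 'Delete detected file')) {
        $params = @{ ComputerName = $ComputerName; ScriptBlock = $remote; ArgumentList = $LiteralPath }
        if ($Credential) { $params.Credential = $Credential }
        Invoke-Command @params
    }
}

# Usage (placeholder host and path): dry run first, then the real delete.
# Remove-RemoteDetection -ComputerName 'WS-0042' -LiteralPath 'C:\Users\jdoe\AppData\Local\Temp\bad.exe' -WhatIf
# Remove-RemoteDetection -ComputerName 'WS-0042' -LiteralPath 'C:\Users\jdoe\AppData\Local\Temp\bad.exe' | Format-List
```

The returned object carries the hash (when the endpoint allowed the read), size, timestamp and owner so the detection can be documented even though the file is gone; if `Deleted` comes back `$false`, the `Error` field shows whether it was the endpoint's own scanner that refused, which is the same condition the thread describes for the Quarantine Manager route.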