Alerts for Threat Protection
These are threat protection alerts.
There are the following types of threat protection alerts.
For information about a threat and advice on how to deal with it, click its name in the alert.
Alternatively, go to the Threat Analysis page on the Sophos website. Under Browse threat analyses, click the link for the type of threat, and then do a search for the threat or look in the list of latest items.
You might also see malware detections shown in the Events list as ML/PE-A, see ML/PE-A detection explained.
High
| Alert type | Description |
|---|---|
| Real-time protection disabled | Real-time protection has been disabled for a computer for more than 2.5 hours. Real-time protection should be turned on at all times. Sophos Support may advise you to turn it off for a short period of time in order to carry out an investigation. |
| Malware not cleaned up | Some detected malware could not be removed after a period of 24 hours, even if automatic cleanup is available. The malware was probably detected via a scan that does not provide automatic cleanup, e.g., an on-demand scan configured locally. You can deal with the malware in one of these ways:
|
| Manual cleanup required | Some detected malware could not be removed automatically because automatic cleanup is not available. Click Description in the alert to learn more about the threat and how to deal with it. If you need help, contact Sophos support. |
| Running malware not cleaned up | A program that was running on a computer and exhibited malicious or suspicious behavior could not be cleaned up. Click Description in the alert to learn more about the threat and how to deal with it. If you need help, contact Sophos support. |
| Malicious traffic detected | Malicious network traffic, possibly headed to a command-and-control server involved in a botnet or other malware attack, has been detected. Click Description in the alert to learn more about the threat and how to deal with it. If you need help, contact Sophos support. |
| Recurring infection | A computer has become reinfected after Sophos Central attempted to remove the threat. It may be because the threat has hidden components that haven't been detected. An in-depth analysis of the threat may be required. If you need help, contact Sophos support. |
| Ransomware detected | We have detected ransomware and blocked its access to the file-system. If the computer is a workstation, we clean up the ransomware automatically. You need to do as follows:
|
| Ransomware attacking a remote machine detected | We have detected that this computer is trying to encrypt files on other computers. We have blocked the computer's write access to the network shares. If the computer is a workstation, and Protect document files from ransomware (CryptoGuard) is enabled, we clean up the ransomware automatically. You need to do as follows:
|
Medium
| Alert type | Description |
|---|---|
| Potentially Unwanted Application (PUA) detected | Some software has been detected that might be adware or other potentially unwanted software. By default, potentially unwanted applications are blocked. You can either authorize it, if you consider it useful, or clean it up. |
| Authorize PUAs | You can authorize a PUA in one of two ways, depending on whether you want to authorize it on all computers or only some:
|
| Clean up PUAs | You can clean a PUA up in one of two ways:
|
| Potentially unwanted application not cleaned up | Potentially unwanted application could not be removed. Manual cleanup may be required. Click Description in the alert to learn more about the threat and how to deal with it. If you need help, contact Sophos support. |
| Computer scan required to complete cleanup | A threat cleanup requires a full computer scan. To scan a computer, go to the Computers page, click on the name of the computer to open its details page, and then click the Scan now button. The scan may take some time. When complete, you can see a "Scan 'Scan my computer' completed" event and any successful cleanup events on the Logs & Reports > Events page. You can see alerts about unsuccessful cleanup on the Alerts page. If the computer is offline, it will be scanned when it is back online. If a computer scan is already running, the new scan request will be ignored and the earlier scan will carry on. Alternatively, you can run the scan locally using the Sophos agent software on the affected computer. Use the Scan option in Sophos Endpoint on a Windows computer, or the Scan This Mac option in Sophos Anti-Virus on a Mac. |
| Reboot required to complete cleanup | The threat has been partially removed, but the endpoint computer needs to be restarted to complete the cleanup. |
| Remotely-run ransomware detected | We detected ransomware running on a remote computer and trying to encrypt files on network shares. We have blocked write access to the network shares from the remote computer's IP address. If the computer with that address is a workstation managed by Sophos Central, and Protect document files from ransomware (CryptoGuard) is enabled, we clean up the ransomware automatically You need to do as follows:
|