Skip to content

Deal with PUAs

This is how we deal with PUAs.

We block access to a potentially unwanted application (PUA) when we detect it.

We clean up PUAs automatically.

You can turn off automatic clean-up on Macs. If you do this and we detect a PUA, you'll get an alert asking if you want to clean it up.


We recommend that you don't turn off automatic clean-up.

How we clean up PUAs automatically

We clean up PUAs using the following methods:

  • On devices running Windows 7 or later, SophosClean (a component of our protection agents) cleans portable executable (PE) files, such as applications, libraries, and system files. This targets malware that affects .exe files.

    It doesn't target and clean up script-based malware.

    You can restore items in Sophos Central. SophosLabs can also restore files if we know there has been a false detection. For more help with restoring files, see How to investigate and resolve a potential False Positive or Incorrect Detection.

  • The antimalware components of our protection agents do all the cleaning up on Mac and Linux, and all non-PE cleaning up on Windows computers.

    There is no automatic or remote restore available for applications cleaned this way.

    On Windows, you can restore access to detected items using the command prompt on the affected computer.

Why cleanup doesn't happen

We can't always automatically clean up PUAs.

In some cases, this is because you need to do something for the process to complete. If clean up hasn't happened, check the following:

  • Check if the file location is read-only. For example, check if a network share has read-only permissions.
  • Check whether you need to start a scan.
  • Check whether you need to restart a device. You might need to do this if some files were locked.

In some cases, we can't clean up files. For example, our antimalware components require instructions for each identity or detection name. If these are unavailable, detection can happen, but we can't clean up the files.

We use alerts to tell you when you need to take action or if you need to investigate a PUA detection. The following table contains examples of alerts.

Message Description
Manual malware cleanup required Cleanup has been attempted but failed.
Manual PUA cleanup required Cleanup has been attempted but failed.
Malware not cleaned up Cleanup instructions aren't available for this detection type.
Computer scan required to complete cleanup You need to start a scan or wait for the next scheduled scan.

Deal with cleanup failures

You should investigate cleanup failures because they can indicate more serious issues. See Resolve PUA alerts.

For example, many threats have more than one component, and if one is active and undetected, it can lock other items. This prevents them from being removed if they're detected. This shows up as a cleanup failure on the detected component. You must find out if there's undetected malware present.

If there's a threat graph for the detection, you can use it to find out more information, such as how the detected item came to be on the system, what it has launched, or what else is present on the system associated with it.