Alerts for Threat Protection

Sophos Central raises the following types of threat protection alert, grouped by severity.

For information about a threat and advice on how to deal with it, click its name in the alert.

Alternatively, go to the Threat Analysis page on the Sophos website. Under Browse threat analyses, click the link for the type of threat, and then do a search for the threat or look in the list of latest items.

You might also see malware detections shown in the Events list as ML/PE-A.

High

Alert type

Description

Real-time protection disabled

Real-time protection has been disabled for a computer for more than 2.5 hours. Real-time protection should be turned on at all times. Sophos Support may advise you to turn it off for a short period of time in order to carry out an investigation.

Malware not cleaned up

Some detected malware could not be removed after a period of 24 hours, even if automatic cleanup is available. The malware was probably detected via a scan that does not provide automatic cleanup, e.g., an on-demand scan configured locally. You can deal with the malware in one of these ways:

  • Clean it up centrally, by scheduling a scan in the policy (which will then have automatic cleanup enabled).
  • Clean it up locally, via the Quarantine Manager.
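The two alerts above are time-based: real-time protection off for more than 2.5 hours, and a detection still uncleaned after 24 hours. If you mirror endpoint status into a SIEM, you can replicate those conditions there so the same thresholds are checked even when the console is not being watched. The following is an added example, not Sophos code; the status records are constructed, and their field names (`rtp_enabled`, `rtp_disabled_since`, `uncleaned`) are assumptions for this example rather than the Sophos Central API schema.

```python
"""Replicate the two time-based alert conditions (real-time protection
disabled > 2.5 h, malware uncleaned > 24 h) over endpoint status records.
Added example, not Sophos code; record layout is a constructed stand-in."""
from datetime import datetime, timedelta, timezone

# Thresholds as stated in the alert descriptions.
RTP_DISABLED_LIMIT = timedelta(hours=2.5)
UNCLEANED_LIMIT = timedelta(hours=24)

# Constructed sample: one status snapshot per endpoint.
# Field names are assumptions for this example, not a real API schema.
SAMPLE_STATUS = [
    {"host": "ws-001", "rtp_enabled": False,
     "rtp_disabled_since": "2024-05-01T08:00:00Z", "uncleaned": []},
    {"host": "ws-002", "rtp_enabled": False,
     "rtp_disabled_since": "2024-05-01T10:00:00Z", "uncleaned": []},
    {"host": "ws-003", "rtp_enabled": True, "rtp_disabled_since": None,
     "uncleaned": [{"name": "Troj/Example-A",          # constructed name
                    "detected_at": "2024-04-29T09:00:00Z"}]},
    {"host": "srv-001", "rtp_enabled": True, "rtp_disabled_since": None,
     "uncleaned": [{"name": "Mal/Example-B",           # constructed name
                    "detected_at": "2024-05-01T06:00:00Z"}]},
]

# Fixed evaluation time so the run is reproducible offline.
NOW = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the UTC 'Z' timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def evaluate(records, now=NOW):
    """Return (severity, alert_type, host, detail) tuples for every
    record that crosses one of the two thresholds."""
    alerts = []
    for rec in records:
        # Condition 1: protection off, and off for longer than the limit.
        if not rec["rtp_enabled"] and rec["rtp_disabled_since"]:
            down = now - parse_ts(rec["rtp_disabled_since"])
            if down > RTP_DISABLED_LIMIT:
                alerts.append(("high", "Real-time protection disabled",
                               rec["host"], f"disabled for {down}"))
        # Condition 2: any detection still present past the 24 h limit,
        # regardless of whether automatic cleanup was available.
        for item in rec["uncleaned"]:
            age = now - parse_ts(item["detected_at"])
            if age > UNCLEANED_LIMIT:
                alerts.append(("high", "Malware not cleaned up",
                               rec["host"], f"{item['name']} uncleaned for {age}"))
    return alerts


if __name__ == "__main__":
    for severity, kind, host, detail in evaluate(SAMPLE_STATUS):
        print(f"[{severity}] {kind}: {host} ({detail})")
```

On the constructed data only `ws-001` (protection off for three hours) and `ws-003` (detection two days old) are reported; `ws-002` has been off for one hour and `srv-001`'s detection is five hours old, so neither crosses its threshold.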

Manual cleanup required

Some detected malware could not be removed automatically because automatic cleanup is not available. Click on the "Description" in the alert to go to the Sophos website, where you can read advice on how to remove the threat. If you need help, contact Sophos Support.

Running malware not cleaned up

A program that was running on a computer and exhibited malicious or suspicious behavior could not be cleaned up. Click on the "Description" in the alert to learn more about the threat and how to deal with it. If you need help, contact Sophos Support.

Malicious traffic detected

Malicious network traffic, possibly headed to a command-and-control server involved in a botnet or other malware attack, has been detected. Click on the "Description" in the alert to learn more about the threat and how to deal with it. If you need help, contact Sophos Support.

Recurring infection

A computer has become reinfected after Sophos Central attempted to remove the threat. It may be because the threat has hidden components that haven't been detected. An in-depth analysis of the threat may be required. Please contact Sophos Support for assistance.

Ransomware detected

We have detected ransomware and blocked its access to the file system. If the computer is a workstation, we clean up the ransomware automatically. You need to do as follows:

  • If you still need to clean up: Move the computer temporarily to a network where it is not a risk to other computers. Go to the computer and run Sophos Clean (if it isn't installed, download it from our website).

    You can run Sophos Clean on a server from Sophos Central. See Alerts.

  • If automatic sample submission isn't enabled, send us a sample of the ransomware. We'll classify it and update our rules: if it's malicious, Sophos Central will block it in future.
  • Go to Sophos Central, go to Alerts, and mark the alert as resolved.

Ransomware attacking a remote machine detected

We have detected that this computer is trying to encrypt files on other computers.

We have blocked the computer's write access to the network shares. If the computer is a workstation, and Protect document files from ransomware (CryptoGuard) is enabled, we clean up the ransomware automatically.

You need to do as follows:

  • Make sure that Protect document files from ransomware (CryptoGuard) is enabled in the Sophos Central policy. This provides more information.
  • If cleanup doesn't happen automatically: Move the computer to a network where it is not a risk to other computers. Then go to the computer and run Sophos Clean (if it isn't installed, download it from our website).
  • Go to Sophos Central, go to Alerts, and mark the alert as resolved.

Medium

Alert type

Description

Potentially Unwanted Application (PUA) detected

Some software has been detected that might be adware or other potentially unwanted software. By default, potentially unwanted applications are blocked. You can either authorize it, if you consider it useful, or clean it up.

Authorize PUAs

You can authorize a PUA in one of two ways, depending on whether you want to authorize it on all computers or only some:

  • On the Alerts page, select the alert and click the Authorize PUA button in the upper right of the page. This authorizes the PUA on all computers.
  • Add the PUA to the scanning exclusions in the malware protection policy. This authorizes the PUA only on computers to which the policy applies.

Clean up PUAs

You can clean a PUA up in one of two ways:

  • On the Alerts page, select the alert and click the Cleanup PUA(s) button in the upper right of the page.
  • Clean it up in the agent software's Quarantine Manager on the affected computer.

Cleanup might not be available if the PUA has been detected in a network share. This is because the Sophos agent does not have sufficient rights to clean up files there.

Potentially unwanted application not cleaned up

A potentially unwanted application could not be removed. Manual cleanup may be required. Click on the "Description" in the alert to learn more about the application and how to deal with it. If you need help, contact Sophos Support.

Computer scan required to complete cleanup

A threat cleanup requires a full computer scan. To scan a computer, go to the Computers page, click on the name of the computer to open its details page, and then click the Scan now button.

The scan may take some time. When complete, you can see a "Scan 'Scan my computer' completed" event and any successful cleanup events on the Logs & Reports > Events page. You can see alerts about unsuccessful cleanup on the Alerts page.

If the computer is offline, it will be scanned when it is back online. If a computer scan is already running, the new scan request will be ignored and the earlier scan will carry on.

Alternatively, you can run the scan locally using the Sophos agent software on the affected computer. Use the Scan option in Sophos Endpoint on a Windows computer, or the Scan This Mac option in Sophos Anti-Virus on a Mac.

Reboot required to complete cleanup

The threat has been partially removed, but the endpoint computer needs to be restarted to complete the cleanup.

Remotely-run ransomware detected

We detected ransomware running on a remote computer and trying to encrypt files on network shares.

We have blocked write access to the network shares from the remote computer's IP address. If the computer with that address is a workstation managed by Sophos Central, and Protect document files from ransomware (CryptoGuard) is enabled, we clean up the ransomware automatically.

You need to do as follows:

  • Find the computer where the ransomware is running.
  • If the computer is managed by Sophos Central, make sure that Protect document files from ransomware (CryptoGuard) is enabled in the policy.
  • If cleanup doesn't happen automatically: Move the computer to a network where it is not a risk to other computers. Then go to the computer and run Sophos Clean (if it isn't installed, download it from our website).
  • Go to Sophos Central, go to Alerts, and mark the alert as resolved.
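The first step for this alert is locating the machine behind the blocked IP address, and the remaining steps depend on whether that machine is managed and has CryptoGuard enabled. The following added example (not Sophos code) shows that decision as a small triage helper: it looks the IP up in a managed-endpoint list and a DHCP lease table, then returns the steps from the list above that still apply. The alert, inventory and lease records are constructed, and their field names (`source_ip`, `cryptoguard`, `role`) are assumptions for this example.

```python
"""Triage helper for the "Remotely-run ransomware detected" alert: map
the blocked source IP to a computer and decide which listed steps apply.
Added example, not Sophos code; all records below are constructed."""
import ipaddress

# Constructed alert: the source IP whose write access to the shares was blocked.
SAMPLE_ALERT = {
    "type": "Remotely-run ransomware detected",
    "source_ip": "10.20.30.41",
    "file_server": "fs-01",
}

# Constructed inventory of endpoints managed by Sophos Central
# (field names are assumptions for this example).
MANAGED_ENDPOINTS = [
    {"host": "ws-041", "ip": "10.20.30.41", "role": "workstation", "cryptoguard": False},
    {"host": "ws-042", "ip": "10.20.30.42", "role": "workstation", "cryptoguard": True},
    {"host": "srv-db1", "ip": "10.20.30.10", "role": "server", "cryptoguard": True},
]

# Constructed DHCP lease table, used to name machines that are not managed.
DHCP_LEASES = {"10.20.30.41": "ws-041", "10.20.30.99": "contractor-laptop"}


def locate(ip, managed=MANAGED_ENDPOINTS, leases=DHCP_LEASES):
    """Find the machine behind an IP.
    Returns (hostname or None, managed record or None)."""
    ipaddress.ip_address(ip)  # raise early on a malformed address
    for rec in managed:
        if rec["ip"] == ip:
            return rec["host"], rec
    return leases.get(ip), None


def triage(alert, managed=MANAGED_ENDPOINTS, leases=DHCP_LEASES):
    """Return (hostname, ordered actions) for the alert, following the
    steps in the alert description."""
    host, rec = locate(alert["source_ip"], managed, leases)
    actions = []
    if host is None:
        # Step 1 is still open: nothing in inventory or leases matches.
        actions.append(f"Find the computer at {alert['source_ip']} "
                       "(no inventory or DHCP lease match)")
        actions.append("Move it to an isolated network and run Sophos Clean")
    elif rec is None:
        # Known by name only; not managed, so no automatic cleanup.
        actions.append(f"{host} is not managed by Sophos Central: "
                       "move it to an isolated network and run Sophos Clean")
    else:
        if not rec["cryptoguard"]:
            actions.append(f"Enable CryptoGuard in the policy applied to {host}")
        if rec["role"] == "workstation" and rec["cryptoguard"]:
            # Automatic cleanup is expected only for managed workstations
            # with CryptoGuard on; confirm it rather than assume it.
            actions.append(f"Automatic cleanup expected on {host}; confirm a cleanup event")
        else:
            actions.append(f"Move {host} to an isolated network and run Sophos Clean")
    actions.append("Mark the alert as resolved in Sophos Central")
    return host, actions


if __name__ == "__main__":
    host, steps = triage(SAMPLE_ALERT)
    print(f"Source host: {host}")
    for n, step in enumerate(steps, 1):
        print(f"{n}. {step}")
```

For the constructed alert the IP resolves to the managed workstation `ws-041`, which has CryptoGuard off, so the helper tells the operator to enable CryptoGuard, to clean the machine manually because automatic cleanup is not expected, and then to resolve the alert. An address with no inventory or lease match keeps the "find the computer" step open instead of guessing.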