Skip to content

Resolve PUA alerts

This is what you can do to resolve PUA alerts.

We use alerts to tell you when you need to take action or if you need to investigate a Potentially Unwanted Application (PUA) detection. We also tell you if we've tried to clean up the PUA. We show this on the device's details page. See Devices.

We may also generate a threat graph. This gives more information on the detected PUA. See Threat Graphs.

Check whether the PUA is a false-positive

Malware detection can sometimes be incorrect. For example, Deep Learning (detection name: ML/PE-A) detection uses machine learning to identify malware not seen before. While it is highly effective, it can sometimes identify legitimate applications as malware.

If the detection is incorrect, you can allow the application or add an exclusion.

If the detection is correct, you should clean up the application.

If you're not sure that the application is malicious or a PUA, you should investigate the alert. You can then allow or clean up the application as appropriate.

Deal with a false positive

If you think the detection is incorrect, you can allow the application or add an exclusion.


Be careful when you allow applications or add an exclusion. Doing this can reduce your protection.

For example, if you exclude a directory and then malware also runs from that location, the malware isn't blocked.

To deal with a false positive, do as follows:

  • If you want to allow an application, do as follows.

    1. Go to Devices.
    2. Go to the Computers or Servers page, depending on where we detected the application.
    3. Find the device where the detection happened and view its details.
    4. On the Events tab, find the detection event and click Details.
    5. In the Event details dialog, look under Allow this application.
    6. Choose how you want to allow the application.
      • Certificate: We recommend this. It also allows other applications with the same certificate.
      • SHA-256: This allows this version of the application. However, if you update the application, we could detect it again.
      • Path: This allows the application if it is installed in this location. You can use variables if the application is installed in different locations on different computers.
    7. Click Allow. For more information on allowing applications see Allowed applications.
  • If you want to add an exclusion, we recommend that you use policy-based exclusions. You can target your exclusions and make them as specific as possible. To add an exclusion, do as follows:

    1. For endpoints, go to Endpoint Protection > Policies and set up an exclusion.

      See Threat Protection Policy.

    2. For servers, go to Server Protection > Policies and set up an exclusion.

      See Server Threat Protection Policy.

  • On endpoints, you can allow an application from the Alerts page. To do this, do as follows:

    1. Go to Alerts.
    2. Find the PUA alert.
    3. Click Authorize PUA.


      This authorizes the PUA to run on all computers. We recommend that you allow an application using its certificate or SHA-256.

You can now resolve the alert.

Clean up a PUA

If you think the detection is correct, you can clean up the application.

To do this, do as follows:

  • On endpoints, you can remove a PUA on the Alerts page. To do this, do as follows:

    1. Go to Alerts.
    2. Click Clean Up PUA This action might not be available if we detected the PUA in a network share. This is because the Endpoint Protection agent doesn't have sufficient rights to clean up files there.
  • If you can't clean up the PUA from the Alerts page, do as follows:

    1. Delete the application, any associated processes, and registry keys.

      You might find it helpful to investigate the alert as you can find out more information about any associated processes or other suspicious files.

Investigate an alert

The alert might not give you all the information you need about a detected PUA. You should review all the information you can for a detected PUA if you aren't sure whether it is malicious or unwanted.

To do this, do as follows:

  1. Check if there's a threat graph. In Sophos Central, go to Threat Analysis Center.
  2. Look for a threat graph associated with the detected PUA.

    If there is a threat graph, it shows the details for the detected PUA. It shows any activity it has performed and whether there are other suspicious files or processes to investigate.

  3. If there isn't a threat graph, create one.

  4. Optional: If appropriate, get in touch with the user to find out what happened around the time the infection took place. For example, did they click a link in an email or connect a memory stick?
  5. Investigate the threat graph and follow the steps we suggest for dealing with the issue.

    For help on investigating threats using threat graphs, see Threat Graph analysis.

  6. If you want to allow the application, follow the steps in “Deal with a false positive”.

  7. If you want to remove the application, follow the steps in “Clean up a PUA”.

You can now resolve the alert.

Resolve an alert

When you've allowed or removed the application, you can resolve the alert. To do this, do as follows:

  1. Go to Alerts.
  2. Go to the alert.
  3. Click Mark As Resolved.
Back to top