
Resolve PUA alerts

This is what you can do to resolve PUA alerts.

We use alerts to tell you when you need to take action or if you need to investigate a Potentially Unwanted Application (PUA) detection. We also tell you if we've tried to clean up the PUA. We show this on the device's details page. See Devices.

We may also generate a threat graph. This gives more information on the detected PUA. See Threat Graphs.

Check whether the PUA is a false positive

Detections can sometimes be incorrect. For example, Deep Learning detection (detection name: ML/PE-A) uses machine learning to identify malware that hasn't been seen before. It is highly effective, but it can sometimes identify legitimate applications as malware.

If the detection is incorrect, you can allow the application or add an exclusion.

If the detection is correct, you should clean up the application.

If you're not sure that the application is malicious or a PUA, you should investigate the alert. You can then authorize or clean up the application as appropriate.

Investigate an alert

The alert might not give you all the information you need about a detected PUA. Review all the information you can for a detected PUA if you aren't sure whether it's malicious or unwanted.

To do this, do as follows:

  1. Check if there's a threat graph. In Sophos Central, go to Threat Analysis Center > Threat Graph.
  2. Look for a threat graph associated with the detected PUA.

    If there is a threat graph, it shows the details for the detected PUA, any activity it has performed, and whether there are other suspicious files or processes to investigate.

    If there isn't a threat graph, create one.

      Restriction

      You can't create a threat graph on Macs.

  3. Optional: If appropriate, get in touch with the user to find out what happened around the time the infection took place. For example, did they click a link in an email or connect a USB drive?

  4. Investigate the threat graph and follow the steps we suggest for dealing with the issue.

    For help on investigating threats using threat graphs, see Threat Graph analysis.

  5. When you've completed your investigation, choose from the following:

    • If you think the detection is incorrect, allow the application or add an exclusion. See Deal with a false positive.
    • If you think the detection is correct, clean up the application. See Clean up a PUA.
  6. Resolve the alert. See Resolve an alert.

Deal with a false positive

If you think the detection is incorrect, you can allow the application or add an exclusion.

Warning

Be careful when you allow applications or add an exclusion. Doing this can reduce your protection.

For example, if you exclude a directory and then malware also runs from that location, the malware isn't blocked.

To deal with a false positive, either allow the application or add an exclusion. For details, see the following sections.

Allow an application

Restriction

You can use this feature on Windows and Linux devices, but not on Macs.

If you want to allow an application, do as follows:

  1. Go to Devices > Computers or Servers, depending on where we detected the application.
  2. Find the device where the detection happened and view its details.
  3. On the Events tab, find the detection event and click Details.
  4. In the Event details dialog, look under Allow this application.
  5. Choose how you want to allow the application.

    • Certificate (Windows only): Allows this application and any other application signed with the same certificate. We recommend this option, provided you trust the publisher that owns the certificate.
    • SHA-256 (Windows, Linux): Allows only this exact version of the application. If you update the application, its hash changes and we could detect it again.
    • Path (Windows): Allows the application if it's installed in this location. You can use variables if the application is installed in different locations on different computers.
    • Path (Linux): Allows the application as long as it's installed in the path (location) shown. You can edit the path and use variables if the application is installed in different locations on different computers. You must use forward slashes.

      Note

      You can also use the following options to exclude a file path from scanning on Linux:

  6. Click Allow.

For more information on allowing applications, see Allowed applications.
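The option you choose determines what the allow rule will match, so it's worth recording the identifiers before you click Allow. The following PowerShell script is an added example and is not Sophos product code or part of this documentation. It prints the SHA-256 hash and the Authenticode signer of a file, so you can see whether a certificate-based rule is appropriate or whether only a SHA-256 or path rule is safe. The script name and the sample path in the usage note are assumptions.

```powershell
# Added example, not Sophos product code. Shows what the SHA-256 and Certificate
# allow options would match for a given file. Run on the computer where the
# detection happened, passing the file path shown in the detection event.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    throw "File not found: $Path"
}

# SHA-256 option: the rule matches only this exact build. Any update that
# changes the binary changes the hash, and the new build may be detected again.
$sha256 = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

# Certificate option: the rule matches everything signed with the same
# certificate, so confirm the signature is valid and the signer is a publisher
# you actually trust before choosing it.
$sig = Get-AuthenticodeSignature -LiteralPath $Path

if ($sig.Status -ne 'Valid') {
    Write-Warning "Signature status is '$($sig.Status)'. Do not allow by certificate; use SHA-256 or path instead."
}

# Summary of what each allow option would key on.
[pscustomobject]@{
    Path            = $Path
    SHA256          = $sha256
    SignatureStatus = $sig.Status                      # Valid, NotSigned, HashMismatch, ...
    Signer          = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    Issuer          = $sig.SignerCertificate.Issuer
    Thumbprint      = $sig.SignerCertificate.Thumbprint
    ValidUntil      = $sig.SignerCertificate.NotAfter
}
```

Save it as, for example, Get-AllowIdentifiers.ps1 (assumed name) and run `.\Get-AllowIdentifiers.ps1 -Path 'C:\Program Files\ExampleVendor\exampletool.exe'` (assumed path). If the status is anything other than Valid, or the signer is a publisher you don't recognise, a certificate rule would allow far more than the one file you investigated; fall back to SHA-256 or a path rule in that case.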

Add an exclusion

If you want to add an exclusion, we recommend policy-based exclusions, because you can target them and make them as specific as possible.

To add an exclusion, do as follows:

  1. For endpoints, go to My Products > Endpoint > Policies and set up an exclusion.

    See Threat Protection Policy.

  2. For servers, go to My Products > Server > Policies and set up an exclusion.

    See Server Threat Protection Policy.

Authorize a PUA

For endpoints, you can authorize an application from the Alerts page.

To authorize an application, do as follows:

  1. Go to Alerts.
  2. Find the PUA alert.
  3. Click Authorize PUA.

    Warning

    • This authorizes the PUA to run on all computers.
    • For Windows and Linux, we recommend that you allow an application based on its certificate or SHA-256.

Clean up a PUA

If you think the detection is correct, you can clean up the application. Investigating the PUA first helps you find any associated processes or other suspicious files that also need removing.

To clean up a PUA, do as follows:

  1. Go to the computer.
  2. Stop any associated processes, then delete the application's files and any registry keys it created.
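The following PowerShell script is an added example and is not Sophos product code or part of this documentation. It carries out the manual clean-up above on a Windows computer in the order a practitioner would use: stop the processes, remove the autostart registry values that point at the executable, then delete the files. The executable path is an assumed sample value; take the real path and process name from the detection event and the threat graph.

```powershell
# Added example, not Sophos product code. Manual clean-up of a PUA on a Windows
# computer: stop its processes, remove its autostart registry values, delete its
# files. Run from an elevated prompt so the HKLM key can be modified.
$Exe    = 'C:\Users\Public\ExampleTool\exampletool.exe'   # assumed sample path
$DryRun = $true   # set to $false once the -WhatIf output matches what you expect

$procName = [System.IO.Path]::GetFileNameWithoutExtension($Exe)
$appDir   = Split-Path -Path $Exe -Parent

# 1. Stop the associated processes. Match on the executable path as well as the
#    name so an unrelated process that happens to share the name is left alone.
Get-Process -Name $procName -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -ieq $Exe } |
    Stop-Process -Force -WhatIf:$DryRun

# 2. Remove autostart values that reference the executable. Check both the
#    per-user and machine-wide Run keys and delete only values whose data points
#    at this file, so entries belonging to other software are untouched.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    foreach ($v in $values.PSObject.Properties) {
        if ($v.Name -like 'PS*') { continue }   # provider metadata, not registry values
        if ($v.Value -is [string] -and $v.Value -like "*$Exe*") {
            Remove-ItemProperty -Path $key -Name $v.Name -WhatIf:$DryRun
        }
    }
}

# 3. Delete the application directory. Confirm it contains only the PUA before
#    turning off dry-run; -Recurse removes everything beneath it.
if (Test-Path -LiteralPath $appDir) {
    Remove-Item -LiteralPath $appDir -Recurse -Force -WhatIf:$DryRun
}
```

Run it first with $DryRun left at $true: the -WhatIf output lists every process, registry value and directory that would be affected, and you can compare that list with what the threat graph showed. Only when they agree should you set $DryRun to $false and run it again. If the threat graph showed other persistence mechanisms or dropped files, remove those as well before resolving the alert.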

Resolve an alert

When you've authorized or removed the application, you can resolve the alert.

To resolve an alert, do as follows:

  1. Go to Alerts.
  2. Go to the alert.
  3. Click Mark As Resolved.