Deal with alerts about detected items

If you use role-based administration, you must have the Remediation - cleanup right to clean up detected items or clear alerts from the console. For more information, see Managing roles and sub-estates.

To take action against alerts displayed in the console:

  1. In the Endpoints view, select the computer(s) for which you want to see alerts. Right-click and select Resolve Alerts and Errors.
    The Resolve alerts and errors dialog box is displayed.
  2. The action you can take against an alert depends on the cleanup status of the alert. Look in the Cleanup status column and decide what action you want to take.
Tip You can sort alerts by clicking on a column heading. For example, to sort alerts by cleanup status, click the Cleanup status column heading.

Cleanup status

Description and actions to take


You can remove the item. To do this, select the alert or alerts and click Cleanup.

Threat type not cleanable

This type of detected item, for example, suspicious file, suspicious behavior or malicious network traffic, cannot be cleaned up from the console. You have to decide whether you want to allow or block the item. If you do not trust the item, you can send it to Sophos for analysis. For more information, see Find information about detected items.

Not cleanable

This item cannot be cleaned up from the console. For more information about the item and actions you can take against it, see Find information about detected items.

Full scan required

This item may be cleanable, but a full scan of the endpoint is required before the cleanup can be carried out. For instructions, see Scan computers now.

Restart required

The item has been partially removed, but the endpoint needs to be restarted to complete the cleanup.

Note Endpoints must be restarted locally, not from Sophos Enterprise Console.

Cleanup failed

The item could not be removed. Manual cleanup may be required. For more information, see Clean up computers now.

Cleanup in progress (started <time>)

Cleanup is in progress.

Cleanup timed out (started <time>)

Cleanup has timed out. The item may not have been cleaned up. This may happen, for example, when the endpoint is disconnected from the network or the network is busy. You may try to clean up the item again later.

If you decided to allow an item, see Authorize adware and PUAs or Authorize suspicious items.