How to remove malware threats with Sophos Anti-Virus

  • Article ID: 112129
  • Rating:
  • 427 customers rated this article 2.2 out of 6
  • Updated: 31 Oct 2014

Sophos Anti-Virus allows you to quickly and easily clean up the majority of malware detected.  However depending on the specific threat detected the cleanup process can involve more steps.

This article provides instructions on how to cleanup the majority of malware using either the central Enterprise Console or the local anti-virus program.

Applies to the following Sophos product(s) and version(s)

Sophos Anti-Virus for Windows 2000+
Sophos Anti-Virus for Unix
Sophos Anti-Virus for OpenVMS
Sophos Anti-Virus for Mac OS X
Sophos Anti-Virus for Linux
Enterprise Console

Cleaning malware via the Enterprise Console


  • Malware alerts appear against computers in the console if the Anti-Virus and HIPS policy is set to not automatically clean up detected items (by default automatic cleanup is enabled).  Otherwise you will need to check the Computer Details of a computer (double-click a computer name to open), or run a report to see what endpoint computers have detected and cleaned up.
  • The success of cleaning up malware can depend on whether a full scan has been run on the affected endpoint computer or not - some detections require this.  If a full scan has not successfully completed you can continue with the steps below but if cleanup fails this may be the cause.

To clean a detection in the console:

  1. Right-click on a single computer, or a computer group, and select 'Resolve Alerts and Errors'.  Example:

  2. On the 'Alerts' tab set the 'Show' filter as desired to limit the type of detections (Viruses/Spyware, Suspicious behavior/file, Adware/Potentially Unwanted Application), or set to 'All alerts' to see everything.
  3. If there is more than one item listed, locate the computer that you want to cleanup.

    Important: Make a note of the 'Cleanup status' column.  This should say 'Cleanable' and if not the cleanup process will most likely fail.  If the status is not cleanable then ensure a full scan has been run on the computer and has completed.  For more help with items that cannot be cleaned up see the Further help cleaning up malware section at the bottom of this article.

  4. Check the box next to the computer name and select 'Cleanup'.  Alternatively you can click 'Select all' to check all alerts listed and clean up multiple alerts at one time.  Note: Selecting multiple items means you may be selecting an alert that is not cleanable as described in the point above.

    The 'Cleanup Status' column will change to 'Cleanup in progress..' while the process completes.  Example:

    At this point a message is sent (via the Sophos Remote Management System (RMS)) to the endpoint computer.  Once the local anti-virus has cleaned the item and reported that to the console, the item will disappear from the list.  If there is a communication delay or problem with RMS the item may take time to disappear or fail.

Cleaning malware locally on an endpoint computer

Follow the section below for the operating system installed on your computer.


To remove malware from the local computer:

  1. From the desktop open the main Sophos Anti-Virus program by double-clicking the Sophos shield.  Select 'Yes' if you are prompted by 'User Account Control' (UAC) to allow the action.
  2. Click on 'Manage quarantine items'.
  3. In the Quarantine Manager, click the 'Available actions' column header to sort the list of threats according to the action available.
  4. Depending on what is shown in the 'Available actions' column follow the steps below:

    Action available Steps required
    Clean up Select the items displaying this option and then click 'Perform action' | 'Clean up'
    Full scan required
    1. Click on 'Home' and then 'Scan my Computer' to initiate a scan
    2. Once the scan has complete, return to the Quarantine Manager and then clean up the detected items as per the results shown in the Actions column.

    For further details on running a full scan locally see article 61665.

    Partially removed.  Reboot required to complete the cleanup
    1. Select these items and then click 'Clear from List'
    2. Click on 'Home' and then 'Scan my Computer' to initiate a scan
    3. Once the scan has complete, return to the Quarantine Manager to deal with any remaining items.
    4. If this appears a second time for the same items, please contact your IT administrator.
    Manual clean up required  Confirm the location of item detected and see if the drive/path is still accessible and if the file/item still exists.  Otherwise see the Further help cleaning up malware section at the bottom of this article.
    Insufficient rights, please contact your administrator

    The item has been detected in an area of the computer's hard drive that your account (that you use to log on to the computer with) does not have permission to access.  Generally this occurs because your account is not a local administrator of the computer.  You should log off the computer and log back on with a local administrator account (try another admin account if you believe you should have the correct permissions, or log on with just a local admin account if you are using a domain admin account).

    If you are not an IT administrator of the computer, contact your IT service desk to assist with cleanup.

    Delete, Move, Authorize If you are shown these results, please check the type of detection and continue as appropriate

  5. If you have cleaned up all of the items, but are finding that they are returning to your computer see the Further help cleaning up malware section at the bottom of this article..

Note: If manual cleanup is required, you must locate and navigate to the file and then delete it.

Mac OS X


  1. Use savscan with the -remove option.  As an example, from Terminal run:

    savscan -remove

  2. Run a scan to check that malware infected files were deleted.


  1. Use SWEEP with the -remove option.  As an example, from Terminal run:

    sweep -remove

  2. Run a scan to check that malware infected files were deleted.



Further help cleaning up malware

Most malware can be cleaned up in a few clicks; however as there are many different types of malware, that infect or attempt to infect a computer by different methods, you may need to take extra steps to complete the process.

Understanding your particular scenario can help reveal the problem with cleanup.  Common problems are shown in the table below along with suggested further actions.

Problem Causes What to do
Cleanup from the Enterprise Console fails The Remote Management System (RMS), that is used to pass the message to the endpoint computer to cleanup, isn't working correctly. Successful cleanup via the Enterprise Console relies on RMS to be fully working.  The management server needs to be able to first send the message to the endpoint, and then receive the success message.  Check the envelopes folder on the management server does not have a backlog of messages, otherwise troubleshoot RMS connections.


  • From the console the item is 'Not Cleanable'


  • Manual clean up is required on the endpoint.

Sophos Anti-Virus requires a full scan is required but was not run.

Run a full scan.  See article 61665 for running a full scan locally.  Or from the Enterprise Console see article 25358.

Note: For Mac computers commonly the item that fails to be cleaned up is in a Time Machine backup - see article 118117 for more details.

Sophos Anti-Virus cannot determine (or access) all parts of the threat, or it doesn't fully understand the infection to attempt clean up.
  1. Search for the detection name and see if SophosLabs have provided custom cleanup steps for the threat - if so follow those instructions.  If not you may be referred back to this article.
  2. Take the path and file detected.  See if the path is accessible and that the item still exists.  Commonly the item no longer exists or cannot be accessed.
  3. SophosLabs may needs to further analyse the detection and release an update to help with the cleanup.  Locate the file and send a sample of it to our lab stating cleanup fails.  If you are unable to locate the sample follow the SMART process.
After cleaning up the threat it comes back. The malware is being transferred to the computer when it connects to the local network or internet.  Or an undetected item of malware reloads the detected item on reboot. Initially you should isolate the computer by disabling wifi and/or removing the network cable and test again.  Otherwise follow the SMART process.

If your problem isn't listed in the table above let us know in the article feedback box.  Provide as much detail as you can and we'll endeavor to update this article.  Note: We cannot reply to individual support requests from the article feedback form.  If you need further support contact us.

If you need more information or guidance, then please contact technical support.

Rate this article

Very poor Excellent