'Malware' is the general term we use to describe any and all computer threats including Trojans, Worms, and computer Viruses. Sophos Anti-Virus allows you to quickly and easily clean up the majority of malware detected. However, depending on the specific threat detected, the cleanup process may involve a number steps.
This article provides instructions on how to clean up the majority of malware using either the central Enterprise Console or the local anti-virus program.
Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+
Sophos Anti-Virus for Unix
Sophos Anti-Virus for OpenVMS
Sophos Anti-Virus for Mac OS X
Sophos Anti-Virus for Linux
Cleaning malware via the Enterprise Console
- The default configuration of an Anti-Virus & HIPS policy is to automatically clean up all malware detections, and following successful cleanup you will not see an alert against the endpoint in the console - this is by design. Therefore you are only alerted when an action on your part is required. If you want to see detections of malware that have been successfully cleaned up, either check the 'Computer Details' of a computer (double-click a computer name to open), or run a report to see what endpoint computers have detected and cleaned up malware.
- The success of cleaning up malware can depend on whether a full scan has been run on the affected endpoint computer. Some detections require this. If you have not already run and completed a full scan you can continue with the steps below, but if cleanup fails this may be the cause.
To clean a detection in the console:
- Right-click on a single computer, or a computer group, and select 'Resolve Alerts and Errors'. Example:
- On the 'Alerts' tab you can set the 'Show' filter to limit the type of malware you want to detect (Viruses/Spyware, Suspicious behavior/file, Adware/Potentially Unwanted Application) or you can set it to 'All alerts' to see everything.
- Make a note of the 'Cleanup status' column. This should say 'Cleanable' and if it does not the cleanup process will most likely fail. If the status is not 'Cleanable' and you have not already run a full scan run one now. If you have run a full scan and the item is still showing as not cleanable see the Further help cleaning up malware section at the bottom of this article.
- Check the box next to the computer name and select 'Cleanup'. Alternatively you can click 'Select all' to check all alerts listed and clean up multiple alerts at one time. Note: Selecting multiple items means you may be selecting an alert that is not cleanable as described in the point above. If one or more items is not cleanable the console will prompt to cleanup only those that are cleanable.
The 'Cleanup Status' column will change to 'Cleanup in progress..' while the process completes. Example:
At this point a message is sent (via the Sophos Remote Management System (RMS)) to the endpoint computer. Once the local anti-virus has cleaned the item and reported back to the console, the item will disappear from the list. If there is a communication delay or problem with RMS the item may take time to disappear.
Any item successfully cleaned up will disappear from the list. If the endpoint needs to be rebooted for complete cleanup you will see 'Restart required' and hence should reboot the endpoint to finish cleanup and clear this alert. For other cleanup statuses see the Further help cleaning up malware section below.
Cleaning malware locally on an endpoint computer
Follow the section that applies to the operating system installed on your computer.
To remove malware from the local computer:
- From the desktop open the main Sophos Anti-Virus program by double-clicking the Sophos shield. If you are prompted by 'User Account Control' (UAC) to allow the action, select 'Yes'.
- Click on 'Manage quarantine items'.
- In the Quarantine Manager, click the 'Available actions' column header to sort the list of threats according to the action available.
- Depending on what is shown in the 'Available actions' column, follow the steps below:
|Available action ||Steps required |
|Clean up || |
Select the items displaying this option and then click 'Perform action' | 'Clean up'. If further action is required (e.g., reboot) the Available action will change and it is described elsewhere in this table.
|Move || |
Click the 'move' option and select either 'Yes' or 'Yes To All' (for multiple items). The detected item(s) is moved from its current folder path to C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\. Moving does not delete or cleanup the item.
This option is useful when trying to obtain a sample of the file to submit to SophosLabs but it is blocked by the on-access scanner.
|Delete || |
The item detected will be categorized as a virus or spyware - not adware or a PUA. Therefore you have the option to 'delete' the item. Note: If the option to delete appears alongside the option to clean up, we recommended you use the clean up option first. If clean up is unsuccessful use the delete option.
Click the 'Delete' option and Sophos Anti-Virus will remove the entire item from your computer. It will not attempt to remove malicious parts of the file and save the good parts (i.e., a disinfection process).
This option is generally OK for completely malicious files like Trojans (detected as 'Troj/...'). However if the file being detected is a legitimate file (like an important office document you created yourself) you should consider selecting 'Clean up' rather than 'Delete' as this may save enough information in the file so it is not completely lost - however this cannot be guaranteed. If you do have a backup of the file then you can delete the entire file now and restore a clean copy of the file from your backup once your computer is clean.
|Full scan required || |
- Click on 'Home' and then 'Scan my Computer' to initiate a scan.
- Once the scan has completed, return to the Quarantine Manager and then clean up the detected items as per the results shown in the Actions column.
For further details on running a full scan locally see article 61665.
|Partially removed. Reboot required to complete the cleanup || |
- Reboot the computer.
- Go back to the Quarantine Manager, which will refresh, and see what is listed.
- If items are listed, you should again check the now-refreshed 'Available Actions' listed against this table.
Normally if cleanup is successful, items should clear from the Quarantine Manager completely. If cleanup fails it should mark the item 'manual cleanup required' (see below).
|No actions (manual cleanup required) |
No actions (cleanup incomplete, manual removal required)
Manual cleanup is commonly required for one of two reasons:
- The file/item was detected in a location that is no longer accessible (like a USB pen drive that has been unplugged).
- Or there a file/item Sophos Anti-Virus cannot delete and you must delete it.
The item detected may actually be a program that can be uninstalled so check this first.
- Note the name of the item as shown in the Quarantine Manager. Example:
- Open Add/Remove Programs from Control Panel.
- Scroll down the alphabetical list of installed programs and see if the name is mentioned. Example:
- Uninstall the program using its removal program. There maybe more than one item listed.
- Once the uninstaller has completed, move back to the Quarantine Manager where the item will still be shown.
- Click the 'more' option in the 'Details' column to display a list of detected components.
- Right-click the first item listed (there may be one or more items) and select 'Open location'. Windows Explorer will take you to the folder containing the item.
Delete the item from the folder by clicking on it once with the left mouse button and then pressing shift + delete on the keyboard - this by-passes the Recycle Bin. Click 'Yes' to confirm the deletion.
Note: You can delete multiple items in the same folder at the same time by dragging the mouse cursor over them and pressing Shift + Delete. You don't have to delete item like this - it's just recommended, but if you delete items in the normal way ensure you empty the Recycle Bin afterwards.
If the item no longer exists you will see an error message saying
Error displaying this folder's content - this means the location no longer exists and you can try to open the location of the second item and check if that exists.
Note: If the component detected ends with
FILE:0000 or similar then the component was detected as it was attempting to run and will not exist on disk - you can therefore ignore all detected components that end like this.
- Repeat step seven for any additional items.
Once you have manually deleted the files from your computer, clear the item from the Quarantine Manager.
We recommend that you now run a full scan to confirm your computer is free of malware.
For more information on removing problematic malware see the Further help cleaning up malware section at the bottom of this article.
|Insufficient rights, please contact your administrator || |
The item has been detected in an area of the computer's hard drive that your account (that you use to log on to the computer with) does not have permission to access. Generally this occurs because your account is not a local administrator of the computer - the account used to perform actions changes depending on the action. You should log off the computer and log back on with a local administrator account (try another admin account if you believe you should have the correct permissions, or log on with just a local admin account if you are using a domain admin account).
If you are not an IT administrator of the computer, contact your IT service desk to assist with cleanup.
It's also important to check your user account's rights for the Quarantine manager. From the Sophos Endpoint Security and Control Home screen, select Anti-virus and HIPS | Configure anti-virus and HIPS | Configure | User rights for Quarantine manager. If you are logged on as a Windows administrator, ensure your are configured as a 'Sophos Administrator' too.
|Authorize || |
If you are given the option to 'Authorize' an item then Sophos Anti-Virus has detected that it is either Adware or a Potentially Unwanted Application (PUA). These items are not necessarily malicious.
- Adware may, for example, pop up advertisements or try to open browser windows to sites you didn't choose to visit - all in the hope that you will buy something that is shown. It is generally an annoying experience and the software doesn't intentionally 'infect' your computer nor aim to do it damage. However bad design or missed programming bugs means it can cause the computer problems. Adware may attempt to monitor your browsing habits to 'better' target ads at you.
- PUAs are programs that you may not need or want on a corporate (business) computer - they may be perfectly fine for home or private users, or even experienced IT admins at work in need of advance troubleshooting tools. PUAs are detected and blocked etc. via Sophos' Application Control feature.
The option to 'Authorize' may be shown on its own or you may get the choice to either 'Authorize' or 'Clean up'.
See the instructions for 'No actions (manual cleanup required)' above for guidance.
- If you have the option to clean up the detection, select that option. Follow the on-screen instructions, and then re-scan the computer to confirm nothing is re-detected.
- If you only have the option to 'Authorize' you must remove the detected item manually as it is an installed program. Manual removal requires you to first check if the program has an uninstaller and run that and then delete the items detected if they remain on the computer.
|Reveal || |
This can be reported when the rootkit disk scan finds 'hidden' files.
- Click the 'reveal' action.
- Reboot the computer.
- Perform a full computer scan ('Scan my computer') - this should then detect the previously 'hidden' threat.
- Attempt cleanup of the threat as described elsewhere in the table.
- If you have cleaned up all of the items, but find that they return to your computer, refer to the Further help cleaning up malware section at the bottom of this article.
Mac OS X
- Use savscan with the -remove option. As an example, from Terminal run:
- Run a scan to check that malware infected files were deleted.
- Use SWEEP with the -remove option. As an example, from Terminal run:
- Run a scan to check that malware infected files were deleted.
Further help cleaning up malware
Most malware can be cleaned up in a few clicks. However, as there are many different types of malware that infect, or attempt to infect, a computer by various methods, you may need to take extra steps to complete the process.
Understanding your particular scenario can help reveal the problem with cleanup. Common problems are shown in the table below, along with suggested further actions.
|Problem ||Causes ||What to do |
From the Enterprise Console the cleanup status shows 'Cleanup failed'
|SAV does not have full cleanup information. ||In order to best protect you SophosLabs can choose to release protection earlier without full cleanup instructions. This means you are less likely to be infected by a new piece of malware as it is blocked from running. However, if the malware does run, then the program may not have full cleanup instructions. In this case we recommend you use the 'Details' column to see the path of the file/item detected and then submit a sample of it to us, indicating that automatic cleanup is failing. SophosLabs can analyze the sample and release enhanced cleanup instructions quickly. Once this update reaches the endpoint cleanup will be successful. |
From the Enterprise Console the cleanup status is stuck on 'Cleanup in progress' for a long time or says 'Cleanup timed out'
|The Remote Management System (RMS) that is used to pass the message to the endpoint computer, instructing it to cleanup, isn't working correctly. ||Successful cleanup via the Enterprise Console requires RMS to be fully working. The management server needs to be able to first send the message to the endpoint, and then receive the success message. Check that the envelopes folder on the management server does not have a backlog of messages, if there is a backlog of messages troubleshoot RMS connections to your endpoint computers. If you are unable to resolve the communication issues move to the endpoint and continue to resolve the malware detected locally. |
|The item detected is running in memory. ||Reboot the endpoint computer and run another scan. |
|The item no longer exists on the computer or is not accessible (e.g., a pen drive has been removed from the computer). ||Clear (acknowledge) the item so it is cleared from the list. Then run another scan of the computer. |
From the Enterprise Console the cleanup status shows 'Not cleanable'
Sophos Anti-Virus requires a full scan but it has not been run.
Run a full scan. See article 61665 for how to run a full scan locally, or article 25358 for how to run it from Enterprise Console
Note: For Mac computers, most commonly the item that fails to be cleaned up is in a Time Machine backup - see article 118117 for more details.
|The item detected was attempting to be extracted from a compressed file (e.g., .zip file) or was temporarily opened by an application (e.g., Outlook opening a PDF attachment) and therefore does not actually exist in the location detected because it was a temporary file. || Confirm the path mentions a .zip file, or ends FILE:0000. If so clear/acknowledge the alert. SAV does not clean up entire zip files because removing the entire zip may not be desirable. Since the path contains the name of the zip file you can locate and delete the entire file if it you do not require any of its content. |
|After cleaning up the threat, it comes back (the same item is re-detected). ||The malware is being transferred to the computer when it connects to the local network or internet. Or an undetected item of malware reloads the detected item on reboot. ||Initially you should isolate the computer by disabling Wi-Fi and/or removing the network cable, re-scan the computer, cleanup etc., then reboot while the computer is not connected to the network - this shows if the malware is coming from a network source or not. If the detection only occurs when connected to the network refer to the SMART process which uses the Sophos Source Of Infection (SOI) tool to reveal where network detections originate from. |
If your problem isn't listed in the table above let us know in the article feedback box. Provide as much detail as you can and we'll endeavor to update this article. Note: We cannot reply to individual support requests from the article feedback form. If you need further support contact us and for more advice on removing problematic malware files see article 14443.