How to resolve 'Potentially unwanted application detected' alerts in Sophos Cloud

  • Article ID: 119631
  • Updated: 25 Sep 2014

This article explains how to authorize or clean up 'Potentially Unwanted Applications' (PUAs) from Sophos Cloud.

Known to apply to the following Sophos product(s) and version(s)

Sophos Cloud Managed Endpoint
Sophos Cloud

What To Do

Within Sophos Cloud, identify the endpoint(s) showing the Potentially Unwanted Application alert(s). Outstanding alerts are shown in the Action Center.

Authorize application

  1. Within 'Policies' (found under 'Users & Devices'), identify the policy associated with the user reporting the alert.
  2. To confirm which policy is applied, enter the name of the user in the search on the right-hand side.
  3. Once confirmed, select the policy required and choose 'Edit'.
  4. Navigate through the wizard to the 'Malware scan performed' section for 'Define how malware, risky files and sites are scanned in the Additional Policy'.
  5. Select 'Scanning Exemptions'
  6. Within 'Exemption for:' choose 'Potentially Unwanted Application' from the list.
  7. Within 'Value' enter the name of the application and select 'Create'.
    Notes:
    • This is the name Sophos Labs attributes to the application. You can consult the Sophos Labs page on PUAs to check the name or to proactively authorize PUAs you may want.
    • The name is case-insensitive.
  8. Continue through the wizard and select 'Save'.

To remove a PUA

From Sophos Cloud

  1. Highlight the PUA (Potentially Unwanted Application) items in the Action Center.
  2. Click on the 'Cleanup PUA' button at the bottom of the 'Action Center'. 

Note: The items selected will immediately be removed from the Action Center. If there is a problem with cleanup or further actions are required, a new entry will appear in the Action Center. To confirm cleanup has been successful, check the 'Events' report under 'Reports'.

From the Computer

Note: Cleanup can only be run as an administrative user.

  1. Check the threat analysis for any special details on removal.
  2. On the affected endpoint close down all programs.
  3. Open Sophos Endpoint Security and Control:
    • Go to Start | All Programs | Sophos | Sophos Endpoint Security and Control | Sophos Endpoint Security and Control
  4. Click 'Scan my computer' to start a full system scan.
  5. At the end of the scan, click the link in 'Items passed to Quarantine' to open Quarantine manager.
  6. Select any items needing removal.
    • From the 'Perform action' dropdown, select 'Cleanup'.
    • Select 'Yes' or 'Yes to all' to run cleanup.
  7. Any remaining items should be deleted.
    • From the 'Perform action' dropdown, select 'Delete'.
    • Select 'Yes' or 'Yes to all' to delete files.
  8. Run another scan to ensure that the program(s) have been removed.
  9. If instructed during removal to reboot the computer, do so now.

If any problems are encountered during cleanup, click '[details]' and check for any error messages.

 
If you need more information or guidance, then please contact technical support.
