Enterprise Console/Manager: removing viruses over a network

  • Article ID: 12425
  • Updated: 29 Jul 2014

In Enterprise Console, virus disinfection and removal actions are implemented by group or by individual computer. The presence of a virus, Trojan, worm, spyware, or other threat will be indicated by a report in the Alerts column of Enterprise Console.

Applies to the following Sophos product(s) and version(s)

Enterprise Console

What To Do

1. Assessing the problem

Before removing viruses and other threats, you should determine whether they can:

  • make changes to the setup of your computers, or documents on them
  • spread internally via shares on your network
  • take administrator rights, or otherwise damage your network.

From Enterprise Console find out what items are present on a computer as follows:

  1. Right-click the computer name.
  2. Select 'View computer details'.
  3. Scroll down to 'Items detected' (or 'Viruses detected').
    • The 'Type' (or 'Virus name') column lists the names of the items found.
    • The 'Details' (or 'Infected file') column lists where the items are on the computer.
  4. Click the name of the item to read its description on the Sophos website.

The description gives information on how the virus, or other program, spreads and what it does.

2. Minor outbreak

You can deal with a minor outbreak from the console using a full system scan with Enterprise Console and Sophos Anti-Virus for Windows 2000+.

If a few computers are affected, do as follows:

  1. Open the console.
  2. Select the affected computers or groups (hold down the 'Ctrl' key while selecting).
  3. Right-click your selected items.
  4. Click 'Full system scan'.
  5. Click 'OK' to start the scan. The scan may take some time to complete.
  6. When the scan has finished, right-click your selected items again.
  7. Click 'Clean up detected items'.
  8. Select the viruses, etc., that you want to clean up.
  9. Click 'OK' to start cleanup.
  10. After a short interval, check the affected computers again in the console (right-click and select 'View computer details').
    • If the number of affected computers is steadily increasing, go to section 3 'Preventing further infection', and treat the incident as a major outbreak.
    • Otherwise, deal with other remnants of the outbreak.
  11. If not all items have been cleaned up the first time (e.g. not all components were found), you may need to run a second full system scan of affected computers, and repeat cleanup.
  12. Occasionally you might have to deal with remaining items at the local computer.
  13. To remove any outstanding alerts (e.g. viruses reported in shares on other computers), right-click the computer in the console, select 'Acknowledge alerts and errors', select any unwanted outstanding alerts, and click 'OK' to clear them.

This should clear a minor outbreak.

Note: Automatic virus disinfection will disinfect documents with macro viruses along with the program viruses. Some macro viruses alter the information in documents. Check to see if this might happen in the virus analysis, and replace any affected documents from backups after disinfection.

To deal with a major outbreak, use the instructions in the following sections.

3. Preventing further infection

  • Network shares
    If a virus that spreads across network shares is reported in anything other than an email or internet cache folder, enable on-write scanning until you are sure that the virus is not spreading internally.

Where possible, now repeat the full system scan on affected computers (see section 2).

Reverse these changes to your anti-virus policy after the outbreak. The additional checking that these options involve can slow your network, and is not necessary in normal circumstances.

Note: Automatic virus disinfection will disinfect documents with macro viruses along with the program viruses. Some macro viruses alter the information in documents. Check to see if this might happen in the virus analysis, and replace any affected documents from backups after disinfection.

4. Problems to deal with locally

Some worms and viruses change computer operating systems so that if the virus is removed without these changes being reversed, the computer can no longer be used. Sophos Anti-Virus for Windows 2000+ can disinfect most of these threats successfully via Enterprise Console/Manager.

  • Check if the recovery instructions in the virus analysis say that the virus can be disinfected using Sophos Anti-Virus for Windows 2000+ version 6 and above.
  • Check the date in the virus analysis field 'Protection available since'. Is it earlier than June 2006?

If either of the above is true, you can disinfect computers running Sophos Anti-Virus for Windows from Enterprise Console. Otherwise, disinfect them locally.

5. Removing viruses with older versions of Enterprise Console or Sophos Anti-Virus


  • You should rarely need to use these instructions with the current versions of Sophos Anti-Virus for Windows. In most cases, careful use of a full system scan with cleanup from Enterprise Console should be adequate.
  • You may need to take further measures if you are still running an earlier version of Sophos Anti-Virus, or on other operating systems. Check the threat analysis for details.

Where possible, viruses should be disinfected, although in the longer term it is safer to replace the repaired files from backups. Trojan and worm files, and virus-infected files that cannot be repaired, should be removed.

  • Some viruses can infect a file multiple times. Ensure that you do not set the console to delete files that could have been disinfected.

You will need to temporarily move your infected computers into a special 'Disinfect' group. Do either of the following:

  • Create this group in the root of the console tree.
  • Create this group as a sub-folder of an existing group.

Which you choose to do will depend on the size of your network.

Then you should set up a specialized disinfection Anti-virus policy (or policies) for your new 'Disinfect' group.

To create the specialized policy, edit a copy of your current Anti-virus policy, and set a scheduled scan of your infected computers:

A. Establishing the policy and scan settings

  1. Creating the policy
    Open Enterprise Console.
    To create the new policy, do as follows.
    • In the Policies pane, right-click your current Anti-virus policy.
    • Select 'Duplicate policy'.
    • Call the policy 'Disinfect'.
    • Right-click your new Disinfect policy.
    • Select 'View/Edit policy'.
    • Click 'On-access'.
    • Check that in the 'On-access behaviour' box, all three options (On read, On write, On rename) are selected.
    • Click the Cleanup tab.
    • Select 'Automatically clean up items that contain a virus'.
    • Check that the 'Do nothing' radio button is selected. (You will delete or move files with a scheduled scan.)
    • Click 'OK'.
  2. Setting a scan
    Then establish the scheduled scan (or scans).
    • In the 'Anti-virus policy Disinfect' dialog, in the 'Scheduled scanning' area of the dialog box, click 'Add'.
    • Give the scan a name, e.g. 'Disinfect', and select a time in the near future.
    • Click 'Configure' to change the scanning and disinfection settings.
    • Click the Cleanup tab.
    • Select your disinfection options.
      • To disinfect files, use 'Automatically clean up items that contain a virus'
      • To remove files, select 'Delete'.
    • Click 'OK' three times to confirm your scheduled scan, and your Anti-virus policy.


  • For some outbreaks, you might need to run several scheduled scans. Early ones will disinfect files, and later ones will remove any remaining infected files. You can prepare different named scans (e.g. 'Disinfect', 'Delete') for this.
  • If you used the 'Delete' option, files will be automatically deleted. You are not given a chance to confirm.
  • All computers running the policy will be included in the scheduled scan.
  • If you have a number of files that are infected multiple times, you may need to run several disinfection scans before running a scan to delete the remaining files.
  • Files that are locked by the operating system of an infected computer cannot be removed remotely.
  • Computers may need to be rebooted for disinfection to complete.
  • Removal will only be visible in Enterprise Console. The workstation user will see nothing.

Plan your scan accordingly.

B. Running the scan

Now run your scan.

  1. Apply the policy to your new group(s).
  2. Move your infected computers into the new group. The scheduled scan will start at the appointed time.
  3. When the scan has finished, check the computers for any remaining infected files, and for any files that should be replaced from backup.
    • Right-click the computer and select 'View computer details'.
    • Scroll down the log.
    • Any remaining virus reports are listed in bold type.
      • If the virus is on the computer involved, deal with it locally.
      • If the virus is reported from another computer, deal with it on that computer.
  4. When all viruses have been removed, reapply your old Anti-virus policy to your users and groups.

C. After disinfection

After you have removed the viruses, clear the remaining alerts.

  1. Right-click the computer and select 'Clear alerts'.
  2. In the 'Virus alerts' tab, clear all incidents you have dealt with.
  3. Unsuccessful removal attempts (e.g. on remote computers) will be listed in the 'Sophos Anti-Virus errors' tab. Clear them where appropriate.

You should now have no remaining virus or error alerts in the console.

Move your computers back to their original groups.

If you need more information or guidance, then please contact technical support.
