How to resolve 'Malware not cleaned up' alerts in Sophos Central Admin

  • Article ID: 119264
  • Updated: 14 Apr 2016

This article explains what to do if 'Malware not cleaned up' alerts appear in Sophos Central Admin or you receive emails about them.

By default, the policy applied to the endpoint includes "Automatically clean up items that contain virus/spyware". If any detections were not cleaned up successfully, further action is required on the endpoint(s).

Applies to the following Sophos product(s)
Sophos Cloud Managed Endpoint
Sophos Cloud

What To Do

Identify affected endpoint(s)

  1. Within Sophos Central Admin identify the endpoint(s) affected with 'Malware not cleaned up' alert(s).
  2. Alternatively, navigate to the 'Logs & Reports' section and select 'Events' for more information.
  3. Either remotely connect or visit the endpoint(s) affected and follow the steps below to assist with cleanup of the infection on the endpoint(s):

To remove malware on the affected computer:

  1. Go to Start | Programs | Sophos | Sophos Endpoint Security and Control and run the 'Sophos Endpoint Security and Control' program.
  2. Click on 'Manage quarantine items'.
  3. In the Quarantine Manager, click the 'Available actions' column header to sort the list of threats according to the action available.
  4. For the following results in the Actions column:
    1. Clean up
      • Select the items displaying this option and then click 'Perform action | Clean up'
    2. Full scan required
      • Click on 'Home' and then 'Scan my Computer' to initiate a scan
      • Once the scan has completed, return to the Quarantine Manager and then clean up the detected items as per the results shown in the Actions column.
    3. Partially removed. Reboot required to complete the cleanup
      • Select these items and then click 'Clear from List'
      • Click on 'Home' and then 'Scan my Computer' to initiate a scan
      • Once the scan has completed, return to the Quarantine Manager to deal with any remaining items.
      • If this appears a second time for the same items, please contact your IT administrator.
    4. Insufficient rights, please contact your administrator
    5. Delete, Move, Authorize
  5. If you have cleaned up all of the items, but are finding that they are returning to your computer, please contact your IT administrator.

Further assistance with malware infections and reinfections

If you encounter further issues after following the steps above, Sophos recommend using the Sophos Malware Remediation Toolkit (SMaRT).
See the procedures described in the downloadable SMaRT User Guide PDF.

If you need more information or guidance, then please contact technical support.
