1. The purpose of the article
In this article, techbast will show you how to delete Alerts in the Quarantine queue on Sophos Central.
Suppose you have a computer with Sophos Endpoint installed. There is a RAR file on this computer, and Sophos has scanned it, detected that it may be a virus, and changed the state of the computer from green to yellow.
However, when you visit Sophos Central to check, no Alerts are listed, and the status of the computer is yellow with a message under Security Health that there is Malware or PUA waiting for Quarantine.
Usually there are 2 ways to handle this problem:
First, if we identify the file as a virus, we delete it from the computer.
Second, if we determine that the file does not contain a virus, we select Mark As Resolved for this Alert in the Alert section on Sophos Central.
So if the status of the computer is still yellow and there is no notification in the Alert section for us to Mark As Resolved, how do we fix it?
In this article, techbast will show you how to delete the message hidden in the quarantine queue and return the status of the device to green.
To fix this error, we first need to turn off Tamper Protection for the computer that is having the error.
To turn it off, log in to the Sophos Central account with admin rights.
Then go to Device > left-click the device that is having problems > on the Summary tab, left-click Disable Tamper Protection.
Next, on the computer itself, we need to stop the Sophos Health Service.
To stop it, go to Services > find the Sophos Health Service > right-click it and select Stop.
Note: stopping the service requires admin rights.
Next, go to the path C:\ProgramData\Sophos\Health\Event Store\Database\events.db and delete or edit the events.db file.
Once done, restart the Sophos Health Service and re-enable Tamper Protection.
You will then see that the status of the computer turns green and there are no more error messages.
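The on-computer steps above can be run from an elevated PowerShell prompt. The script below is an added example, not part of the original article or a Sophos tool; it assumes Tamper Protection has already been disabled in Sophos Central, and the backup folder `C:\Temp\SophosHealthBackup` is a hypothetical location chosen here so that a copy of events.db is kept before deletion.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Assumes Tamper Protection is already
# disabled for this device in Sophos Central; otherwise the stop will fail.
$ErrorActionPreference = 'Stop'

$serviceDisplayName = 'Sophos Health Service'   # name shown in Services (from the article)
$eventsDb  = 'C:\ProgramData\Sophos\Health\Event Store\Database\events.db'  # path from the article
$backupDir = 'C:\Temp\SophosHealthBackup'       # assumption: hypothetical backup folder

$svc = Get-Service -DisplayName $serviceDisplayName

# Stop the service and wait until it has really stopped before touching the file.
try {
    if ($svc.Status -ne 'Stopped') {
        Stop-Service -InputObject $svc
        $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(30))
    }
} catch {
    throw "Could not stop '$serviceDisplayName'. Check that Tamper Protection is disabled and the shell is elevated. $_"
}

try {
    if (Test-Path -LiteralPath $eventsDb) {
        # Keep a timestamped copy and its hash so the detection history is not lost.
        New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
        $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
        $backup = Join-Path $backupDir "events-$stamp.db"
        Copy-Item -LiteralPath $eventsDb -Destination $backup
        $hash = (Get-FileHash -LiteralPath $backup -Algorithm SHA256).Hash
        Write-Host "Backed up events.db to $backup (SHA256 $hash)"

        Remove-Item -LiteralPath $eventsDb
        Write-Host "Deleted $eventsDb"
    } else {
        Write-Warning "events.db not found at $eventsDb; nothing deleted."
    }
} finally {
    # Always bring the service back, even if the backup or delete failed.
    Start-Service -InputObject $svc
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    $status = (Get-Service -DisplayName $serviceDisplayName).Status
    Write-Host "$serviceDisplayName is now $status"
}
```

After the script reports the service as running, re-enable Tamper Protection for the device in Sophos Central.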