Issue
Sophos Central web console reports a PC with medium severity alert "Malware or potentially unwanted applications in quarantine". The potentially unwanted application (PUA) in question has been since added to the global Sophos whitelist is no longer triggering any new alerts. However, this particular alert got stuck and can not be cleared using normal methods.
Resolution
- On Sophos Central Console disable Tamper Protection for the PC in question.
- On the PC stop "Sophos Health Service".
- Delete (or rename) file: C:\ProgramData\Sophos\Health\Event Store\Database\events.db
- Start "Sophos Health Service".
- On Sophos Central Console re-enable Tamper Protection.
March 2019
Sophos Central Console
Sophos Endpoint Protection
