Sophos Central alert stuck - Malware or potentially unwanted applications in quarantine


Sophos Central web console reports a PC with medium severity alert "Malware or potentially unwanted applications in quarantine". The potentially unwanted application (PUA) in question has been since added to the global Sophos whitelist is no longer triggering any new alerts. However, this particular alert got stuck and can not be cleared using normal methods.

Sophos Central Alert


  • On Sophos Central Console disable Tamper Protection for the PC in question.
  • On the PC stop "Sophos Health Service".
  • Delete (or rename) file: C:\ProgramData\Sophos\Health\Event Store\Database\events.db
  • Start "Sophos Health Service".
  • On Sophos Central Console re-enable Tamper Protection.

March 2019
Sophos Central Console
Sophos Endpoint Protection



Subscribe to receive occasional updates on new posts.
Your email will not be used for any other purpose and you can unsubscribe at any time.
Please wait