Policy exclusion vs global exclusion. Both ways, exe's deleted

Hi, maybe I'm setting something wrong, but I hope you can help me.

I made exclusions on threat protection in Policy Exclusions and Global Exclusions. I need to exclude folders that contain ERP files.

Sophos detects false positives in those ERP files. Therefore the files are deleted.

I tried setting Policy Exclusions first and then the Global Exclusions, but both of them don't work in my Sophos Central.

Anyway, the .exe files are being removed.

I am sharing the screenshots with the configuration in Sophos Central.

I'll be grateful if you help me.

Best Regards.

  • Hi Arturo,

    Thank you for raising this. What I can suggest to you here is to raise a Labs request through our sample submission portal if this file is a legitimate file that your organization uses to exclude this from being detected. Ensure to provide all necessary details like the file with the detection and its detection name. Share as well the description of this application and its file path.

    GlennSen 
    Community Support Engineer | Sophos Technical Support
  • Hello Arturo Carrillo,

    won't object to GlennSen's suggestion, on the contrary - submitting samples for (assumed) FPs both, if confirmed, assures that they are indeed FPs and eliminates the need for exclusions (potentially for other customers as well).

    As for exclusions (that are, as said, not the best choice of action): It's an ML detection and ML detections explained suggests to allow the application (if I understand correctly).
    Furthermore, might be my eyesight but as far as I can see the path in detection starts with X:\DominioM BI\ and this is not covered by the exclusions shown. This folder is excluded on C: only and the exclusion on X: starts with some other name. Or am I mistaken?

    Christian

  • Hi GlennSen

    My apologies for my late response.

    These files are legitimate. They are .exe files that work in our ERP. The ERP is named Dominiom BI.

    The executable files are developed by us.

    In recent days, as an option, I added the paths to allowed applications in global settings like this (C:\DominioM BI\*.exe). My common sense was to add an asterisk before .exe, aiming to recognize all the executables in that folder.

    However, Sophos detects ML/PE and PUAs in that path and begins to clean those "threats".

    I'll raise a Labs request for these files as soon as possible because I cannot install Sophos on this production server until this issue is solved.

    Best regards.

  • Hello Christian

    I understand it is not best practice to add entire drives or folders to exclusions. It's only an option that I chose, aiming to exclude all the .exe's as a threat.

    I added the paths in allowed applications from global settings like (C:\DominioM BI\*.exe) to recognize all the internal executable files. But the diagnostics detect ML/PE and PUAs and proceed to clean those threats.

    Due to internal processes in the ERP, we have files in C:\DominioM BI, X:\Prototipo TEC\ disk drive and C:\Program Files (x86)\DominioM\.

    They have different names, so we need to exclude those three folders.

    I forgot X:\Dominiom BI_1\, but this folder doesn't matter; I'll remove that folder and start the diagnostic again.