Is it possible to change this default behaviour?
On https://support.sophos.com/support/s/article/KB-000036287?language=en_US is:
Note: The computer will automatically be unblocked after 8 hours if the Sophos Central Administrator takes no action to prevent a potentially valid application from being blocked indefinitely. If the remote attack re-occurs, it will be blocked again.
Thank you for reaching out to the Sophos Community.
There has recently been an EAP announced that includes updates for InterceptX: "Intercept X updates in the Early Access Program".
The EAP announcement details the ability to change the options from "Isolate" to "Terminate Process." Let me know if this is the functionality you were looking for.
Hi Kushal, I see this functionality: "This setting only applies to servers you add to the New Server Protection Features EAP. Join the EAP now"
But I don't know the meaning of these items:
Terminate process - block process, but CryptoGuard unblocked process C:\Users...... after 8 hours without administrator's action
Isolate process - what happens after 8 hours without administrator's action?
I was able to get some clarification on this point. It looks like the options to change "Isolate vs Terminate" will only be relevant for Local Cryptoguard detections.
Remote Cryptoguard detections will continue following the same behavior in blocking the IP for a period of 8 hours. It looks like it’s not possible to change this.