What details are specific to a Detection ID?

We recently had a false positive from CryptoGuard and were unsure whether to exclude it via Detection ID or filename+filepath.

What details actually make up a Detection ID? We installed two versions of the software and although the exe files that caused the problem were different (different CRC, different version number), they both had the same Detection ID, so clearly the actual contents of the file don't go into the Detection ID. Is a Detection ID specific to a PC or is it the same on other PCs?

Is there any difference between excluding via Detection ID or filename+filepath?

Also, we opened a case with the full details including SDU submission. The initial response just told me how to exclude a false positive. Does Sophos actually look at the SDU information I submitted to prevent this false positive in the future or was I just wasting my time getting all the info?



Edited TAGs
[edited by: Qoosh at 10:51 PM (GMT -7) on 4 Jul 2022]
  • Hello there,

    Thank you for reaching out to us. To fully understand the FP that you're getting, I recommend that you submit a sample submission to your sample submission portal. Indicate in the description that this is a false positive detection and share the detection ID that you're getting for the said file.

    For your question about what makes up a detection ID: this is a collection of data that our lab team maintained. It'll trigger a certain detection ID when the file/dll.exe meets the criteria of the certain detection ID that has been detected by our endpoint product. It doesn't matter if it was the new version of the file or the later one.

    For your question about the difference between the two exclusions: putting an exclusion via detection ID will make an exclusion for the entire system, so if ever there's a different file triggering the same exclusion as the one you previously provided the exclusion for, it will no longer detect the said file, while putting a filename+filepath exclusion only performs the exclusion for the certain filename/file path that you specified in your exclusion policy.

    For your third query regarding the submission of SDU, we have a standard process that we follow before we require an SDU, so submitting an SDU for a detection issue may not help much for the Sophos Support team since this can only be handled by our lab's team. That is also the reason why we provide initial documentation on how to exclude false-positive documentation. If you are certain that this is a false positive and the application is trusted, then you can proceed with adding an exclusion to it, and if not, then we would suggest submitting a sample submission request to our lab's team in order for them to validate the file reputation.

    Let us know if you have more queries related to this one.

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer | Global Community and Digital Customer Support
    Connect, Engage, Earn Rewards - Join the Sophos Community
  • Thanks for the detailed reply.

    We had excluded by Detection ID but, having read your description of the difference between the two, we have changed it to a File exclusion as we only want it to apply to this one particular file rather than the type of detection generally.

  • You're always welcome :) If you have more queries related to our product, please feel free to reach out to us anytime.

    Glenn ArchieSeñas (GlennSen)