Global folder exclusions and PUA's

We are rolling out Sophos on our servers.

One server holds the software repository with company software installers and a lot of tooling for us sysadmins.

As one can guess, Sophos detects several PUA's, like Nirsoft apps, TightVNC, a.s.o.

We and Sophos seem to have a disagreement in what is a PUA.

Now I excluded the drive:\path where those tool apps reside in a custom Threat protection policy and still I cannot access the files and new POA alerts are generated.
I did a lot of searching, but cannot confirm that PUA's and folder exclusions are two different things, what is seems to be.
Also, excluding a single PUA every time is not an option. So if I can't solve this, Sophos cannot run on that server.

I want Sophos to leave that drive:\folder alone and not detect anything.
The share is used by sysadmins and everything put there has already been scanned by clients.

How can I solve this?

Regards,

Han

  • Hi ,

    Thank you for reaching out to the Community. Generally, you’ll need to allow each of the PUA detections if you wish to allow those applications to run in your environment. More details on resolving PUAs in this article. You can also see what PUAs have been allowed under "Global Settings > Allowed Applications". On this page, you can choose to "Add apps by path", you may also try creating exclusions using wildcards or variables and see if it helps.


    Gladys Reyes
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Thanks Gladys,

    Adding each PUA by name would be an ongoing story on a volume where we keep all our software downloads, sysadmin tooling a.s.o. I would have to hire someone for that.
    Meanwhile I figured out that "Add apps by path" method, and I can access the so-called PUA's now with a file explorer.

    Still one challenge to go, the backup software seems to let Sophos know that a file is accessed as \Device\HarddiskVolumeShadowCopy28\Misc\...
    Excluding that path is not going to help, the next backup wil be HarddiskVolumeShadowCopy32 or so.
    So the already added allow application by path L:\Misc does not work.

    So I am testing with paths like \Device\*\Misc\ which didn't work, and now testing with \Device\*\Misc (without backslash).
    Next will be \Device\HarddiskVolumeShadowCopy??\Misc\

    Must find a way to let this work, otherwise Sophos is not going to run on that server.
    Regards,

    Han

  • Finally, the backup ran without PUA alerts.
    Unfortunately I ended adding two exclusions at once, so I don't know which one did the trick:
    File or folder exclusion: \Device\HarddiskVolumeShadowCopy??\Misc\
    Allowed application: \Device\HarddiskVolumeShadowCopy??\Misc\

    Problem solved.