Exclude Behavior from Monitoring

Question

We have a print driver that does PDF conversion of your document then uploads to our printshop. Every time someone on a Windows computer uses this driver it is opening an investigation. When I look at the investigation I can see that the print spooler is calling cmd.exe which is then executing the command to generate and upload the pdf. So far I have not found a good way to setup an exclusion for this behavior. I don't want to exclude print spooler or all of cmd.exe, only when a specific command is run. Does anyone know if there is a way to do this? I am pretty new to XDR so I'm probably just missing something.

This thread was automatically locked due to age.

Qoosh · Answer

Hi rfrutiger , 
 Thanks for reaching out to the Sophos Community Forum. 
 It is not currently possible to exclude items or processes from generating Threat Graphs in Sophos Central. 
 Threat Graphs are intended to be a supplementary information source for when you have a legitimate threat or detection generated on your environment. 
 Based on the behavioural monitoring that Sophos utilizes, Threat Graphs will be created based on the nature of operations that are observed on your devices, though this does not always mean that an active threat is present. If you were to see a legitimate detection generated on a device, followed by a related threat graph, you could yield additional information from it. If you're using a known good application which your organization utilizes regularly, the related threat graph can be ignored. 
 In your specific situation, the threat graph creation is likely due to the actions your print driver performs, in launching CMD to execute a command.

Exclude Behavior from Monitoring

Top Replies