This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exclude Behavior from Monitoring

We have a print driver that does PDF conversion of your document then uploads to our printshop. Every time someone on a Windows computer uses this driver it is opening an investigation. When I look at the investigation I can see that the print spooler is calling cmd.exe which is then executing the command to generate and upload the pdf. So far I have not found a good way to setup an exclusion for this behavior. I don't want to exclude print spooler or all of cmd.exe, only when a specific command is run. Does anyone know if there is a way to do this? I am pretty new to XDR so I'm probably just missing something.



This thread was automatically locked due to age.
Parents
  • Hi rfrutiger,

    Thanks for reaching out to the Sophos Community Forum. 

    It is not currently possible to exclude items or processes from generating Threat Graphs in Sophos Central. 

    Threat Graphs are intended to be a supplementary information source for when you have a legitimate threat or detection generated on your environment. 

    Based on the behavioural monitoring that Sophos utilizes, Threat Graphs will be created based on the nature of operations that are observed on your devices, though this does not always mean that an active threat is present. If you were to see a legitimate detection generated on a device, followed by a related threat graph, you could yield additional information from it. If you're using a known good application which your organization utilizes regularly, the related threat graph can be ignored. 

    In your specific situation, the threat graph creation is likely due to the actions your print driver performs, in launching CMD to execute a command.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • Hi rfrutiger,

    Thanks for reaching out to the Sophos Community Forum. 

    It is not currently possible to exclude items or processes from generating Threat Graphs in Sophos Central. 

    Threat Graphs are intended to be a supplementary information source for when you have a legitimate threat or detection generated on your environment. 

    Based on the behavioural monitoring that Sophos utilizes, Threat Graphs will be created based on the nature of operations that are observed on your devices, though this does not always mean that an active threat is present. If you were to see a legitimate detection generated on a device, followed by a related threat graph, you could yield additional information from it. If you're using a known good application which your organization utilizes regularly, the related threat graph can be ignored. 

    In your specific situation, the threat graph creation is likely due to the actions your print driver performs, in launching CMD to execute a command.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
No Data