I've whitelisted PSEXEC and I've disabled all the modules for Sophos Endpoint but PSEXEC is still being removed as its recognised as a PUA. I've created a policy to whitelist this app on Central but nothing is applying.
Anyone know how to get around this?
Hi jt86,
Could you share a screenshot of the detection that was raised in Sophos Central, as well as the type of exclusion you've created to white-list this?
In some cases, rebooting your device after a detection has been raised may help. I'd suggest trying this, then disabling the scanning components to retry the download.
Could that be download reputation sending the file for scanning?
If you open up Endpoint Self Help - Enable Debug logging for IOfficeAV:
Relaunch the browser and reproduce the problem. Then check:
C:\ProgramData\Sophos\Endpoint Defense\Logs\Low\iofficeav.log
What do you see in there?
Here is what it see. It doesn't even have to be at download, it could be sitting there in a folder and it will be removed by Sophos. Here it says manual cleanup required but the file isn't there.
