Endpoint Protection not applying global exclusions

Also forgot to mention, I tried excluding the Excel app entirely from exploit detection, as well as adding the exclusion by path to the excel.exe file, and neither worked. Almost liket the client isn't grabbing the updated exclusions list.

Thank you for reaching the community Forum.

There’s a high chance that this detection's thumbprint keeps changing. That's why you keep getting this detection. 
Can you try installing the hotfix on one problematic device and tell us the outcome? 

You can refer to this article for the steps on how to install the hotfix 

Morning Glenn,

I just tried the updated hotfix and it didn't help. Looking at the release notes my issue sounds similar to WINEP-38405 "Resolved an issue where we couldn't exclude some applications from lockdown mitigation by adding a new thumbprint type." except in my case this is "StackExec (MemProt)" mitigation causing the issue.

I am aware the detection ID does change for this particular issue, and we've added each new detection ID as it changes. Normally I just find the updated detection in Sophos central, add the exclusion by detection ID and things work fine. That's what didn't happen last night, the added exclusion never applied to tested clients despite being listed.

Last night for testing I also excluded excel from StackExec mitigation, by adding a global exclusion for excel and making sure StakExec (MemProt) was greyed out so disabled. I even tried excluding Excel from any mitigations (greyed out Protect Application), still didn't take.

As an aside, I've tried to login to the support portal to open a ticket but I'm one of those unlucky folks who's registered (have the email saying I am) but when I go to login, the portal punts me back to the registration form, which if I fill out, says I'm already approved so please login in.

I've reached out to you via PM to follow up. 

I suggest checking the following registry key as well on one of the local devices to see if you're able to find the thumbprint you've tried excluding. 
- HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert
- WhiteThumbprints

Hi Kushal,

Thanks for the followup. I did look into the registry where you suggested I look and I do see all the Thumbprints listed that match the excluded detections.

I also poked around in HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_policy_ which mentions excel.exe specifically. It contains over a dozen keys which refer to various versions of Excel, including $programfiles\Microsoft Office\root\Office16\EXCEL.EXE

Those all reference a specific subfolder in here: HKEY_LOCAL_MACHINE\SOFTWARE\HitmanPro.Alert\_profiles_ and when I look at the key's inside that profile, StackExec has a value of 0, suggesting StackExec mitigation should be disabled for Excel. It also references a Template called Office which has the same key's as the above profile, only difference being that StackExec is a 1 so assuming it's on.

So from the looks of the registry it should be excluding the specific Detecion IDs/signatures I excluded, but also excluding Excel from StackExec mitigations, both of which should keep Intercept X from stopping excel due to a StackExec violation when loading spreadhseets with this add-in enabled.

Could I have you test running the following command with a new installer package on one of the devices which continues to experience these issues? 
SophosSetup.exe --registeronly

I already tried (at Support's Direction) using SophosZap to cleanout the client on my machine and that did seem to work. I'll give --registeronly a try on another workstation next week when I'm back in the office as re-running the installer is certainly easier & faster then uninstalling using SophosZap.

TheDrew2022  Are you able to share what Excel Add-in you're using that caused this? We are using Sage Office Connector and having this issue a lot.