
Endpoint Protection not applying global exclusions

Evening,

I recently came across an issue I can't figure out how to resolve.

We have an add-in for Excel that causes Sophos Endpoint to kill the program with a "StackExec" (MemProt) exploit prevented in Excel. Up until now we've just added the detection ID to the list of exclusions and it's worked fine. Within 2-3 minutes the clients stop reacting.

This evening I was told by staff the StackExec exploit is back, so I added another detection ID exclusion, but this time my endpoint clients didn't pick up the exclusion. I did some testing, tried forcing the endpoint client to redownload policy per a KB from the self help tool. Didn't work.

The only way I could get the exploit prevention to not detect Excel as malicious was to temporarily turn off tamper protection and then disable exploit prevention. Obviously not a solution by any means, and we can't disable exploit prevention across the entire company just to satisfy the accounting team, so I need a fix as the add-in for Excel ties into our accounting database and they need the tool to run reports.

As to when this started, we just noticed today after I went to add the exclusion.

Any help or insight is really welcome on this issue as I don't need my boss (IT Director) and the entire accounting team breathing down my neck wanting answers. And yes, we are waiting for the add-in dev to fix the thing but there's no ETA of when that will happen.



  • Also forgot to mention, I tried excluding the Excel app entirely from exploit detection, as well as adding the exclusion by path to the excel.exe file, and neither worked. Almost like the client isn't grabbing the updated exclusions list.
