Is it possible to exclude a process from data lake detections?

Good morning,

We use Faronics Deep Freeze in our environment on shared-use PCs in classrooms and computer labs. We are experimenting with turning on data lake uploads to start using the threat analysis center, and the Deep Freeze detections are very noisy for detection rule WIN-DET-T1490. We've only enabled data lake uploads on a few PCs like this, and I'd hate to imagine how cluttered the detections would be if we enable it on all shared-use PCs. 

We'd like to use the data lake / detections functionality on these PCs though, and we don't want to turn off this detection rule entirely in case there is an actual malicious actor that triggers the same kind of alert. Is there a way to explicitly exclude a process from this detection on our end? If not, is Sophos willing to look for a way to exclude detections on this one specific process? I have added the folder as a global exclusion in settings, and also excluded the DFServ.exe process by name as a process exclusion in global exclusions, but that doesn't appear to affect data lake detections.

For reference for any Sophos engineer who might see this and consider finding a way to exempt this process for customers, the full path to the file causing this issue is "C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe" and it is using bcdedit.exe, which I believe is causing the actual detection.
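Added example, not Sophos code and not the logic of WIN-DET-T1490 (the thread does not say what that rule matches on): the kind of tuned rule a SOC would write on its own side, for instance over process-creation events exported from the data lake, to keep alerting on bcdedit.exe recovery tampering while suppressing only the known Deep Freeze parent. The suppression is keyed on the full parent image path quoted in the post plus a parent-signature flag; the event field names, the signature flag and the sample command lines are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# bcdedit.exe arguments that disable Windows recovery, the behaviour ATT&CK
# lists under T1490 (Inhibit System Recovery). Assumed trigger conditions;
# the real WIN-DET-T1490 logic is not published in the thread.
RECOVERY_TAMPER = re.compile(
    r"recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures", re.IGNORECASE)

# Suppression keyed on the exact parent image path from the original post.
# Matching only the bare name "DFServ.exe" would also silence a renamed
# malware binary dropped anywhere on disk.
ALLOWED_PARENT_IMAGES = {
    r"c:\program files (x86)\faronics\deep freeze\install c-0\dfserv.exe",
}


@dataclass
class ProcessEvent:
    """Minimal process-creation record; field names are assumptions, not Sophos'."""
    image: str
    command_line: str
    parent_image: str
    parent_signed: bool  # assumed: result of an Authenticode check on the parent binary


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> Optional[str]:
    """Return "alert", "suppressed", or None when the rule does not match at all."""
    if _basename(event.image) != "bcdedit.exe":
        return None
    if not RECOVERY_TAMPER.search(event.command_line):
        return None
    # Exclusion requires both the exact parent path and a signed parent;
    # a wrong path or an unsigned parent still alerts.
    if event.parent_image.lower() in ALLOWED_PARENT_IMAGES and event.parent_signed:
        return "suppressed"
    return "alert"


DF_PATH = r"C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe"
BCDEDIT = r"C:\Windows\System32\bcdedit.exe"

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcessEvent(BCDEDIT, "bcdedit /set {default} recoveryenabled no", DF_PATH, True),
    ProcessEvent(BCDEDIT, "bcdedit /set {default} recoveryenabled no", DF_PATH, False),
    ProcessEvent(BCDEDIT, "bcdedit /set {default} recoveryenabled no",
                 r"C:\Users\Public\DFServ.exe", True),
    ProcessEvent(BCDEDIT, "bcdedit /set {default} bootstatuspolicy ignoreallfailures",
                 r"C:\Windows\System32\cmd.exe", True),
    ProcessEvent(BCDEDIT, "bcdedit /enum", r"C:\Windows\System32\cmd.exe", True),
]


def triage(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Return (parent_image, verdict) for every event the rule matched."""
    out = []
    for e in events:
        verdict = evaluate(e)
        if verdict is not None:
            out.append((e.parent_image, verdict))
    return out


if __name__ == "__main__":
    for parent, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:<10} parent={parent}")
```

Run as-is, the first event (the real Deep Freeze service path, signed) is suppressed, while the same command from an unsigned binary at that path, from a DFServ.exe copy in another directory, or from cmd.exe still alerts, and a plain `bcdedit /enum` never matches. The point of the design is that the exclusion is as narrow as the evidence the post gives: a path, not a process name, and a signer check so that an attacker cannot inherit the exclusion by naming a binary DFServ.exe.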



This thread was automatically locked due to age.
  • Thank you for reaching out to the community forum.

    Can you share with us the screenshot of the detection that you're getting? Also, are you seeing any options to allow the said detection under alerts in Sophos Central?

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids