Advisory: Sophos Endpoint "Your connection isn't private" after reboot. Policy settings can be returned to normal. See: KB-000045954 for the latest updates.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Is it possible to exclude a process from data lake detections?

Good morning,

We use Faronics Deep Freeze in our environment on shared-use PCs in classrooms and computer labs. We are experimenting with turning on data lake uploads to start using the threat analysis center, and the Deep Freeze detections are very noisy for detection rule WIN-DET-T1490. We've only enabled data lake uploads on a few PCs like this, and I'd hate to imagine how cluttered the detections would be if we enable it on all shared-use PCs. 

We'd like to use the data lake / detections functionality on these PCs though, and we don't want to turn off this detection rule entirely in case there is an actual malicious actor that triggers the same kind of alert. Is there a way to explicitly exclude a process from this detection on our end? If not, is Sophos willing to look for a way to exclude detections on this one specific process? I have added the folder as a global exclusion in settings, and also excluded the DFServ.exe process by name as a process exclusion in global exclusions, but that doesn't appear to affect data lake detections.

For reference for any Sophos engineer who might see this and consider finding a way to exempt this process for customers, the full path to the file causing this issue is "C:\Program Files (x86)\Faronics\Deep Freeze\Install C-0\DFServ.exe" and it is using bcdedit.exe, which I believe is causing the actual detection.



This thread was automatically locked due to age.