Endpoint Detection Exclusion Query

Question

Hi Sophos, 
 
 We are receiving what we believe to be false positives with a piece of software at use in our ogranisation. 
 
 This software is triggering an event on the affected device for 'DynamicShellcode'. 
 
 I understand that I can go to this device's Events history, and 'Exclude this Detection ID from checking'. 
 
 I'd like to clarify what this means; does 'Detection ID' refer to this specific app on this specific device? Does adding this exception here, which adds it as a global exception, mean that all DynamicShellcode exploits are exempt from checks? 
 
 Thank you.

Gladys · Answer

Hi ptho , 
 Thank you for reaching out to the Sophos Community Forum. 
 Have you had a chance to read through the following document? This specific action is explained here. 
 Stop detecting an exploit 
 Exclude this Detection ID from checking. prevents this detection on this application. It adds an exclusion for the Detection ID associated with this specific detection. If the same behavior occurs again on your estate, this doesn't trigger a detection. However, if the behavior is different, for example different paths or files, the Detection ID is different and requires a separate exclusion. 
 I'd also suggest submitting the sample file to our SophosLabs so they can further analyze the application and apply modifications if needed. You can do this by going to our Sample Submissions Portal .