Hi, We have a Sophos Intercept-X user that has problems running End of Month reports via Excel in a certain CRM application. He is the only user requiring this functionality. We have tracked the issue down to being a .XLL (I assume that is an Excel Addin DLL). This .XLL file is stored on a file server (that stores the CRM system). I think that the .XLL file is being flagged by Sophos under this Policy: Prevent DLLs loading from untrusted folders . This protects against loading DLL files from untrusted folders. Is there a way that I can exclude this one .XLL file from the above policy? Just in case, is there a way I can do this for the whole folder? I think that some of the problem is that the .XLL isn't signed. If we cannot exclude them, is there a way to trust the files so the above policy won't apply? Thanks for your help Regards Mike

Threat Protection - how to trust a file?

Hi,

We have a Sophos Intercept-X user that has problems running End of Month reports via Excel in a certain CRM application. He is the only user requiring this functionality.

We have tracked the issue down to being a .XLL (I assume that is an Excel Addin DLL). This .XLL file is stored on a file server (that stores the CRM system).

I think that the .XLL file is being flagged by Sophos under this Policy:

Prevent DLLs loading from untrusted folders. This protects against loading DLL files from untrusted folders.

Is there a way that I can exclude this one .XLL file from the above policy? Just in case, is there a way I can do this for the whole folder?

I think that some of the problem is that the .XLL isn't signed. If we cannot exclude them, is there a way to trust the files so the above policy won't apply?

Thanks for your help

Regards

Mike

Added tags
[edited by: GlennSen at 2:44 PM (GMT -7) on 3 Oct 2024]

Parents

0 Sophos User930 2 months ago

Hello, The details of the Event ID 911 in the Application event log will provide a little more detail and context. Do you see an event for each time this happens?

Are any of the thumbprints at the bottom in a given event log the same as the others? i wonder if you can exclude it via a thumbprint? Do any of them stay the same?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Sophos User930 2 months ago

Hello, The details of the Event ID 911 in the Application event log will provide a little more detail and context. Do you see an event for each time this happens?

Are any of the thumbprints at the bottom in a given event log the same as the others? i wonder if you can exclude it via a thumbprint? Do any of them stay the same?
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

0 Michael Wallis 1 month ago in reply to Sophos User930

Hi,

I will have to check again, but I think the answer is yes, the thumbprint is consistent. The only issue I can see is if the file is updated, we will have to get the new thumbprint and add that as an exclusion.

The bit I dont quite get is the Sophos explanation of the setting:

Michael Wallis said:
This protects against loading DLL files from untrusted folders.

From what I understand local folders (on your computer) are trusted, not sure about removable devices like USB sticks. Whereas remote folders (could be servers, websites, etc) are not trusted.
If this is the case, is there a way you can "trust a remote folder"? Or, is that the same as an exclusion?

Thanks

Mike
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel