Threat Protection - how to trust a file?

Hi,

We have a Sophos Intercept-X user that has problems running End of Month reports via Excel in a certain CRM application. He is the only user requiring this functionality.

We have tracked the issue down to being a .XLL (I assume that is an Excel Add-in DLL). This .XLL file is stored on a file server (that stores the CRM system).

I think that the .XLL file is being flagged by Sophos under this Policy:

  • Prevent DLLs loading from untrusted folders. This protects against loading DLL files from untrusted folders.

Is there a way that I can exclude this one .XLL file from the above policy? Just in case, is there a way I can do this for the whole folder?

I think that some of the problem is that the .XLL isn't signed. If we cannot exclude them, is there a way to trust the files so the above policy won't apply?

Thanks for your help

Regards

Mike

  



[edited by: GlennSen at 2:44 PM (GMT -7) on 3 Oct 2024]
  • Hello, The details of the Event ID 911 in the Application event log will provide a little more detail and context. Do you see an event for each time this happens?

    Are any of the thumbprints at the bottom in a given event log the same as the others? I wonder if you can exclude it via a thumbprint? Do any of them stay the same?

  • Hi,

    I will have to check again, but I think the answer is yes, the thumbprint is consistent. The only issue I can see is if the file is updated, we will have to get the new thumbprint and add that as an exclusion.

    The bit I don't quite get is the Sophos explanation of the setting:

    This protects against loading DLL files from untrusted folders.

    From what I understand local folders (on your computer) are trusted, not sure about removable devices like USB sticks. Whereas remote folders (could be servers, websites, etc) are not trusted.
    If this is the case, is there a way you can "trust a remote folder"? Or, is that the same as an exclusion?

    Thanks

    Mike
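
An added example, not part of the thread and not Sophos tooling: a PowerShell check that records the add-in's SHA-256 and Authenticode status, then flags any later change so an exclusion tied to one build of the file is re-reviewed instead of silently covering a replaced file. The UNC path and baseline location are placeholders, and the thread does not establish that the "thumbprint" in Event ID 911 is this SHA-256 value.

```powershell
# Added example. Both default paths are hypothetical placeholders.
param(
    [string]$AddinPath    = '\\fileserver.example\crm\addin.xll',
    [string]$BaselinePath = "$env:ProgramData\XllBaseline\addin.json"
)

function Get-AddinFingerprint {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
    [pscustomobject]@{
        Path             = $Path
        Sha256           = $hash.Hash
        # Status is reported as returned (for example NotSigned or Valid).
        SignatureStatus  = $sig.Status.ToString()
        SignerThumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
        CheckedUtc       = (Get-Date).ToUniversalTime().ToString('o')
    }
}

$current = Get-AddinFingerprint -Path $AddinPath

if (-not (Test-Path -LiteralPath $BaselinePath)) {
    # First run: store the reviewed state of the file as the baseline.
    New-Item -ItemType Directory -Path (Split-Path -Parent $BaselinePath) -Force | Out-Null
    $current | ConvertTo-Json | Set-Content -LiteralPath $BaselinePath -Encoding UTF8
    Write-Output "Baseline recorded: $($current.Sha256) [$($current.SignatureStatus)]"
    return
}

$baseline = Get-Content -LiteralPath $BaselinePath -Raw | ConvertFrom-Json

if ($current.Sha256 -ne $baseline.Sha256) {
    # The file on the share is no longer the one that was reviewed.
    Write-Warning "Add-in changed since $($baseline.CheckedUtc)."
    Write-Warning "Baseline: $($baseline.Sha256)"
    Write-Warning "Current : $($current.Sha256) [$($current.SignatureStatus)]"
    exit 1
}

if ($current.SignatureStatus -ne $baseline.SignatureStatus) {
    Write-Warning "Signature status changed: $($baseline.SignatureStatus) -> $($current.SignatureStatus)"
    exit 1
}

Write-Output "Add-in unchanged: $($current.Sha256) [$($current.SignatureStatus)]"
```

Run as a scheduled task, a non-zero exit code marks the point where the file should be reviewed again before any exclusion is updated.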
