Add SHA-256 of file to exclusions

I'm having trouble performing a pretty basic function. How do I add an exe file's SHA-256 to my exclusions? So far I've only seen how to add file paths.

And the Windows Hash Exclusions just seems to be for excluding file paths from Sophos journaling & Live Discover.

I've also already done the "Details Exclusion" from the devices events. But that just excludes a Detection ID, which changes on different devices and file paths.



Added Tags
[edited by: GlennSen at 10:30 AM (GMT -7) on 4 Aug 2025]
  • Hello  

    Apologies for any earlier confusion.

    Sophos Central does not currently support excluding (whitelisting) files from detection or blocking by specifying their SHA-256 hash in the standard Exclusions section. The Windows Hash Exclusion feature is only intended to prevent Sophos from generating and uploading hash values for specified files or folders to the Sophos Data Lake and event journals. This feature does not prevent those files from being scanned, detected, or blocked by Sophos Endpoint Protection.

    Supported Exclusion Methods:
    If you want to completely prevent a file from being blocked or detected, use one of these supported exclusion methods:

    File or Folder Path Exclusion:
    Add the file or folder's full path to the exclusions list in Sophos Central. This is the standard and recommended approach for excluding files from real-time scanning and detection.

    Certificate-Based Exclusion:
    If the application is digitally signed, you can exclude all files signed by a specific certificate. This method allows all versions of a trusted, signed application.

    Detection ID Exclusion:
    This method excludes a specific detection event by its Detection ID. However, Detection IDs are unique to each event and device, so this exclusion isn’t persistent or scalable across multiple systems or file paths.

    Important Notes:
    SHA-256 hash-based exclusions for allowing (whitelisting) files aren’t supported in Sophos Central.

    SHA-256 hashes can be used to block applications (by adding them to the Blocked Items list), but not to allow or exclude them from scanning or detection.

    The “Hashing exclusion” option strictly controls what data is sent to Sophos for journaling and analytics, and does not affect endpoint protection or detection behaviour.

    Always use file/folder paths or certificate exclusions for persistent, reliable exclusions. If you would like to see SHA-256 hash-based exclusions as a feature in the future, you can formally request this enhancement by contacting your Sophos account manager or partner.

    Let me know if you need any further help.

    Regards, 
    Rutvik Chavda
    Global Endpoint Security Engineer
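To choose between the path and certificate exclusion methods described in the answer above, it helps to check whether the executable carries a valid Authenticode signature and to record its SHA-256 for reference. The following is an added example, not part of the original thread or Sophos tooling; the file path and the function name `Get-ExclusionCandidateInfo` are hypothetical, and it uses only the built-in `Get-AuthenticodeSignature` and `Get-FileHash` cmdlets.

```powershell
# Added example: inspect files before deciding how to exclude them.
# The path below is a placeholder; replace it with the executable(s) being evaluated.
$candidates = @(
    'C:\Program Files\ExampleVendor\example.exe'   # hypothetical path
)

function Get-ExclusionCandidateInfo {
    param([Parameter(Mandatory)][string[]]$Path)

    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            Write-Warning "Not found: $p"
            continue
        }

        $sig  = Get-AuthenticodeSignature -LiteralPath $p
        $hash = Get-FileHash -LiteralPath $p -Algorithm SHA256
        $cert = $sig.SignerCertificate

        # Only a signature that validates ('Valid') is a sound basis for a
        # certificate exclusion. NotSigned, HashMismatch, NotTrusted and
        # similar states leave the file/folder path method.
        $method = if ($sig.Status -eq 'Valid') { 'Certificate' } else { 'Path' }

        [pscustomobject]@{
            Path            = $p
            SHA256          = $hash.Hash
            SignatureStatus = $sig.Status
            Signer          = if ($cert) { $cert.Subject }    else { $null }
            Thumbprint      = if ($cert) { $cert.Thumbprint } else { $null }
            CertExpires     = if ($cert) { $cert.NotAfter }   else { $null }
            SuggestedMethod = $method
        }
    }
}

Get-ExclusionCandidateInfo -Path $candidates | Format-List
```

A path exclusion applies to whatever file sits at that path, so keeping the recorded SHA-256 lets you confirm later that the excluded binary is still the one you reviewed.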