
Exploit Mitigation Exclusions as a policy

Wouldn't it be possible to create "Exploit Mitigation Exclusions" as a policy specific to users or endpoints? Currently it is a global setting. I have only one user that needs to have access to "Java(TM) Web Launcher", but now I have to disable this check for all my users. It would be more secure if I could do this more granularly. I have the same concern with Tamper Protection: it is also an all-or-nothing setting.

Thanks for your consideration.



  • I hear you! I too would like to see the Policy section have an area for the exclusions and tamper protection provided. This would need to be a feature request for now...

    However.

    You say you only have one user who needs access to the Java Web Launcher; why would setting a per-user Exploit Mitigation Exclusion be best here? Does Intercept X interfere (essentially creating a false positive) with a specific Java application you have?

    If this is not the case, why don't you look into the Application Control policy element and block the Java RTE for everyone, but have a higher-ranked policy which doesn't block the Java runtime and associate only the user who needs it with that policy?

    As for Tamper Protection, I firmly believe the global on/off toggle with a per-computer password and the ability to disable at that level is preferable. With previous versions of the on-premises Enterprise Console, I typically witnessed many computers being forgotten about and having no tamper protection, as a policy was unset and then applied to all computers. This in turn greatly increases risk. As such, if someone needs to disable a setting on Sophos Endpoint, I'd be first asking why... we shouldn't need to if absolutely necessary, but it can be done 'remotely'.

    ==

    When in doubt, Script it out.
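The ranked-policy workaround suggested above (block the Java runtime for everyone in a base Application Control policy, and put the one user in a higher-ranked policy that does not block it) only works if the exception policy is actually ranked above the catch-all. The following is an added example, not Sophos code and not from the original thread: it models first-match-by-rank policy resolution in plain Python and includes a check for exception policies that are shadowed by a higher-ranked policy assigned to everyone. Policy names, user names and the application category name are made-up placeholders; the first-match-by-rank behaviour is the assumption being illustrated.

```python
"""Ranked policy resolution, modelled in plain Python.

Added example, not Sophos code. It models the workaround above: a base
Application Control policy that blocks the Java runtime for everyone, plus a
higher-ranked policy, assigned only to the one user who needs Java, that does
not block it. Policy names, user names and the app name are made-up
placeholders; the first-match-by-rank behaviour is the assumption illustrated.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    rank: int                 # 1 = evaluated first (highest priority)
    name: str
    blocked_apps: frozenset   # application categories this policy blocks
    members: frozenset        # users assigned to the policy; empty = everyone


def effective_policy(policies, user):
    """Return the highest-ranked policy assigned to `user` (first match wins)."""
    for policy in sorted(policies, key=lambda p: p.rank):
        if not policy.members or user in policy.members:
            return policy
    raise LookupError(f"no policy covers {user!r}")


def is_allowed(policies, user, app):
    """True if the user's effective policy does not block `app`."""
    return app not in effective_policy(policies, user).blocked_apps


def shadowed_policies(policies):
    """Names of policies that can never take effect because a policy that
    applies to everyone is ranked above them. This is the classic mistake
    when adding an exception policy: it must be ranked above the catch-all."""
    shadowed = []
    catch_all_seen = False
    for policy in sorted(policies, key=lambda p: p.rank):
        if catch_all_seen:
            shadowed.append(policy.name)
        elif not policy.members:
            catch_all_seen = True
    return shadowed


JAVA = "Java Runtime Environment"   # constructed application category name

# Correct layout: the exception is ranked above the base policy.
GOOD_POLICIES = (
    Policy(rank=1, name="Java allowed (bank app user)",
           blocked_apps=frozenset(), members=frozenset({"bank.user"})),
    Policy(rank=2, name="Base Application Control",
           blocked_apps=frozenset({JAVA}), members=frozenset()),
)

# Misconfigured layout: same two policies, but the exception sits below the catch-all.
BAD_POLICIES = (
    Policy(rank=1, name="Base Application Control",
           blocked_apps=frozenset({JAVA}), members=frozenset()),
    Policy(rank=2, name="Java allowed (bank app user)",
           blocked_apps=frozenset(), members=frozenset({"bank.user"})),
)


if __name__ == "__main__":
    for label, policies in (("good", GOOD_POLICIES), ("bad", BAD_POLICIES)):
        print(label,
              "bank.user ->", is_allowed(policies, "bank.user", JAVA),
              "| other.user ->", is_allowed(policies, "other.user", JAVA),
              "| shadowed:", shadowed_policies(policies))
```

Running it shows the difference between the two layouts: in the good layout only bank.user may run Java, in the bad layout nobody can and the exception policy is reported as shadowed. The same ranking logic applies to any per-user exception you build this way, which is why it is worth checking the rank order after adding the policy in the console.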

  • Thanks. As I'm still new to Sophos Central, I'm not exactly sure how Intercept X differs in action from the base Sophos AV, but I had to disable that exploit mitigation for the user to be able to open the Java Web Launcher app. It is software published by our bank. Wouldn't it be a different type of policy to allow the application, as that is another module of Sophos and not the base AV?

    The event log entry I get is:

    'BlockedProcess' exploit prevented in Java(TM) Web Launcher

  • If you're only using Intercept X then I assume this is an unwanted detection. I strongly suggest you contact Sophos Support and provide details on the bank you use and information on the alert details.

    ==

    When in doubt, Script it out.