Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 14 subscribers
  • Views 13355 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exploit Mitigation Exclusions as a policy

Danie de Jager

Won't it be possible to create "Exploit Mitigation Exclusions" as a policy specific to users or endpoints? Currently it is a global setting. I have only one user that needs to have access to "Java(TM) Web Launcher" but now I have to disable this check for all my users. It would be more secure if I could do this more granular. I have the same concern with Tamper protection it is also all or nothing setting.

Thanks for your consideration.



This thread was automatically locked due to age.
Parents
  • 0

    I hear you!  I too would like to see the Policy section have an area for the exclusions and tamper protection provided.  This would need to be a feature request for now...

    However.

    You say you only have one user who needs access to the Java Web Launcher, why would setting a per user Exploit Mitigation Exclusion be best here?  Does Intercept X interfere (essentially creating a false positive) with a specific Java application you have?

    If this is not the case, why don't you look into the Application Control policy element and block Java RTE for everyone, but have a higher ranked policy which doesn't block Java run time and associate only that user who needs it.

    As for Tamper Protection, I firmly believe the global on/off toggle with a Per computer password and ability to disable at that level is preferable.  With previous versions of on-premises Enterprise Console, I typically witnessed many computers being forgotten about and having no tamper protection as a policy was unset and then applied to all computers.  This in turn greatly increases risk.  As such, if someone needs to disable a setting on Sophos Endpoint, I'd be first asking why...  we shouldn't need to if absolutely necessary, but it can be done 'remotely'..

    ==

    When in doubt, Script it out.

  • 0 in reply to AzRoN

    Thanks. As I'm still new to Sophos Central I'm not exactly sure how Intercept X differs in action to the base Sophos AV but I had to disable that exploit for the user to be able to open the JavaWeb Launcher app. It is software published by our Bank. Won't it be a different type of policy to allow the Application as that is another module of Sophos and not the base AV?

    The event log entry I get is:

    'BlockedProcess' exploit prevented in Java(TM) Web Launcher

  • 0 in reply to Danie de Jager

    If you're only using Intercept X then I assume this is an unwanted detection.  I strongly suggest you contact Sophos Support and provide details on the bank you use and information on the alert details.

    ==

    When in doubt, Script it out.

Reply Children
No Data
Unfiltered HTML