
Whitelisting a program via Global Scanning Exclusions in Sophos Central?

I have yet another program for which Sophos is causing a false positive in CryptoGuard.

DraftSight is the program.

If I add the exclusion in Global Scanning Exclusions under "File or Folder -Windows" using the path C:\Program Files\Dassault Systemes\DraftSight\bin\DraftSight.exe and choose it to be active for "Real Time and Scheduled", should that keep Sophos from touching it at all?

Thanks

 



  • Did you ever get this resolved?

    We're having the exact same issue and have done exactly as you mentioned above; however, we continue to receive the alert! (added both the file path and executable)

    I saw posts from back in 2016 stating this was a "bug" and would be resolved in the next update/release; however, it appears this has yet to be resolved.

  • No, the Sophos whitelisting, once something has shown up in their severely broken CryptoGuard, is visible and whitelistable, but still crashes DraftSight.

  • Hello James Dedrickson,

    the Intercept X forum is perhaps also a good place for this question.
    Anyway, CryptoGuard doesn't use the AV scanning engine and thus scanning exclusions don't apply. AFAIK you can't authorize a detection, and excluding a process would defeat the purpose of CryptoGuard (think of process hijacking). If you haven't already done so, please see also CryptoGuard detections and required actions (which includes a link on How to report false positives).

    Christian

  • KB125439 explicitly says to "exclude the detected exploit either Globally or per Policy to prevent the detection." Is this not a way to exclude files from being caught by CryptoGuard?

  • Hello gdriggs,

    I have neither Central nor Intercept X, but when I see a "me too" to an unanswered question for a topic I'm not completely unfamiliar with, I try to be of help and at least get the enquirer on the right track.
    You're right about 125439, but I'm not sure whether it's correct regarding a CryptoGuard detection as it says the detected exploit (emphasis mine). It might simply be unfortunate wording or it might be wrong. Nevertheless I'm pretty sure that File or folder exclusions do not apply. There's a short Detected Exploits (Windows) paragraph and iff(sic!) 125439 is correct then it's only by using the mentioned drop-down that you could exclude the ransomware FP. If it's not in the drop-down ... well, maybe it's me who's right.

    Christian

  • I received this from Sophos support, put it into place, and it appears to be working thus far. Please note, once you select "Detected Exploits (Windows)", you may need to scroll down the list if you have multiple entries to find the one you want.

    "Please try excluding this application in the Central Admin by navigating to System Settings > Global Scanning Exclusions > Add Exclusions > Detected Exploits (Windows) and selecting the cryptoguard detection.

    This should exclude the application from being detected as ransomware."

    Thanks, Everyone!

    James