Sophos Intercept X: How to exclude applications from Exploit Mitigation functionality

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This article describes how to exclude an application from Exploit mitigations on the below platforms:

  • Sophos Central (managing Sophos Intercept X)
  • Sophos Enterprise Console (managing Sophos Exploit Prevention)

We will cover how to exclude 'known' applications (applications that the Sophos Endpoint detects as installed business applications) and 'unknown' applications (applications that are not categorised by the Sophos Endpoint as business applications but may still require exclusion). 

Please note: Sophos does not suggest excluding any applications from any of our protection methods unless the application is fully trusted by the customer. Customers excluding applications do so at their own risk. 

For further information on exclusions methods for Cryptoguard please see this article.

Applies to the following Sophos products and versions

  • Sophos Central Admin
  • Enterprise Console 5.5.1
  • Central Endpoint Intercept X 2.0.14
  • Exploit Prevention
  • Central Server Intercept X 2.0.8

What to do

Sophos Central

Please note that Exploit Mitigation exclusions in Sophos Central are applied to your whole estate once they are saved.

Excluding an application after an exploit mitigation detection

This method can be used to exclude a particular application after a detection has been raised against it in Sophos Central:

  1. Locate the device in Sophos Central where the exploit was reported
  2. In the Recent Events list on the device you should see the exploit detection listed
  3. In the Event Details you should see the Application name and details as well as the detection type.  You will also see the 'Detection ID' which is a unique identifier for this detection:

  4. Under 'Allow by' you can choose from the below options depending on your requirement:
  • Detection ID (Most Secure)
    • This option will add an exclusion for the Detection ID associated with this particular detection.  If the exact same behaviour occurs again on your estate then this will not trigger a detection.
    • However, anything that changes the behaviour in some way (different paths involved, different files involved, different application, etc.) will change the Detection ID and will therefore require a separate exclusion.
  • Mitigation: <Mitigation Name>
    • This option will stop the application listed from being monitored for the exploit mitigation listed.
    • This, of course, increases the risk of a genuine attack using that exploit technique against the application going undetected, but can be useful in cases where certain business applications generate a large number of unexpected detections.
  • Application: <Application Name>
    • This option will stop the entire application from being monitored for any exploit mitigations.
    • This carries the most risk and therefore should only be used as a last resort.

  5. After you have made your selection click 'Exclude' to save your changes.

  6. The exclusion will now be in place.

Excluding a 'known' application for a particular exploit mitigation

If a detection has not been raised for an application but it has been identified that a particular application needs to be excluded from a particular mitigation you can set this up in Sophos Central.

  1. Navigate to 'Global Settings' > 'Global Exclusions'
  2. Click 'Add Exclusion'
  3. Under 'Exclusion Type' select 'Exploit Mitigation (Windows)'.  You will be presented with the below window:
  4. In the list, locate the application you wish to apply the exclusion to
  5. In the bottom half of the window you will see a list of the possible mitigations that you can disable for this application
    • If a mitigation is greyed out this is because the mitigation is not valid or supported for the category of application you have selected

  6. Deselect the mitigation(s) that you wish to disable for this application and then click 'Add'
  7. Click 'Save' to record your changes
  8. Your exclusions will now be applied

Excluding a 'known' application completely from Exploit Protection

This method is useful if you have an application that either reports a large number of unexpected exploit mitigation detections or suffers from performance issues when the exploit mitigation functionality is active.

  1. Navigate to 'Global Settings' > 'Global Exclusions'
  2. Click 'Add Exclusion'
  3. Under 'Exclusion Type' select 'Exploit Mitigation (Windows)'.  You will be presented with the below window:
  4. In the list, locate the application you wish to apply the exclusion to
  5. In the bottom half of the window you will see a list of the possible mitigations that you can disable for this application

  6. Deselect 'Protect Application' and then click 'Add'
  7. Click 'Save' to record your changes
  8. Your exclusions will now be applied

Excluding an 'unknown' application

This method is useful if you have a business application that is not categorised by the Sophos Endpoint as a common business application but still suffers from issues when the Exploit Mitigation functionality is enabled.

  1. Navigate to 'Global Settings' > 'Global Exclusions'
  2. Click 'Add Exclusion'
  3. Under 'Exclusion Type' select 'Exploit Mitigation (Windows)'.  You will be presented with the below window:
  4. Click 'Application not listed?'
  5. In the bottom half of the window enter the full path to the application that you wish to exclude and de-select 'Protect Application':
  6. Click 'Add' and then 'Save' to apply your exclusion
  7. Your application should now be excluded. Note that this exclusion is keyed on the path you entered: if the application is moved or updated to a new location the exclusion will no longer match it, and anything else that is placed at that path inherits the exclusion.
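Because an 'unknown' application is excluded by its full path and the note above says only fully trusted applications should be excluded, it is worth vetting the binary before typing its path into Sophos Central. The PowerShell below is an added example for doing that on the endpoint; it is not Sophos code and not part of the original article. It assumes you run it on a Windows machine where the application is installed, that the path and the trusted signer subject are placeholders you replace with your own values, and that you record the output (hash, signer, signature status) alongside the exclusion in your change record. It only uses built-in cmdlets (Get-AuthenticodeSignature, Get-FileHash, Get-Acl).

```powershell
# Added example (not Sophos code): vet a binary before excluding it by path via
# Sophos Central > Global Settings > Global Exclusions > Exploit Mitigation (Windows)
# > 'Application not listed?'.
# Assumptions: run on the endpoint where the application lives; $Path and
# $TrustedSubjects are placeholders to be replaced with your own values.

function Test-ExclusionCandidate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Certificate subjects you have decided to trust (placeholder value).
        [string[]] $TrustedSubjects = @('CN=Example Vendor, O=Example Vendor Inc')
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Not a file: $Path"
    }
    # Central expects the full path, so resolve anything relative.
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    $sig  = Get-AuthenticodeSignature -FilePath $full
    $hash = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash

    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    $signedByTrusted = ($sig.Status -eq 'Valid') -and ($TrustedSubjects -contains $subject)

    # A path exclusion protects whatever sits at that path. If ordinary users can
    # write to the directory, an attacker can drop their own binary there and
    # inherit the exclusion, so flag directories writable by broad groups.
    $dirAcl = Get-Acl -LiteralPath (Split-Path -Parent $full)
    $writeRight = [System.Security.AccessControl.FileSystemRights]::Write
    $usersWritable = $dirAcl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$' -and
        (($_.FileSystemRights -band $writeRight) -ne 0)
    }

    [pscustomobject]@{
        Path               = $full
        Sha256             = $hash
        SignatureStatus    = $sig.Status
        Signer             = $subject
        SignedByTrusted    = $signedByTrusted
        DirWritableByUsers = [bool]$usersWritable
        Recommendation     = if ($signedByTrusted -and -not $usersWritable) {
                                 'Acceptable to exclude by path'
                             } else {
                                 'Do not exclude yet; investigate signer or directory permissions'
                             }
    }
}

# Placeholder path; replace with the binary you intend to enter in Sophos Central.
Test-ExclusionCandidate -Path 'C:\Program Files\ExampleVendor\app.exe' | Format-List
```

The check deliberately refuses an unsigned binary or one living in a user-writable directory, because in both cases the exclusion would protect whatever is copied to that path rather than the application you vetted. Keeping the SHA256 with the change record also lets you spot later whether the file at the excluded path is still the one you approved.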

Updated disclaimer
[edited by: Qoosh at 10:04 PM (GMT -7) on 31 Mar 2023]