This article describes how to exclude an application from Exploit mitigations on the below platforms:
We will cover how to exclude 'known' applications (applications that the Sophos Endpoint detects as installed business applications) and 'unknown' applications (applications that are not categorised by the Sophos Endpoint as business applications but may still require exclusion).
Please note: Sophos does not suggest excluding any applications from any of our protection methods unless the application is fully trusted by the customer. Customers excluding applications do so at their own risk.
For further information on exclusion methods for CryptoGuard please see this article.
The following sections are covered:
Applies to the following Sophos products and versions: Sophos Central Admin; Enterprise Console 5.5.1; Central Endpoint Intercept X 2.0.14; Exploit Prevention; Central Server Intercept X 2.0.8
Please note that Exploit Mitigation exclusions in Sophos Central are applied to your whole estate once they are saved.
This method can be used to exclude a particular application after a detection has been raised against it in Sophos Central:
If a detection has not been raised for an application, but you have identified that the application needs to be excluded from a particular mitigation, you can set this up in Sophos Central.
This method is useful if you have an application that either reports a large number of unexpected exploit mitigation detections or suffers from performance issues when the exploit mitigation functionality is active.
This method is useful if you have a business application that is not categorised by the Sophos Endpoint as a common business application but still suffers from issues when the Exploit Mitigation functionality is enabled.
This method can be used to exclude a particular application in the Enterprise Console after a detection has been raised against it.
This method will add an exclusion for the Thumbprint associated with this particular detection. If the exact same behaviour occurs again on your estate then this will not trigger a detection.
However, anything that changes the behaviour in some way (different paths involved, different files involved, different application, etc.) will change the Thumbprint and will therefore require a separate exclusion.
This is also the only method of exclusion available to customers running Enterprise Console 5.5.0.
Currently within the Sophos Enterprise Console there is no way of excluding unknown applications. Please contact Sophos Support if you require assistance in this scenario.