Sophos Intercept X and Sophos Exploit Prevention protect your machines against malicious software or active adversaries using known exploit techniques to compromise or damage your systems and data.
Sometimes these detections can be unexpected or raised against software that you may believe to be safe or legitimate. At these times it is worth investigating the trigger for the detection and also whether there is a legitimate reason that the detection was raised.
In some of these cases it may be identified that the detection is a false positive against (for example):
This article aims to explain the cases where we would expect a detection to be raised against "trusted" software that is performing a true exploit technique and also to outline the information that Sophos Support will require to investigate your issue further.
The following sections are covered:
Applies to the following Sophos products and versions: Central Windows Endpoint, Intercept X 2.0.16, Exploit Prevention
There are known cases where we see detections raised against trusted software when it performs actions that are similar or identical to exploit techniques undertaken by malicious software. In these scenarios our software is working as intended and blocking a "true" exploit technique.
If you have been using an application for some time alongside Sophos and have only recently seen a detection occur, then the below article may provide some explanation and guidance on this:
The below articles cover the most common of these:
If you trust the application that is undertaking these actions you can exclude the application by following the below articles:
However, if you have any concerns about whether the application is:
Then please capture the below information and raise a case with Sophos Support:
If your request is related to a Cryptoguard detection, Support also require the following:
If the occasion arises where you believe an exploit detection is a false positive you can raise this request with Sophos Support. The information that Sophos Support need to be able to process your request is: