
[Latest KB's] How to investigate Exploit Detections

Hi Community,

Sophos Intercept X and Sophos Exploit Prevention protect your machines against malicious software or active adversaries using known exploit techniques to compromise or damage your systems and data.

Sometimes these detections can be unexpected, or raised against software that you believe to be safe or legitimate. In those cases it is worth investigating what triggered the detection and whether there was a legitimate reason for it to be raised.

In some of these cases the detection may turn out to be a false positive, which can mean one of two things (for example):

  • The software is known to use exploit techniques as part of its day-to-day functionality. Here the detection is expected behaviour: our software is working as intended, even though the application itself is legitimate.
  • The software is performing legitimate actions that do not involve an exploit technique. Here the detection is a true false positive: our identification of the exploit is not correct.

The article linked below explains the cases in which we would expect a detection to be raised against "trusted" software that is genuinely performing an exploit technique, and outlines the information Sophos Support will require to investigate your issue further.

Please refer to the below article for more information: