Sophos Exploit Prevention: How to exclude applications from Exploit Mitigation functionality

Shweta 8 months ago

Disclaimer: This information is posted as-is and the content should be referenced at your own risk

Overview

This article describes how to exclude an application from Exploit mitigations on the below platforms:

Sophos Central (managing Sophos Intercept X)
Sophos Enterprise Console (managing Sophos Exploit Prevention)

We will cover how to exclude 'known' applications (applications that the Sophos Endpoint detects as installed business applications) and 'unknown' applications (applications that are not categorised by the Sophos Endpoint as business applications but may still require exclusion).

Please note: Sophos does not suggest excluding any applications from any of our protection methods unless the application is fully trusted by the customer. Customers excluding applications do so at their own risk.

For further information on exclusions methods for Cryptoguard please see this article.

The following sections are covered:

Applies to the following Sophos products and versions
Sophos Central Admin
Enterprise Console 5.5.1
Central Endpoint Intercept X 2.0.14
Exploit Prevention
Central Server Intercept X 2.0.8

What to do

Sophos Enterprise Console

Excluding an exploit mitigation detection (Requires Enterprise Console 5.5.1 or above)

This method can be used to exclude a particular application in the Enterprise Console after a detection has been raised against it.

This method will add an exclusion for the Thumbprint associated with this particular detection. If the exact same behaviour occurs again on your estate then this will not trigger a detection.

However anything that changes the behaviour in some way (different paths involved, different files involved, different application, etc) will change the Thumbprint and will therefore require a separate exclusion.

In the Enterprise Console navigate to 'Policies' > 'Exploit Prevention'
Locate the Exploit Prevention policy relating to the affected machine(s)
Select 'Exploit Exclusions'
Highlight the detected exploit in the list that you wish to exclude and click 'Exclude'
Click 'OK' to apply your changes
This particular exploit will be excluded on machines protected by this Exploit Prevention policy

Excluding a 'known' application

This method is useful if you have an application that either reports a large number of unexpected exploit mitigation detections or suffers from performance issues when the exploit mitigation functionality is active.

This is also the only method of exclusion available to customers running Enterprise Console 5.5.0.

In the Enterprise Console navigate to 'Policies' > 'Exploit Prevention'
Locate the Exploit Prevention policy relating to the affected machine(s)
Select 'Application Exclusions'
Highlight the application you wish to exclude and click 'exclude;
Click 'OK' to save your changes
The exclusion will then be applied to all machines protected by this Exploit Prevention Policy

Excluding an 'unknown' application

Currently within the Sophos Enterprise Console there is no way of excluding unknown applications. Please contact Sophos Support if you require assistance in this scenario.

Related information

How to exclude applications from Cryptoguard

Feedback and contact

Have an idea or suggestion regarding our Documentation, Knowledgebase, or Videos? Please visit our User Assistance forum on the Community to share your idea!