How to avoid risky download warnings on intranet in Sophos Central Endpoint Protection

Can't add a reply to an old question, so hopefully this helps....

I was happy with a warning when trying to download an EXE or JAR file etc from the internet, to help protect users, but was not wanting this when trying to download our own JAR files from internal intranet (like from our own nexus repository).

The fix, coming off of what someone said on

was to go into Sophos Central Admin -> Endpoint Protection -> Policies, and under Threat Protection, I'd created my own policy, and inside that Settings->Exclusions you can add an exclusion for your IP subnet, such as or

You can also do in the Global Exclusions, but having it in your own policy probably is better.

removed EXE from subject
[edited by: Agilitas Ltd at 4:15 PM (GMT -8) on 2 Dec 2020]
  • Hi

    Thank you for updating the thread however it is not recommended to create any exclusions unless you are sure about the file you are downloading.


    Community Support Engineer | Sophos Technical Support
    Support Videos | Product Documentation@SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.


  • Thanks for that. Understood.

    We're developing software, and the release JAR packages go into our local Nexus repository server (on our own internal intranet) so the annoying thing is when then obtaining our own JAR file when clicking on the link to grab it (before deployment to a server etc) is it warns us about our own JAR file.  Ditto for our VStudio/EXE software.

    This is also why I needed to find an alternative to just changing the Web Control -> Java Archive (jar) to "Allow".  This would not then warn for anything downloaded from the internet which obviously is a LOT more risky!

    Not sure how else we can WARN/BLOCK for internet stuff, but yet ALLOW for internal intranet files.

    So it's like if you download from it would hopefully warn, but for our-server.ournetwork.local/.../cool-application.jar then it would allow without warning.

    There didn't seem to be a way to whitelist our own internal network other than doing this, and hoped this would help others.

    I'm happy to be pointed at a better solution!