
Sophos Intercept X Blocking Legitimate Files

Dear All,

Sophos Intercept X has been blocking legitimate files (macro-enabled Excel, .exe files, etc.) as RUNTIME\EXPLOIT PREV events. What options do I have to avoid this?

1. Exclude Intercept X for specific devices (huge RISK)

2. Exclude Excel from Intercept X (we have global policies and we do not want sub-group policies created for exceptions, so we are left with the option of excluding Excel on all 10K devices)

3. In Global - Scanning Exclusions, exclude the EVENT GENERATED for the exploit. However, every detection gets recorded differently and blocks the file with new timestamps.

P.S. Sophos Support states that the way Excel macros are created (in our case) is the same as malware behavior, so no luck in having it whitelisted via the signature definition updates.


Anyone else faced the same and had better luck in resolving this?



  • Hi skyisbluescreen,

    Sorry for the late reply. We would need to understand exactly what it is in those files that is causing the detections, by looking at samples and logs from the machine.

    You mention runtime and exploit detections on them; we would need to know specifically which detections you have seen. Most likely Application Lockdown and maybe some CXmail, DocDl or DocDrp detections, from your description.

    Have you previously raised a case with Support on this issue? If so, can you provide the case number?

    If not, I would recommend raising a Support ticket for this so we can investigate: https://secure2.sophos.com/en-us/support/open-a-support-case.aspx

    I don't see any issues with macro-enabled Excel files / Excel files executing macros, so I also think the blocking is caused by the macro itself.

    Regards, Jelle

    Sophos XG210-HA (SFOS 18.0.4) on SG210 appliances with Sandstorm and 1x AP55
    Sophos Central with Intercept X Advanced, Device Encryption, Phish Threat, Mobile Control Advanced

    If a post solves your question use the 'This helped me' link.

    Thanks, Peter, for your response.

    I had a case opened in the past regarding this; please see the response after the macro file analysis.

    The Detection ID / Thumbprint exclusion seems not to help, as I believe, as seen below, it keeps changing.
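The point raised in option 3 of the original post, and again in the last reply, is that an exclusion keyed on the identifier of one detection event never matches the next event, because every new detection gets a new ID and timestamp. The script below is an added example, not code from the thread or from Sophos, that makes this concrete on constructed records: it seeds each exclusion strategy from the first detection only and counts how many of the later detections would still fire. The record layout, field names, file contents and paths are invented for the illustration and are not the Intercept X log or policy format.

```python
"""Added example: which attribute an exclusion should key on.

Constructed detection records (NOT the Sophos Intercept X log format): the same
macro-enabled workbook trips repeatedly with a fresh event ID each time, once
more after its macro was edited, plus one unrelated executable.
"""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DetectionEvent:
    detection_id: str  # hypothetical per-event identifier, new on every detection
    timestamp: str
    path: str
    sha256: str


def file_sha256(data: bytes) -> str:
    """SHA-256 of file contents, the value a hash-based allow entry would carry."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for file contents (not real workbooks or binaries).
REPORT_V1 = b"PK\x03\x04 constructed stand-in for Report.xlsm, macro version 1"
REPORT_V2 = b"PK\x03\x04 constructed stand-in for Report.xlsm, macro version 2"
UPDATER = b"MZ constructed stand-in for updater.exe"

EVENTS: List[DetectionEvent] = [
    DetectionEvent("evt-0001", "2021-03-01T08:00:00Z", r"C:\Reports\Report.xlsm", file_sha256(REPORT_V1)),
    DetectionEvent("evt-0002", "2021-03-01T09:15:00Z", r"C:\Reports\Report.xlsm", file_sha256(REPORT_V1)),
    DetectionEvent("evt-0003", "2021-03-02T10:30:00Z", r"C:\Users\alice\Downloads\Report.xlsm", file_sha256(REPORT_V1)),
    DetectionEvent("evt-0004", "2021-03-03T11:45:00Z", r"C:\Reports\Report.xlsm", file_sha256(REPORT_V2)),
    DetectionEvent("evt-0005", "2021-03-03T12:00:00Z", r"C:\Tools\updater.exe", file_sha256(UPDATER)),
]


def remaining_after_id_exclusion(events: Iterable[DetectionEvent], excluded_ids: set) -> List[DetectionEvent]:
    """Option 3 from the post: exclude the event that was generated.
    Only the exact event is suppressed; the next detection carries a new ID."""
    return [e for e in events if e.detection_id not in excluded_ids]


def remaining_after_hash_exclusion(events: Iterable[DetectionEvent], excluded_hashes: set) -> List[DetectionEvent]:
    """Exclude by content hash: stable across re-detections of the same bytes,
    wherever the file sits, but a single edit to the macro changes the hash."""
    return [e for e in events if e.sha256 not in excluded_hashes]


def remaining_after_path_exclusion(events: Iterable[DetectionEvent], patterns: List[str]) -> List[DetectionEvent]:
    """Exclude by case-insensitive path glob: survives edits, but also covers
    any file an attacker manages to drop under the excluded path."""
    def matches(e: DetectionEvent) -> bool:
        return any(fnmatch.fnmatch(e.path.lower(), p.lower()) for p in patterns)
    return [e for e in events if not matches(e)]


def compare_strategies(events: List[DetectionEvent] = EVENTS) -> Dict[str, int]:
    """How many detections each strategy still lets through when the exclusion
    is seeded only from the first detection's attributes."""
    first = events[0]
    return {
        "by_detection_id": len(remaining_after_id_exclusion(events, {first.detection_id})),
        "by_sha256": len(remaining_after_hash_exclusion(events, {first.sha256})),
        "by_path_glob": len(remaining_after_path_exclusion(events, [r"C:\Reports\*.xlsm"])),
    }


if __name__ == "__main__":
    for strategy, left in compare_strategies().items():
        print(f"{strategy:18s} -> {left} of {len(EVENTS)} detections would still fire")
```

On these constructed records the per-event exclusion suppresses exactly one detection and the other four still fire, which is the behaviour the thread describes. The hash-based entry covers every re-detection of the unchanged workbook, including the copy in a user's Downloads folder, but stops matching once the macro is edited (the version 2 record), so it needs refreshing with each revision. The path glob survives edits but is the weakest control, since it trusts whatever lands at that path; it is the trade-off to weigh before choosing option 2 over a narrower exclusion.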