
How do the 3 exclusions for Exploit Mitigation work?

I mean there are 3 places where an exclusion for exploit mitigation can be applied:

1. inside the Base Policy, Add Exclusion, select Detected Exploit

2. inside Settings, Exploit Mitigation Exclusions

3. inside Settings, General Scanning Exclusions, again Add Exclusion, select Detected Exploit

It seems they are 3 different layers.

Which is the hierarchy?

Who wins?



  • Hello FabioTerrone,

    Who wins?
    is probably not the correct question, as the presence or absence of an exclusion is not the same as an enabled or disabled setting. Exclusions are cumulative, so all win :).
    3 is on the system level, i.e. global, and applies to all your users (and their devices) and servers. 2 is also global - the help doesn't mention servers though (as far as I understand it, 3 excludes an application/threat combination, 2 excludes an application generally), but the question would be whether it applies to servers as well, not who wins.

    Christian

  • Thank you Christian the guide is very useful.

    I want to copy and paste some parts, as there are many details that can help with the definitive answer.

    Regarding 3, System Settings \ Global Scanning Exclusions:

    "You can exclude files, websites and applications from scanning for threats. You can also exclude applications from detected exploits.

    For example, you might exclude activity by some commonly-used applications to reduce the impact of scanning on performance.

    Note: These exclusions will apply to all your users (and their devices) and servers. If you want them to apply only to certain users or servers, use the scanning exclusions in the policies instead."

    Regarding 2, System Settings \ Exploit Mitigation Exclusions:

    "Exploits that Sophos can prevent include application hijacking and exploits that take advantage of vulnerabilities in browsers, browser plug-ins, Java applications, media applications and Microsoft Office applications.

    You can exclude applications from protection against security exploits. For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

    The Exploit Mitigation Exclusions page displays a list of applications excluded from protection against security exploits.

    Note: These applications are excluded from exploit protection for all your users and their devices. You can only exclude applications that have been detected as a threat."
    Please check the details at docs.sophos.com/.../index.htm

    The problem to understand is section 1, the Base Policy:

    "A policy is a set of options (for example, settings for malware protection) that Sophos Central applies to protected users or servers.

    Users, computers and servers have separate policies.

    The Base policy is the default policy. Sophos provide it and configure it with the best-practice settings. The Base policy applies to all users, computers or servers initially. You can leave it unchanged or edit it to suit your needs.

    If you want to apply the same policy to all users, computers or servers, you can simply use the Base policy or adapt it for your needs.

    If you want to use different settings for different groups of users, computers or servers, you can create additional policies.

    The order in which you arrange the policies determines which settings are applied for each security feature.

    To find the policy to apply for a user, Sophos Central looks through the policies from the top down."

    Please check for more details here: http://docs.sophos.com/sophos-cloud/customer-dashboard/help/en-us/webhelp/index.htm#concepts/AboutPolicies.htm

    As there are many variables and not a clear hierarchy, it is not easy to find the right answer. But it is clearer now, reading the guide, how to try to find one.

    The problem for me is how to exclude a false positive of an application that is detected as an "Exploit", nothing regarding the Server problem, but for all computers.

    In other words, which sections should I use to be sure that on all computers (not regarding "Server" or "user") I will have no more false positives as Exploit?

    And to understand: if I find a detected exploit (in Add Exclusion) in one section, what does it mean, and why do I find it in that section or in more than one section?

    For Christian: it seems that there is a Base Policy for Users and Computers and another one for Servers, but if you use a Global Scanning Exclusion, that exclusion will work for users, computers and servers.

  • Hello Fabio Terrone,

    you'd exclude a false positive "exploit" in the Global Scanning Exclusions. As you have noted, they apply to users and servers alike.
    I'm not familiar with the interface but I assume there's only one detected exploits list and it's available wherever you can define an exploit exclusion. 

    Are the underlined sentences those parts for which you need clarification? If so, could you perhaps rephrase them as questions?

    Christian

    I'll try and answer this. I'm going to change your order here as well:

    In order of applicable settings:

    1) Exploit Mitigation Exclusion - This excludes the application from any detections from Intercept X. It stops Intercept X loading on the process much earlier than other methods.

    2) Both the Policy detected exploit and global general scanning exclusion apply at the same time, as the two are merged when sent out to endpoints for policy. The key difference is that these exclusions are specific to the application, trigger, and type of detection. This means that if you are getting a detection for, say, LoadLib on Internet Explorer, and exclude it via this method, then later have a Lockdown detection, it will still trigger the Lockdown detection.

    So it is recommended to use a detected exploit exclusion, as this is much more specific, and is the narrowest opening possible to add an exclusion. Additionally, not all software will be available for selection in Exploit Mitigation Exclusions, as only certain software configurations are detected for this list.
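As an added illustration (not Sophos code and not from any post in this thread), here is a small Python model of the two rules the reply above describes: the policy and global Detected Exploit lists are merged into one set and match only on the exact application/trigger/type combination, while an Exploit Mitigation Exclusion removes the whole process from Intercept X. The dataclass names, the (application, trigger, type) key and the sample process name are assumptions made for the example, and the sample detections are constructed.

```python
"""Constructed model (not Sophos code) of how the three exclusion layers
combine on an endpoint: one broad, process-level exclusion and two narrow,
detection-level lists that are merged before evaluation. Field names and the
shape of a detection are assumptions for the example."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Tuple

# A detected-exploit exclusion is specific to (application, trigger, detection type).
DetectedExclusion = Tuple[str, str, str]


@dataclass(frozen=True)
class Detection:
    application: str  # process name, e.g. "iexplore.exe"
    trigger: str      # mitigation that fired, e.g. "LoadLib" or "Lockdown"
    kind: str         # type of detection, e.g. "Exploit"


@dataclass(frozen=True)
class Exclusions:
    # Settings > Exploit Mitigation Exclusions: whole application, global.
    exploit_mitigation: FrozenSet[str]
    # Base/other policy > Add Exclusion > Detected Exploit (per policy).
    policy_detected: FrozenSet[DetectedExclusion]
    # Settings > General Scanning Exclusions > Detected Exploit (global).
    global_detected: FrozenSet[DetectedExclusion]


def effective_detected_exclusions(
    policy: Iterable[DetectedExclusion], global_: Iterable[DetectedExclusion]
) -> FrozenSet[DetectedExclusion]:
    """Policy and global detected-exploit exclusions are merged when sent to
    the endpoint: the result is the union, so neither list 'wins'."""
    return frozenset(policy) | frozenset(global_)


def is_suppressed(det: Detection, ex: Exclusions) -> bool:
    """True if this detection would not be raised under the given exclusions."""
    # Layer 1: the process is excluded from Intercept X entirely, so no
    # exploit mitigation fires for it regardless of trigger or type.
    if det.application in ex.exploit_mitigation:
        return True
    # Layers 2 and 3: only the exact application/trigger/type triple matches,
    # so a LoadLib exclusion does not silence a later Lockdown detection.
    key = (det.application, det.trigger, det.kind)
    return key in effective_detected_exclusions(ex.policy_detected, ex.global_detected)


# Constructed sample: a false-positive LoadLib detection on Internet Explorer,
# excluded via the policy's Detected Exploit list only.
NARROW = Exclusions(
    exploit_mitigation=frozenset(),
    policy_detected=frozenset({("iexplore.exe", "LoadLib", "Exploit")}),
    global_detected=frozenset(),
)
# The same application excluded wholesale via Exploit Mitigation Exclusions.
BROAD = Exclusions(
    exploit_mitigation=frozenset({"iexplore.exe"}),
    policy_detected=frozenset(),
    global_detected=frozenset(),
)

LOADLIB = Detection("iexplore.exe", "LoadLib", "Exploit")
LOCKDOWN = Detection("iexplore.exe", "Lockdown", "Exploit")


if __name__ == "__main__":
    for name, ex in (("narrow", NARROW), ("broad", BROAD)):
        for det in (LOADLIB, LOCKDOWN):
            print(f"{name:6} {det.trigger:8} suppressed={is_suppressed(det, ex)}")
```

Running the block shows the point of the reply: under the narrow (Detected Exploit) exclusion the LoadLib false positive is silenced but the Lockdown detection on the same process still fires, whereas the Exploit Mitigation Exclusion silences both, which is why the narrower form is the safer choice for a false positive.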