Central Endpoint & Intercept X: How to create an exclusion for a detected exploit

Disclaimer: This information is provided as-is and should be referenced at your own risk.


When Sophos detects an exploit, it is because an application exhibited behavior that resembles an exploit technique. This detection capability is a very important part of your cyber security posture and a major differentiator of Sophos Intercept X. The exploit techniques are documented here:

Occasionally it is necessary to create an exclusion for a detected exploit. Older applications, homegrown programs, and some browser plugins can trigger a detection when they are not actually a threat.

Note: Before creating an exclusion, it is important to confirm that the detected behavior is not malicious activity.
There are generally two ways to create these exclusions:

  1. via a policy
  2. globally

From a security perspective, it is always better to create an exclusion in a policy and limit it to the machines or users whose productivity is hampered by the detection. However, if the application is widely used, you also have the option to create the exclusion globally. Again, I urge caution: only exclude detections that you have vetted and know for certain are not an actual threat.

To make an exclusion via a policy:

  1. Navigate to your Threat Protection policies and edit the applicable policy.
  2. At the bottom of the policy you are modifying, you will see the exclusion section; it also displays any global exclusions. Click Add Exclusion.
  3. In the Exclusion Type dropdown, select Detected Exploits.
  4. Select the detected exploit (or several) that you wish to exclude. Note that these exclusions are specific to the exploit detected and the process that caused it.
  5. Click Add, and they will be added to the exclusion list within the policy. Don't forget to scroll to the top of the policy and click Save. Then test a client by updating it and running the application that caused the detected exploit. You are done!

There are a few ways to make an exclusion globally; they are documented in the KB below.