Add "Exploit Mitigation" as an exclusion type for threat policies

Currently there are only 7/9 Exclusion Types (compared to the 9 Exclusion Types in Global Settings/ Global Exclusions) available when adding an exclusion to a threat protection policy. Why are there less options to create granular exclusions at the policy level, but more options at the global level? This seems backwards, because we would want to be more restrictive closer to the endpoint and not the other way around.  

Discussion: In an enterprise environment with many users filling a variety of job requirements, the inability to create granular Exploit Mitigation exclusions makes for a cumbersome exclusion process. Yes, this option is available in Global Exclusions, however we may only want to exclude a certain Exploit Mitigation (i.e. Lockdown exploit) from being detected in a given application (i.e. Excel, Adobe, etc.) for only a handful of tens of thousands of computers. In this case, we would want to create a specific policy for a subset of users to which we could apply this exclusion for.

Because of the unique nature of a detection ID/ thumbprint that is assigned to an exploit mitigation event, creating a custom policy and adding a "Detected Exploits" exclusion is not effective. One example is a user who had a custom script that is run on ever-changing Excel reports. The script that gets run on the report is a PowerShell script, and had a handful of commands that could be run. Different commands generated different detection IDs, thus requiring a custom threat protection policy to be created with 7 Detected Exploit exclusions.

I have submitted a feature request via the ideas portal. Please vote if you agree with the sentiments shared in this discussion post. 

https://ideas.sophos.com/forums/428821-sophos-central/suggestions/38563375-add-exploit-mitigation-as-a-policy-exclusion-typ

 

Exclusion Types available when making a **Threat Protection Policy** Exclusion in Sophos Central


 

Exclusion Types available when making a **Global** Exclusion in Sophos Central

  • Hi  

    Thank you for sharing the idea as a feature request with us.

    I'd request you, not to do any type of exploit mitigation on the computers even if it gets available in the threat protection policy until you are caught up with an unnecessary detection which is false positive and can take time to get resolved. This is the motive behind providing this exclusion because the permanent deployment of any exploit mitigation exclusion can result in unprotected environment and it raises the chances of an attack on the organization. 

  • In reply to Jasmin:

    Hi  I agree and we do not make any exclusions without first carefully making sure they are false-positives. I am asking for this feature to be added for the purpose of adding exclusions after false-positive has been confirmed by the security operations center. Also, I understand that the permanent deployment of any exploit mitigation exclusion can result in an increased attack vector, but following that same logic, why is it an option to globally make an exclusion like this, but not at the policy level? 

  • In reply to txmx:

    Hi  

    As you have opened a feature request for the policy based exploit mitigation, it will be considered to avail the exploit mitigation in the policy-based exclusions as well.

    Currently for the time being one option is available to exclude the whole group of media, office, Java applications, web browsers and their plug-ins by disabling that option in the threat protection policy under runtime protection section.