Allowed Application exclusion by certificate

Hi all,

we want to allow an application by the vendor certificate cause this appilcation uses some powershell stuff.

Now we have the problem that we can only do this, when the application is getting detected as an PUA.

But this is not the case for us.

The Application we want to allow is launching a powershell which executes encoded commands.

So I get only this event details that a powershell got executed.

I think excluding this via the Detection ID will not resolv our problem cause we do not want to generally allow powershell to execute this type of executions.

Just when it comes from the specific application.

For me it seems a bit careless to allow the applicaton by path cause when I replace it with an another executable with the same name it will work as well. 

And it might be the case that the powershell is getting blocked as well cause I see no association with the parent exe file in sophos central.

What will be the correct way to allow our application?

My personal wish would be by certificate which includes all sub processes which is not configurable under "Allow Applications".

Thanks all for your help!



Added TAGs
[edited by: Qoosh at 9:18 PM (GMT -7) on 26 Oct 2022]
Parents
  • Hi Lukas,

    Thanks for reaching out to the Sophos Community Forum. 

    In this case, the "Detection type: Behavioral" indicates that this detection occurred due to the specific operations observed when PowerShell ran. In this situation, the guidance under the "Stop detecting an exploit" section will apply.

    If you choose "Exclude this Detection ID from checking," this will mean that only the specific operations observed when the detection occurred will be allowed. If the files or folders that are being interacted with change each time, this may result in a new "Thumbprint/Detection ID" being generated.

    I suggest giving the exclusion a try, then re-running the same operation to see if a new detection is raised. If this continues to cause issues for you, I suggest opening a support case with our team so we can take a closer look. 

    If you can share the information shown in Event ID 911 from the Windows Event Viewer logs when this detection occurred, I may be able to advise further.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • Hi Lukas,

    Thanks for reaching out to the Sophos Community Forum. 

    In this case, the "Detection type: Behavioral" indicates that this detection occurred due to the specific operations observed when PowerShell ran. In this situation, the guidance under the "Stop detecting an exploit" section will apply.

    If you choose "Exclude this Detection ID from checking," this will mean that only the specific operations observed when the detection occurred will be allowed. If the files or folders that are being interacted with change each time, this may result in a new "Thumbprint/Detection ID" being generated.

    I suggest giving the exclusion a try, then re-running the same operation to see if a new detection is raised. If this continues to cause issues for you, I suggest opening a support case with our team so we can take a closer look. 

    If you can share the information shown in Event ID 911 from the Windows Event Viewer logs when this detection occurred, I may be able to advise further.

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children