Exploit mitigation or ransomware wildcards and variables and using the "$" variable

Anybody else tried using the "$" variable to exclude a filename and not work??

Looking at the article: Exploit mitigation or ransomware wildcards and variables - Sophos Central Admin

Is says this:

VariableExample$

All available drives.

For example, $\app.exe excludes app.exe on drive C:, drive D:, etc.

But when entering: "$\filename.exe" for the exclusion, the file name is still being caught. The only way I have been able to exclude the file is to enter the full path.

Open case #: 07009147

Added Tags
[edited by: Gladys at 7:01 AM (GMT -7) on 2 Oct 2023]

Top Replies

Qoosh 10 months ago +1

Hi Slappy , Thanks for reaching out to the Sophos Community Forum. I was able to look into the support case you mentioned and the exclusion does appear to be populated correctly. Do you know if the…

Parents

+1 Slappy 10 months ago

Finally was able to get the exclusion syntax that was needed. In global exclusion added Exclusion Type being: Exploit Mitigation (Windows) and then entered the correct syntax is: " **\<filename> This seems to have excluded the file no matter where the EXE file was located on the C: drive.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Qoosh 10 months ago in reply to Slappy

Thanks for following up to share the solution you found.

Regarding your comment below, is the "app.exe" something that can be run stand-alone for testing purposes, or will this only work within your environment?

It may be worthwhile to inquire further with support to find out why the $ variable is not working correctly.

Edit/Update: Documentation has been updated to more accurately represent what the $ variable will do.

For example, $\app.exe excludes C:\app.exe, D:\app.exe, and so on.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Qoosh 10 months ago in reply to Slappy

Thanks for following up to share the solution you found.

Regarding your comment below, is the "app.exe" something that can be run stand-alone for testing purposes, or will this only work within your environment?

It may be worthwhile to inquire further with support to find out why the $ variable is not working correctly.

Edit/Update: Documentation has been updated to more accurately represent what the $ variable will do.

For example, $\app.exe excludes C:\app.exe, D:\app.exe, and so on.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data