Exploit mitigation or ransomware wildcards and variables and using the "$" variable

Anybody else tried using the "$" variable to exclude a filename and not work??

Looking at the article: Exploit mitigation or ransomware wildcards and variables - Sophos Central Admin

Is says this:

VariableExample$

All available drives.

For example, $\app.exe excludes app.exe on drive C:, drive D:, etc.

But when entering: "$\filename.exe" for the exclusion, the file name is still being caught. The only way I have been able to exclude the file is to enter the full path.

Open case #: 07009147

Added Tags
[edited by: Gladys at 7:01 AM (GMT -7) on 2 Oct 2023]

Top Replies

Qoosh over 1 year ago +1

Hi Slappy , Thanks for reaching out to the Sophos Community Forum. I was able to look into the support case you mentioned and the exclusion does appear to be populated correctly. Do you know if the…

Parents

+1 Slappy over 1 year ago

Finally was able to get the exclusion syntax that was needed. In global exclusion added Exclusion Type being: Exploit Mitigation (Windows) and then entered the correct syntax is: " **\<filename> This seems to have excluded the file no matter where the EXE file was located on the C: drive.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel
0 Qoosh over 1 year ago in reply to Slappy

Thanks for following up to share the solution you found.

Regarding your comment below, is the "app.exe" something that can be run stand-alone for testing purposes, or will this only work within your environment?

It may be worthwhile to inquire further with support to find out why the $ variable is not working correctly.

Edit/Update: Documentation has been updated to more accurately represent what the $ variable will do.

For example, $\app.exe excludes C:\app.exe, D:\app.exe, and so on.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Qoosh over 1 year ago in reply to Slappy

Thanks for following up to share the solution you found.

Regarding your comment below, is the "app.exe" something that can be run stand-alone for testing purposes, or will this only work within your environment?

It may be worthwhile to inquire further with support to find out why the $ variable is not working correctly.

Edit/Update: Documentation has been updated to more accurately represent what the $ variable will do.

For example, $\app.exe excludes C:\app.exe, D:\app.exe, and so on.

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

No Data