
v21 Third Party Feeds

Hey all

With v21 accepting third party feeds I was hoping to ingest the CTIS data from the ACSC, but it's in STIX format and v21 only supports the one-IoC-per-line format.

I have found a couple of IP Lists to pull threat data from to add.

TorNodes for all Tor related IPs and also TALOS has a feed (both have about 1200-1500 IPs) - I can share the URLs if needed but the forum blocks me if I post them :-0

What other feeds do you have or are looking to add?



[edited by: Erick Jan at 12:24 AM (GMT -7) on 23 Oct 2024]
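Added example, not code from the original post or from Sophos: a small Python converter that pulls IPv4/IPv6 indicators out of a STIX 2.1 bundle and writes them one per line, which is the format the post says v21 accepts. The bundle it parses is constructed for the example, not real CTIS data; whether the importer accepts CIDR entries is an assumption, so the `allow_cidr` switch lets you drop them.

```python
"""Convert STIX 2.1 IP indicators to a one-IoC-per-line text feed.

Added example. SAMPLE_BUNDLE is constructed: it is not ACSC CTIS data.
"""
from __future__ import annotations

import ipaddress
import json
import re

# Constructed sample bundle: a plain IPv4 indicator, a compound pattern with a
# CIDR and a repeated address, a domain indicator (not an IP, skipped), a
# revoked indicator (skipped) and a bare ipv4-addr observable object.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.0/24' OR "
                    "ipv4-addr:value = '198.51.100.23']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'example.invalid']"},
        {"type": "indicator", "spec_version": "2.1", "revoked": True,
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '192.0.2.9']"},
        {"type": "ipv4-addr",
         "id": "ipv4-addr--00000000-0000-4000-8000-000000000006",
         "value": "192.0.2.77"},
    ],
})

# Matches the value side of ipv4-addr / ipv6-addr comparisons in a STIX pattern.
_ADDR_RE = re.compile(r"ipv[46]-addr:value\s*=\s*'([^']+)'")


def extract_ips(bundle_json: str, allow_cidr: bool = True) -> list[str]:
    """Return the unique IP entries from a STIX bundle, in first-seen order.

    Revoked indicators and non-STIX pattern types are ignored; anything that
    does not parse as an IP address or network is silently skipped.
    """
    bundle = json.loads(bundle_json)
    entries: list[str] = []
    for obj in bundle.get("objects", []):
        candidates: list[str] = []
        if obj.get("type") == "indicator":
            if obj.get("revoked", False) or obj.get("pattern_type", "stix") != "stix":
                continue
            candidates = _ADDR_RE.findall(obj.get("pattern", ""))
        elif obj.get("type") in ("ipv4-addr", "ipv6-addr"):
            candidates = [obj.get("value", "")]
        for cand in candidates:
            try:
                net = ipaddress.ip_network(cand, strict=False)
            except ValueError:
                continue  # malformed value in the feed; not worth importing
            if net.num_addresses == 1:
                text = str(net.network_address)   # single host, no /32 suffix
            elif allow_cidr:
                text = str(net)                   # keep the range as CIDR
            else:
                continue                          # importer assumed host-only
            if text not in entries:
                entries.append(text)
    return entries


def to_feed_text(bundle_json: str, allow_cidr: bool = True) -> str:
    """Render the extracted entries as the one-per-line feed file."""
    return "\n".join(extract_ips(bundle_json, allow_cidr)) + "\n"


if __name__ == "__main__":
    print(to_feed_text(SAMPLE_BUNDLE), end="")
```

Point the script at a saved bundle (`to_feed_text(open("bundle.json").read())`) and publish the output on a web server the firewall can fetch from. Dropping revoked indicators matters: a STIX producer retracts bad entries by setting `revoked`, and a naive regex over the whole file would keep blocking them.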
  • After testing TF a while I think this is a good feature, focusing on the needs of the user.

    Right now we're having some trouble with DNS requests made by browsers to random IPs from AWS, Google, Cloudflare on a threat list. This is mostly false positives but impossible to exclude because of ever-changing IPs.

    This will not be an issue for regular web surfing clients.

    But most of the computers here have Intercept-X heartbeat and as soon as they hit such a Threat Feed, it is synced to Central which then flags the Computer with red health, requiring an admin to "fix" this in Central.

    As these were all false positives (many more than on the screenshot below), we needed to change the feed from block to monitor only.

    So my questions here are:

    Are there plans from Sophos to enable exclusions for a detection like "DNS"? Currently you can only exclude IPs.

    Are there plans to be able to make exclusions based on feed? Right now an exclusion is for all feeds, including the Sophos managed feeds.
    That way we could block all IPs from the Feed list inbound facing only the firewall WAN for bruteforce (User, SSL, VPN Portal etc) while allowing outbound user traffic.
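Added example, not from the thread or from Sophos: since the firewall only offers per-IP exclusions that apply to every feed, the practical workaround is to clean a third party list before the firewall fetches it. This Python filter drops unparsable lines, duplicates, non-routable ranges (which would be a false-positive disaster if they ever landed in a blocklist) and any entry inside an operator-maintained exclusion set, and returns a per-reason report you can review while the feed runs in monitor mode. The feed lines and the exclusion range are constructed; in practice you would populate `EXCLUDE_RANGES` from the published address ranges of the services whose shared IPs keep showing up as false positives.

```python
"""Pre-filter a one-IP-per-line threat feed before importing it.

Added example. SAMPLE_FEED and EXCLUDE_RANGES are constructed values.
"""
from __future__ import annotations

import ipaddress
from collections import Counter

# Constructed feed: comment, duplicate, RFC 1918 address, junk line, one
# address inside the exclusion range and one range that overlaps it.
SAMPLE_FEED = """# constructed feed, not a real list
198.51.100.23
203.0.113.7
203.0.113.7
10.0.0.5
not-an-ip
192.0.2.130
192.0.2.0/24
"""

# Operator-maintained ranges that must never be blocked (constructed).
EXCLUDE_RANGES = ["192.0.2.128/25"]

# Explicit non-routable list rather than ipaddress.is_private: the stdlib
# also flags the documentation ranges used as sample data here, and its
# behaviour changed between Python versions.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def filter_feed(feed_text: str, exclude_ranges: list[str]):
    """Return (kept_entries, dropped) where dropped is (line_no, text, reason)."""
    excludes = [ipaddress.ip_network(r) for r in exclude_ranges]
    kept: list[str] = []
    dropped: list[tuple[int, str, str]] = []
    seen: set[str] = set()
    for line_no, raw in enumerate(feed_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            dropped.append((line_no, line, "unparsable"))
            continue
        # overlaps() is False across address families, so mixing v4/v6 is safe.
        if any(net.overlaps(n) for n in NON_ROUTABLE):
            dropped.append((line_no, line, "non-routable"))
            continue
        # A range that even partially overlaps an exclusion would block the
        # excluded hosts, so it is dropped rather than trimmed.
        if any(net.overlaps(x) for x in excludes):
            dropped.append((line_no, line, "excluded"))
            continue
        text = str(net.network_address) if net.num_addresses == 1 else str(net)
        if text in seen:
            dropped.append((line_no, line, "duplicate"))
            continue
        seen.add(text)
        kept.append(text)
    return kept, dropped


def summarize(dropped) -> dict[str, int]:
    """Count dropped lines per reason, for the monitor-mode review."""
    return dict(Counter(reason for _, _, reason in dropped))


if __name__ == "__main__":
    kept, dropped = filter_feed(SAMPLE_FEED, EXCLUDE_RANGES)
    print("\n".join(kept))
    print("dropped:", summarize(dropped))
```

Run it on a cron job that fetches the upstream list, writes the filtered output to the URL the firewall polls, and logs the dropped report; a sudden jump in the `excluded` count is a cheap signal that the upstream list has started sweeping in shared infrastructure again.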

  • We have some plans to improve this, but I would still recommend customers to be careful with those lists. The lists and databases are most of the time full of false positives or not very well maintained entries, leading to F-P disasters.


  • I've turned it off for the moment, but as you say you have to be careful re the lists.
