Applies to: Sophos Home for Windows and macOS
Important: Exceptions and exclusions are added at your own discretion. If you are unsure whether a file is safe to exclude, submit a sample to Sophos Labs first: Sophos - Submit a Sample
Files, folders, websites or applications added to exceptions will not be checked for threats by the antivirus scanner. This means that you would allow things that Sophos Home would otherwise block.
Note: On macOS exceptions only apply to on-access scans and not to full scans or on-demand scans.
Understanding the context of a detection
It is important to treat every detection as malicious and not authorize anything in your environment unless you are confident it is safe to do so.
Potentially Unwanted Application (PUA) detections are not malicious, but the software might not be what you want running on a corporate network. PUA detections have names such as:
- Generic ML PUA
- Generic Reputation PUA
- Generic PUA*
For malicious detections that you may wish to investigate further, some example detection names are:
- ML/PE-A
- Mal/Generic-*
- C2/Generic-*
- CXmail/*
Further understanding detections
The table below displays a list of malicious and clean indicators. It is important to use these purely as an indicator and not confirmation of a file being malicious or clean. Even if a file exhibits all of the clean indicators it could still be malicious and likewise a clean file may show many suspicious indicators.
Malicious indicator | Clean indicator |
---|---|
Detection of an unknown file, possibly with a random name. | Detection of known files that belong to a legitimate application*. |
An executable file in a temp/user data location. | Executable files whose name is relevant to the location or application they were detected in. |
Detection of a file that was created at the time of the detection or shortly before. | Detection of a file which has been on the device for a longer period of time, i.e. weeks/months. |
Other recent detections on the same device. | The detection occurs during the installation of new software in your environment (including new antivirus software). |
The file is detected by other antivirus vendors (how to check this is described below). | No other antivirus vendors detect the file (how to check this is described below). |
Note: legitimate applications are routinely abused by malicious attackers who for example use exploits or inject code into these applications in order to make them take malicious actions.
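As an added example (not part of the Sophos article), the Python below turns the indicators in the table into a small triage routine that runs over constructed detection events and reports which malicious and clean indicators apply. The "random name" test, the temp/user-data path hints, the executable suffix list and the time thresholds are all assumptions chosen for the example; the two events are constructed, and the detection names are taken from the lists above. The output is deliberately limited to "investigate", "inconclusive" or "probably benign, confirm before excluding", matching the article's point that indicators are never a confirmation.

```python
import ntpath
from datetime import datetime, timedelta

# Thresholds and path hints are assumptions chosen for this example, not values
# taken from Sophos Home.
TEMP_OR_USER_DATA_HINTS = (
    "\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\appdata\\roaming\\",
    "\\users\\public\\", "\\downloads\\",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".com")
RECENT_CREATION = timedelta(hours=1)   # "created at the time of the detection or shortly before"
LONG_RESIDENCE = timedelta(weeks=2)    # "on the device for a longer period, i.e. weeks/months"
VOWELS = set("aeiou")


def detection_class(detection_name):
    """Split a detection name the way the article does: PUA versus malicious."""
    return "pua" if "PUA" in detection_name.upper() else "malware"


def looks_random(filename):
    """Crude 'random name' test: digit-heavy or vowel-free name stems.

    Legitimate names such as msvcp140.dll also trip this, which is why the
    article treats it as an indicator rather than a verdict.
    """
    stem = ntpath.splitext(filename)[0].lower()
    letters = [c for c in stem if c.isalpha()]
    digits = [c for c in stem if c.isdigit()]
    if len(stem) >= 8 and len(digits) / len(stem) >= 0.3:
        return True
    return len(letters) >= 6 and not any(c in VOWELS for c in letters)


def in_temp_or_user_data(path):
    low = path.lower()
    return any(hint in low for hint in TEMP_OR_USER_DATA_HINTS)


def triage(event):
    """Return (malicious_indicators, clean_indicators) for one detection.

    `event` carries: path, detection_name, created and detected (datetimes)
    and other_recent_detections (count on the same device).
    """
    malicious, clean = [], []
    name = ntpath.basename(event["path"])
    age = event["detected"] - event["created"]
    if looks_random(name):
        malicious.append("random-looking file name")
    if in_temp_or_user_data(event["path"]) and name.lower().endswith(EXECUTABLE_SUFFIXES):
        malicious.append("executable in a temp/user data location")
    if age <= RECENT_CREATION:
        malicious.append("file created at or shortly before the detection")
    elif age >= LONG_RESIDENCE:
        clean.append("file has been on the device for weeks or longer")
    others = event.get("other_recent_detections", 0)
    if others:
        malicious.append(f"{others} other recent detection(s) on this device")
    return malicious, clean


def verdict(event):
    """Reduce the indicators to the outcomes the article allows; never 'safe'."""
    malicious, clean = triage(event)
    is_malware = detection_class(event["detection_name"]) == "malware"
    if len(malicious) >= 2 or (is_malware and malicious):
        return "investigate"
    if not malicious and clean:
        return "probably benign, confirm before excluding"
    return "inconclusive"


NOW = datetime(2024, 5, 1, 12, 0, 0)
SAMPLE_EVENTS = {   # constructed for this example
    "suspicious": {
        "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\a8f3k2j9x1q.exe",
        "detection_name": "ML/PE-A",
        "created": NOW - timedelta(minutes=3),
        "detected": NOW,
        "other_recent_detections": 2,
    },
    "benign_looking": {
        "path": "C:\\Program Files\\VendorApp\\VendorApp.exe",
        "detection_name": "Generic ML PUA",
        "created": NOW - timedelta(days=90),
        "detected": NOW,
        "other_recent_detections": 0,
    },
}

if __name__ == "__main__":
    for label, ev in SAMPLE_EVENTS.items():
        m, c = triage(ev)
        print(f"{label}: {verdict(ev)}; malicious={m}; clean={c}")
```

The first constructed event (random name, in a temp folder, created minutes before the detection, with two other recent detections) collects every malicious indicator; the second (a long-resident file under Program Files with a PUA detection) collects none, and still only earns "confirm before excluding".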
How to check if other antivirus vendors detect a file
Sometimes it may help you to get an idea if a file is malicious or not by comparing the Sophos detection to that of other antivirus vendors.
Websites like VirusTotal.com provide a very useful resource for helping you test this.
VirusTotal is a service that is free to use (owned by Google).
VirusTotal inspects items with over 70 antivirus scanners and URL/domain blacklisting services, in addition to a myriad of tools to extract signals from the studied content. Any user can select a file from their computer using their browser and send it to VirusTotal.
VirusTotal is a powerful and easy-to-use resource, but it is only an indicator of what other antivirus vendors think about a file or URL; it should not be taken as confirmation that a file is malicious or clean. Even if every other vendor detects the same file, they could all be wrong. Likewise, if nobody detects it, that may be because it is a new attack that nobody has detection for yet, not because the file is clean.
Using and understanding VirusTotal results
The easiest way to use VirusTotal for file analysis is to upload the file directly on VirusTotal.com (drag and drop also works). Note that uploaded files are shared with the VirusTotal community, so do not upload documents that contain confidential data; search for the file's hash instead.
After submitting a file to VirusTotal you will most likely see one of four scenarios:
A large number (30+) of antivirus vendors detect the file
This is a very strong indicator that the file is malicious and should be removed from your environment. A false positive is possible but unlikely, and it is not advisable to authorize this file without first confirming with Sophos Labs via the Submit a sample page.
A small number (5 or fewer) of antivirus vendors detect the file
In this situation, it is difficult to make a decision as the antivirus vendors detecting the file might have just released protection and the rest are going to follow shortly, or often it can mean that the majority of vendors have looked at the file and decided they don't want to detect it. It may also mean that the file is clean and a few vendors have incorrectly detected it as malicious.
In this scenario, look for vendor names you recognize and believe to be reputable: detections from companies that run their own research labs are a better indicator, e.g. Sophos, Kaspersky, Microsoft, Symantec. If you are still unsure, submit a sample to Sophos Labs for further investigation/advice.
No antivirus vendors are detecting the file
This is a strong indicator that the file is clean (not malicious). If you have no other reason to think the file is suspicious, it is most likely safe to keep it in your environment. However, if you believe the file is suspicious, submit a sample to Sophos Labs for further investigation/advice.
What if VirusTotal does not have the file you are searching for?
This is a potential indicator that the file is malicious, as many malware families change and update regularly to avoid detection, or are unique to every victim. However, it can also mean you have uploaded a clean but unique file, for example an application you developed yourself or a Word document you wrote. It helps to understand the context of the file.
Use the submit a sample page to request an evaluation of the file by Sophos Labs
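As an added example (not part of the Sophos article), the Python script below performs the same comparison through the VirusTotal API v3 file endpoint, looking the file up by its SHA-256 hash instead of uploading it: a hash lookup only returns a report that already exists, so a confidential document is never shared with other VirusTotal users. It maps the report onto the four scenarios above using the article's thresholds (30 or more, 5 or fewer, none, not present) and lists which of the vendors the article names as reputable flagged the file. Assumptions: the API key is read from an environment variable VT_API_KEY, the vendor strings are the engine names VirusTotal uses as keys in its results, and the embedded report is a constructed sample cut down to the fields the script reads.

```python
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"
MANY_DETECTIONS = 30   # the article's "30+" scenario
FEW_DETECTIONS = 5     # the article's "5 or fewer" scenario
# Vendors the article names as having their own research labs; the strings are
# assumed to match the engine names VirusTotal uses as keys in its results.
REPUTABLE_ENGINES = ("Sophos", "Kaspersky", "Microsoft", "Symantec")


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fetch_report(sha256, api_key):
    """Fetch an existing report by hash; nothing is uploaded.

    Returns None when VirusTotal has never seen the file (HTTP 404), which is
    the article's fourth scenario.
    """
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def detection_counts(report):
    """(engines flagging the file, engines that scanned it)."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    detecting = stats.get("malicious", 0) + stats.get("suspicious", 0)
    scanned = detecting + stats.get("undetected", 0) + stats.get("harmless", 0)
    return detecting, scanned


def reputable_detectors(report):
    results = report["data"]["attributes"]["last_analysis_results"]
    return sorted(
        engine for engine, r in results.items()
        if engine in REPUTABLE_ENGINES and r.get("category") in ("malicious", "suspicious")
    )


def classify(report):
    """Map a report onto the article's scenarios (plus the gap between 6 and 29)."""
    if report is None:
        return "not_on_virustotal"
    detecting, _ = detection_counts(report)
    if detecting >= MANY_DETECTIONS:
        return "widely_detected"
    if detecting == 0:
        return "undetected"
    if detecting <= FEW_DETECTIONS:
        return "few_detections"
    return "mixed"


def advice(report):
    scenario = classify(report)
    if scenario == "widely_detected":
        return "remove; do not exclude without confirmation from Sophos Labs"
    if scenario == "few_detections":
        names = reputable_detectors(report)
        if names:
            return "treat as suspicious (flagged by " + ", ".join(names) + "); submit a sample"
        return "inconclusive; submit a sample"
    if scenario == "undetected":
        return "probably clean unless you have other reasons to be suspicious"
    if scenario == "not_on_virustotal":
        return "unknown file; weigh its context and submit a sample if in doubt"
    return "mixed results; submit a sample"


# Constructed sample in the shape of a VirusTotal v3 file object, trimmed to
# the fields used above (a real report carries many more).
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 3, "suspicious": 0, "undetected": 67, "harmless": 0},
    "last_analysis_results": {
        "Sophos": {"category": "malicious", "result": "Mal/Generic-S"},
        "Kaspersky": {"category": "malicious", "result": "Trojan.Generic"},
        "SomeOtherAV": {"category": "malicious", "result": "Suspicious.Gen"},
        "Microsoft": {"category": "undetected", "result": None},
    },
}}}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")   # assumption: key supplied via this variable
    if len(sys.argv) == 2 and key:
        report = fetch_report(sha256_of_file(sys.argv[1]), key)
    else:
        report = SAMPLE_REPORT
    print(classify(report), "->", advice(report))
```

Run with a file path and VT_API_KEY set to query a real report; without them the script evaluates the constructed sample, which lands in the "few detections" scenario and, because Sophos and Kaspersky are among the three engines flagging it, advises treating the file as suspicious and submitting a sample.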
Additional threat resources
Scroll to the bottom section to find threat categories to choose from, or feel free to search for any specific threat.
Excluding files and folders from the antivirus protection
An exception on a folder also covers all of its subfolders. To exclude files and folders from scanning:
- Sign in to Sophos Home dashboard
- Select the computer where you need to make the exclusion.
- Click PROTECTION --> General --> Exceptions
- Enter the file or folder name in the field, then press Enter.
File and folder exceptions on Windows - Examples
Type | Entry | Expected behavior |
---|---|---|
Folder | C:\DataFolderSample\ | Don't scan the folder "C:\DataFolderSample" (folder names must end in "\") |
File or program | Programfile.exe | Don't scan the file "Programfile.exe" |
File or program in a specific folder | C:\Program Folder\Programfile.exe | Don't scan the file "Programfile.exe" in the folder "C:\Program Folder" |
File type | *.vmg | Don't scan any files with extension ".vmg" |
Drive | D:\ | Don't scan any files on drive D:\ |
File and folder exceptions on Mac - Examples
Type | Entry | Expected behavior |
---|---|---|
Time Machine | /Volumes/.timemachine/ | Do not scan the default Time Machine location (folder must end in "/" ) |
Folder | /TempFiles/ | Do not scan the folder "/TempFiles/" (folder names must end in "/") |
File or program | Application.app | Do not scan the file "Application.app" |
File or program in a specific folder | /Applications/Application.app | Do not scan the file "Application.app" in the folder "/Applications/" |
File type | *.mov | Don't scan any files with extension ".mov" |
Volume | /Volumes/TempDrive/ | Do not scan any files on the volume "TempDrive" |
External volume | /Volumes/Name Of Your External Drive/ | Do not scan any files on the volume "Name Of Your External Drive" * |
*If you notice issues using external Time Machine volumes, please see: Disable Network File Scanning
Note: Exceptions on the Mac are case sensitive.
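As an added example (not Sophos Home's own matching code), the Python below models the entry forms shown in the two tables above: it classifies an entry by its shape and checks whether a given path would be skipped, so you can see why a folder entry needs its trailing separator, that a folder entry covers its subfolders, that a bare file name matches in any folder, and that Mac entries are case sensitive. Treating Windows comparisons as case-insensitive is an assumption (the article only states that Mac exceptions are case sensitive); the exception lists and sample paths are constructed from the tables.

```python
import fnmatch

# Illustrative model of the entry forms in the two example tables. It is not
# Sophos Home's own matching code. Comparing Windows paths without regard to
# case is an assumption; the article only states that Mac entries are case
# sensitive.
SEPARATOR = {"windows": "\\", "mac": "/"}


def _norm(text, platform):
    return text.lower() if platform == "windows" else text


def classify_entry(entry, platform):
    """Name the entry type using the labels from the example tables."""
    sep = SEPARATOR[platform]
    if entry.startswith("*."):
        return "file type"
    if platform == "windows" and len(entry) == 3 and entry[0].isalpha() and entry[1:] == ":\\":
        return "drive"
    if sep not in entry:
        return "file or program"
    if entry.endswith(sep):
        if platform == "mac" and entry.startswith("/Volumes/"):
            return "volume"
        return "folder"
    return "file or program in a specific folder"


def matches(path, entry, platform):
    """True if `path` would be skipped by the scanner because of `entry`."""
    kind = classify_entry(entry, platform)
    sep = SEPARATOR[platform]
    p, e = _norm(path, platform), _norm(entry, platform)
    basename = p.rsplit(sep, 1)[-1]
    if kind in ("folder", "drive", "volume"):
        # A folder exception covers everything beneath it. The trailing
        # separator the tables insist on is what stops "C:\Data\" from also
        # matching "C:\DataBackup\...".
        return p.startswith(e)
    if kind == "file type":
        return fnmatch.fnmatchcase(basename, e)
    if kind == "file or program":
        return basename == e              # bare name matches in any folder
    return p == e                         # full path to one specific file


def excluded_by(path, entries, platform):
    """Entries that exclude `path`; an empty list means it is still scanned."""
    return [entry for entry in entries if matches(path, entry, platform)]


# Constructed exception lists mirroring the two example tables.
WINDOWS_ENTRIES = [
    "C:\\DataFolderSample\\",
    "Programfile.exe",
    "C:\\Program Folder\\Programfile.exe",
    "*.vmg",
    "D:\\",
]
MAC_ENTRIES = [
    "/Volumes/.timemachine/",
    "/TempFiles/",
    "Application.app",
    "/Applications/Application.app",
    "*.mov",
    "/Volumes/TempDrive/",
]

if __name__ == "__main__":
    for platform, entries, sample in (
        ("windows", WINDOWS_ENTRIES, "C:\\Program Folder\\Programfile.exe"),
        ("windows", WINDOWS_ENTRIES, "C:\\DataFolderSampleBackup\\report.doc"),
        ("mac", MAC_ENTRIES, "/tempfiles/cache.bin"),
    ):
        print(platform, sample, "->", excluded_by(sample, entries, platform) or "scanned")
```

The pitfall worth noticing is the entry "C:\DataFolderSample" without its trailing backslash: the model reads it as a path to a single file, so nothing inside the folder is excluded, which is the behaviour the table's "folder names must end in \" remark warns about. Contents of a macOS .app bundle are not modelled; the bundle is matched by name only, as the table describes.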
Website exclusions
Note: If you believe a website has been incorrectly categorized as malware, please submit a sample to Sophos Labs for review: Sophos- Submit a sample
To exclude a website from scanning and being blocked by web category access settings:
- Sign in to Sophos Home dashboard
- Select the computer where you need to make the exclusion.
- Click PROTECTION --> Web and find Website Exceptions
- Enter the website address, IP address, or the website domain in the field then press enter.
Website exclusion - Examples
Type | Entry | Expected behavior |
---|---|---|
Domain | cutecats.com | Do not scan any website ending in "cutecats.com". This is what most people will use. |
Web URL | meow.cutecats.com | Scan content at "cutecats.com" but do not scan "meow.cutecats.com". This is a more advanced option. |
IP address | 127.0.0.1 | A specific IP address can also be used. This example is the loopback address; setting an exception for it can resolve connectivity problems for applications and websites that talk to a local service in some cases. |
Malicious traffic detection exclusions
Mac: see Malicious Traffic Blocked alert appears on Mac
Windows: exclusions are made by adding the file (typically the file making the network call) or the folder you wish to exclude. Exclusions cannot be based on a URL or on a drive. For example, C:\ is recognized as a folder exclusion, but C: fails because it is classified as a drive exclusion.
Specific feature exclusions (exploits, Machine Learning)
- Machine Learning (Windows): Excluding a file or application from Machine Learning detection
- Exploits (Windows): Exploit exclusions (Windows - Local exclusions)
- PUA detected: PUA detected alert shows in the Sophos Home dashboard