Applies to: Sophos Home Premium and Trial - (Windows)
What are malicious behavior detections, and what to do about them
Sophos Home uses behavior protection to keep Windows systems safe from exploits and harmful actions. Sometimes it blocks an application because the application's behavior looks suspicious, even when the application is safe. When this happens, you might see messages such as "Attack intercepted", "Malicious behavior detected", "Lockdown", "APC violation", or similar alerts. You may also notice Event Viewer entries with Event ID 911.
What to do if you receive a behavior alert
If you trust the application and it comes from a reputable source, you can try these steps:
- Add a local exclusion for the program or file: in Sophos Home, add the application to Local Exclusions, or add an exclusion from the Exploit Protection section of the Dashboard. This lets the application run despite the detection.
- Temporarily disable Exploit Protection: if exclusions don't work, you can turn off Exploit Protection briefly to complete the installation or update of a program. Important: turn it back on as soon as the installation or update is finished so the system stays protected.
Exclusions are managed at your own risk. If you are not sure if an application is safe, contact its vendor to validate it before excluding it.
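Before excluding anything, it is worth confirming which executable actually triggered the detection and whether that file is signed by the vendor you expect. The following PowerShell script is an added example, not part of this article or of Sophos Home's own tooling. It assumes the Event ID 911 entries are written to the Windows Application log (the article names the ID but not the log) and that the event message contains the executable's path, which it extracts with a generic path pattern; both are assumptions, so adjust the log name or pattern if your entries look different.

```powershell
# Added example (not Sophos tooling): list recent Event ID 911 entries, then
# report the Authenticode signature and SHA-256 hash of each executable they
# mention, so you can decide whether an exclusion is justified.
# Assumptions: 911 events live in the Application log; the message text
# contains a Windows path ending in .exe.

$Hours = 24
$since = (Get-Date).AddHours(-$Hours)

# -ErrorAction SilentlyContinue avoids a terminating error when no event matches.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 911; StartTime = $since } `
                       -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No Event ID 911 entries in the Application log in the last $Hours hours."
    return
}

# Show the raw events first; the message text is what names the blocked action.
$events | Select-Object TimeCreated, ProviderName, Message | Format-List

# Best-effort extraction of executable paths from the messages (assumed format,
# not a documented Sophos schema).
$pathRegex  = '[A-Za-z]:\\[^"<>|\r\n]*?\.exe'
$candidates = $events |
    ForEach-Object { [regex]::Matches($_.Message, $pathRegex) | ForEach-Object { $_.Value } } |
    Sort-Object -Unique

foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Host "$path : referenced in a 911 event but not found on disk"
        continue
    }

    $sig  = Get-AuthenticodeSignature -FilePath $path
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

    # A 'Valid' status from the publisher you expect is the minimum bar before
    # excluding. 'NotSigned' or 'HashMismatch' means: send the file and hash to
    # the vendor for validation instead of adding an exclusion.
    [pscustomobject]@{
        Path      = $path
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        SHA256    = $hash
    }
}
```

Run it from an elevated PowerShell prompt on the affected computer. The SHA-256 value is what to quote to the vendor when asking them to confirm the file is theirs; the signer subject should match the vendor's name, and a valid signature from an unrelated publisher is as much a reason to stop as no signature at all.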
DISCLAIMER: The information in these articles is provided for general educational purposes only and is based on information available to Sophos at the time of publication. The materials may contain technical inaccuracies or typographical errors and may be updated, revised, or changed at any time without notice.
To the maximum extent permitted by applicable law, Sophos disclaims and excludes all representations, warranties, and conditions, whether express, implied, or statutory, including without limitation any warranties or conditions of title, non-infringement, satisfactory condition or quality, merchantability, and fitness for a particular purpose, with respect to the content.
Adding a local exclusion on a specific computer
These steps cover how to whitelist an application, on a single machine, that may have been stopped by Sophos Home due to suspicious behavior.
Sophos does not recommend adding exclusions unless you're sure that the application is safe.
Instructions
1 - Double-click the Sophos Home icon in the system tray. This opens the Sophos Home main window.
2 - Click Help --> Troubleshooting.
3 - Go to the Local Exclusions section, then click the Add button.
4 - Locate the program's executable file (.exe) you wish to exclude and add it.
The application will then appear on the list.
Note: If the excluded file is on a drive other than C:, the exclusion still applies but will not appear in the list.
Adding Exclusions for Non-system drives - known issue
Please note that when adding a local exclusion for an application or game on a non-system drive (typically D:\, E:\, etc.), the exclusion will not show up in the Local Exclusions dialog box but WILL be applied.
Adding a Global Exclusion via the Sophos Home Dashboard
Some programs may trigger suspicious behavior alerts (such as exploit or Anti-VM detections) during installation and get stopped by Sophos Home. If you are sure that the application is legitimate (for example, you downloaded it from the vendor's website or are installing from an official vendor disk), you may whitelist it on your Dashboard to allow the installation to complete:
Note: These steps will lower your computer's security. Please proceed at your own discretion.
Instructions:
1. Access your Sophos Home Dashboard and select the affected computer.
2. Locate the detection under New Activity, or open the HISTORY tab to see all events.
3. If there are too many events, sort by Threats.
4. Locate the exploit detection (events are sorted by date/time).
5. Click Show Advanced Options.
6. Under Did we get this wrong?, click Allow and Unblock to whitelist the application.
7. Choose Allow Behavior (preferred, since it only allows the specific behavior that was detected), or, if you really need it, Allow Application (this whitelists every exploit mitigation detection for that application from now on, which is a much broader exclusion).
8. Allow a few minutes for the change to replicate, then retry installing or relaunching the application (restart the computer if needed).
Excluding an app from the Dashboard's Protected Applications list
Sophos Home provides a list of Protected Applications in the Dashboard. You may remove an application from the protected list in order to allow it to run without exploit mitigation.
Note: Sophos does not recommend turning off protections for applications. Perform these steps at your own discretion.
Instructions:
1. Access your Sophos Home Dashboard and click on the desired computer
2. Click on the PROTECTION tab ---> Exploits
3. Locate the Protected applications section and click Show Applications to expand it
4. Un-check the desired application (red button)
5. Reboot the computer and re-try launching the program
Temporarily disabling Exploit Mitigation Protection
If none of the above exclusion options work, you may try temporarily disabling Exploit Mitigation in order to allow an application to install or run.
Note: Temporarily disabling Exploit Mitigation leaves your computer without exploit protection for that time, so keep the window as short as possible. Please perform these steps at your own discretion.
Instructions:
1. Access your Sophos Home Dashboard and click the name of the computer for which you wish to disable Exploit Mitigation.
2. Click the PROTECTION tab ---> Exploits.
3. Toggle off Exploit Mitigation.
4. Reboot the computer.
5. Attempt to run or re-install the software.
6. Re-enable Exploit Mitigation as soon as the installation succeeds.