Applies to: Sophos Home Premium and Trial - (Windows)
What are malicious behavior detections, and what to do about them
Sophos Home's behavior protection module keeps Windows systems safe from exploits and other malicious behaviors. However, it may sometimes detect potentially malicious behavior in a legitimate application and block it from running. These detections typically display a banner such as "Attack intercepted" and include a comment such as "Exploit", "Malicious behavior detected", "Lockdown" or "APC violation".
If you encounter this with a trusted application from a reputable source, you can try the following steps, at your own discretion:
- Add the application to the local exclusions or exploit dashboard exclusions in Sophos Home. This will allow the application to run despite the detected behavior.
- If adding the application to exclusions doesn't work, you can temporarily disable Exploit Mitigation to allow the installation to complete. Remember to re-enable it afterwards.
Sophos Home allows users to manage these exclusions at their own risk. Only add exclusions for applications you fully trust, since an excluded application can perform the very behavior Sophos Home would otherwise block. If you are not sure whether an application is safe, contact the vendor to validate that you have downloaded the correct file (for example, by comparing the file's digital signature and hash with what the vendor publishes).
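Before adding any of the exclusions described on this page, it is worth confirming that the blocked file really is the one the vendor shipped. The PowerShell script below is an added example and is not Sophos Home code; it does not interact with Sophos Home at all. It checks the installer's Authenticode signature and SHA-256 hash on the local machine. The parameter names, and the assumption that you copied the expected hash and signing-certificate name from the vendor's download page, are ours.

```powershell
# Added example (not part of Sophos Home): verify a downloaded installer before
# deciding whether to add it as an exclusion. Assumptions: $Path is the blocked
# .exe, $ExpectedSha256 is the hash the vendor publishes, $ExpectedPublisher is
# the CN on the vendor's code-signing certificate (both optional, copied manually).
param(
    [Parameter(Mandatory)] [string]$Path,
    [string]$ExpectedSha256,
    [string]$ExpectedPublisher
)

if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

# Authenticode: proves the file is unmodified since the signer signed it,
# and tells you who signed it. It does not prove the code is benign.
$sig  = Get-AuthenticodeSignature -FilePath $Path
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

# $null means "not requested"; $true/$false means the comparison was made.
$hashMatches = $null
if ($ExpectedSha256) {
    # Normalise vendor formats such as "ab:cd:..." or "ab cd ..." before comparing.
    $hashMatches = ($hash -ieq ($ExpectedSha256 -replace '[\s:-]', ''))
}

$publisherMatches = $null
if ($ExpectedPublisher -and $sig.SignerCertificate) {
    $publisherMatches = ($sig.SignerCertificate.Subject -like "*CN=$ExpectedPublisher*")
}

[pscustomobject]@{
    File             = $Path
    SHA256           = $hash
    SignatureState   = $sig.Status      # Valid, NotSigned, HashMismatch, UnknownError ...
    Signer           = $signer
    HashMatches      = $hashMatches
    PublisherMatches = $publisherMatches
} | Format-List

# Only treat the file as a candidate for an exclusion when the signature is
# valid and every comparison that was requested actually passed.
$ok = ($sig.Status -eq 'Valid') -and
      ($hashMatches -ne $false) -and
      ($publisherMatches -ne $false)

if ($ok) {
    Write-Host "Checks passed: the file matches what the vendor published."
} else {
    Write-Warning "Checks failed: do not add an exclusion; contact the vendor instead."
}
```

Run it as `.\Verify-Installer.ps1 -Path 'D:\Downloads\setup.exe' -ExpectedSha256 '<hash from vendor page>' -ExpectedPublisher '<vendor name>'`. A valid signature from the wrong publisher is the case the `-ExpectedPublisher` check exists for: a trojanised build can be validly signed, just not by the vendor you expect. A passing result makes an exclusion reasonable; it does not make the detection wrong, so prefer the narrowest exclusion the later sections offer.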
For other kinds of exclusions (such as antivirus, machine learning, and privacy), please see the related articles section.
Adding a local exclusion on a specific computer
These steps cover how to whitelist an application, on a single machine, that may have been stopped by Sophos Home due to suspicious behavior.
Sophos does not recommend adding exclusions unless you're sure that the application is safe.
Instructions
1. Double-click the Sophos Home icon in the system tray. This opens the Sophos Home main window.
2. Click Help --> Troubleshooting.
3. Go to the Local Exclusions section, then click the Add button.
4. Locate the program's executable file (.exe) you wish to exclude and add it.
The application will then appear on the list.
Note: If the excluded file is outside the C: drive, the exclusion will still apply but will not show up in the list.
Adding Exclusions for Non-system drives - known issue
Please note that when adding a local exclusion for an application or game on a non-system drive (typically D:\, E:\, etc.), the exclusion will not show up in the Local Exclusions dialog box but WILL be applied.
Adding a Global Exclusion via the Sophos Home Dashboard
Some programs may trigger suspicious behavior alerts (such as exploit or anti-VM detections) during installation and get stopped by Sophos Home. If you are sure that the application is legitimate (for example, you downloaded it from the vendor's website or are installing from the vendor's official disc), you may whitelist it on your Dashboard to allow the installation to complete:
Note: These steps will lower your computer's security. Please proceed at your own discretion.
Instructions:
1. Access your Sophos Home Dashboard and select the affected computer.
2. Locate the detection under New Activity, or navigate to the HISTORY tab to find all events as needed.
3. If there are too many events, sort by Threats.
4. Locate the exploit detection (events are sorted by date/time).
5. Click Show Advanced Options.
6. Under Did we get this wrong?, click Allow and Unblock to whitelist the application.
7. Choose Allow Behavior (preferred, as it only allows the specific behavior that was detected), or, if desired, Allow Application (this will whitelist any mitigation coming from this application from now on).
8. Allow a few minutes for the changes to replicate, then retry installing or relaunching the app (restart your computer if needed).
Excluding an app from the Protected Applications list on the Dashboard
Sophos Home provides a list of Protected Applications in the dashboard. Users may choose to remove an application from the protected list, in order to allow it to run.
Note: Sophos does not recommend turning off protection for applications. These steps should be performed at the customer's discretion.
Instructions:
1. Access your Sophos Home Dashboard and click on the desired computer
2. Click on the PROTECTION tab ---> Exploits
3. Locate the Protected applications section and click Show Applications to expand it
4. Un-check the desired application (red button)
5. Reboot the computer and re-try launching the program
Temporarily disabling Exploit Mitigation Protection
If none of the above exclusion options work, you may try temporarily disabling Exploit Mitigation in order to allow an application to install/run.
Note: Temporarily disabling Exploit Mitigation leaves your computer without exploit protection for that time, so keep the window short and avoid other activity (browsing, opening email attachments) until it is back on. Please perform these steps at your own discretion.
Instructions:
1. Access your Sophos Home Dashboard and click on the computer name for which you wish to disable exploit mitigation protection.
2. Click on the PROTECTION tab ---> Exploits
3. Toggle off Exploit Mitigation
4. Reboot the computer
5. Attempt to run/ re-install the software
6. Ensure you re-enable Exploit Mitigation as soon as the installation has finished, whether or not it succeeded.