Applies to: Sophos Home Premium and Trial - (Windows)
What are malicious behavior detections, and what to do about them
Applications that present incompatibility issues with Sophos Home behavior protection modules may be added to the local exclusions/exploit dashboard exclusions to allow them to run. Additionally, installation failures for trusted software can sometimes be resolved by temporarily disabling exploit protection to allow the installation to complete, if a local exclusion is not effective.
Sophos Home allows users to enter local/dashboard exclusions at their own risk. These exclusions can be used to run a program that has been stopped from running/installing because exploit-like behavior was detected when the application was launched.
These steps should be performed if the application you are trying to run is trusted and was acquired from a known/reputable source.
For other kinds of exclusions (such as antivirus, machine learning, and privacy), please see the related articles section.
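One way to check the "trusted and acquired from a known/reputable source" condition before adding any of the exclusions below is to look at the file's Authenticode signature, its SHA-256 hash, and its recorded download origin. The following PowerShell is an added example, not part of the Sophos article or product; the function name Test-ExclusionCandidate is hypothetical, and it assumes the vendor publishes a SHA-256 you can compare against.

```powershell
# Added example (not Sophos code): inspect an executable before excluding it.
# Test-ExclusionCandidate is a hypothetical helper name.
function Test-ExclusionCandidate {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Optional: SHA-256 published by the vendor (assumption: one is available)
        [string] $ExpectedSha256
    )

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }

    # Signature status is 'Valid' only if the file is signed, unmodified,
    # and the certificate chains to a trusted root on this machine.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # Zone.Identifier is the alternate data stream Windows attaches to downloads;
    # it is absent for files that were not downloaded or were unblocked.
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue

    # $null means "no expected hash supplied", which is different from a mismatch.
    $hashOk = if ($ExpectedSha256) { $hash -eq $ExpectedSha256.Trim() } else { $null }

    [pscustomobject]@{
        Path               = $Path
        SignatureStatus    = $sig.Status
        Signer             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        Sha256             = $hash
        HashMatches        = $hashOk
        DownloadOrigin     = ($zone | Where-Object { $_ -match '^(HostUrl|ReferrerUrl)=' }) -join '; '
        SignatureAndHashOk = ($sig.Status -eq 'Valid') -and ($hashOk -ne $false)
    }
}

# Sample call against a binary that ships with Windows, used only to show the output shape.
# Replace the path with the executable you intend to exclude and pass the vendor's hash.
Test-ExclusionCandidate -Path "$env:SystemRoot\System32\notepad.exe" | Format-List
```

A result of SignatureAndHashOk = False (unsigned file, broken signature, or hash mismatch) is a reason to re-download from the vendor instead of adding the exclusion; a True result confirms the file's origin and integrity, not that its behavior is safe.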
Adding a local exclusion on a specific computer
These steps cover how to whitelist an application, on a single machine, that may have been stopped by Sophos Home due to suspicious behavior.
Sophos does not recommend adding exclusions unless you're sure that the application is safe.
Instructions
1. Double-click on the Sophos Home icon on the system tray. This opens the Sophos Home main window.
2. Click Help --> Troubleshooting
3. Go to the Local Exclusions section, then click on the Add button.
4. Locate the program's executable file (.exe) you wish to exclude and add it.
The application will then appear on the list.
Note: If the exclusion is outside the C: drive, it will still apply but will not show up on the list.
Adding Exclusions for Non-system drives - known issue
Please note that when adding a local exclusion for an application or game on a non-system drive (typically D:\, E:\, etc.), this exclusion will not show up in the local exclusion dialog box but WILL be applied.
Adding a Global Exclusion via the Sophos Home Dashboard
Some programs may trigger suspicious behavior alerts (such as exploits, Anti-VM, etc.) during installation and get stopped by Sophos Home. If you are sure that the application is legitimate (for example, you have downloaded it via the vendor's website, or you are installing from an official vendor's disk, etc.), you may whitelist it on your Dashboard to allow the installation to complete:
Note: These steps will lower your computer's security. Please proceed at your own discretion.
Instructions:
1. Access your Sophos Home Dashboard and click on the desired computer
2. Select the affected computer
3. Locate the detection under New Activity, or navigate to the HISTORY Tab to find all the events as needed.
4. If there are too many events, users may want to sort by Threats
5. Locate the exploit detection (they are sorted by date/time)
6. Click on Show Advanced Options
7. Click on Allow and Unblock via Did we get this wrong? to whitelist the application
8. Choose Allow Behavior (preferred option), or if desired Allow application (this will whitelist any mitigation coming from this application from now on).
9. Allow a few minutes for the changes to replicate and re-try installing/relaunching the app (if needed, restart your computer).
Excluding an app from the Protected Applications list on the Dashboard
Sophos Home provides a list of Protected Applications in the dashboard. Users may choose to remove an application from the protected list, in order to allow it to run.
Note: Sophos does not recommend turning off protections for applications. These steps shall be performed at the customer's discretion.
Instructions:
1. Access your Sophos Home Dashboard and click on the desired computer
2. Click on the PROTECTION tab ---> Exploits
3. Locate the Protected applications section and click Show Applications to expand it
4. Un-check the desired application (red button)
5. Reboot the computer and re-try launching the program
Temporarily disabling Exploit Mitigation Protection
If none of the above exclusion options work, you may try temporarily disabling Exploit Mitigation in order to allow an application to install/run.
Note: Temporarily disabling exploit mitigation leaves your computer vulnerable during this short time. Please perform these steps at your own discretion.
Instructions:
1. Access your Sophos Home Dashboard and click on the computer name for which you wish to disable exploit mitigation protection.
2. Click on the PROTECTION tab ---> Exploits
3. Toggle off Exploit Mitigation
4. Reboot the computer
5. Attempt to run/re-install the software
6. Ensure you re-enable Exploit Mitigation upon successful installation