Skip to content

Stop detecting an application

If PE (Portable Executable) files, like applications, libraries and system files, are detected, they are quarantined and can be restored.

To allow an application that Sophos has detected and removed, do as follows.

  • This allows the application for all computers and users.
  • This allows the application to start, but we’ll still check it for threats, exploits and malicious behavior when it's running.

  • Go to Devices > Computers or Servers, depending on where the application was detected.

  • Find the computer where the detection happened and click on it to view its details.
  • On the Events tab, find the detection event and click Details.
  • In the Event details dialog, look under Allow this application.
  • Select the method of allowing the application:

    • Certificate: This is recommended. It also allows other applications with the same certificate.
    • SHA-256: This allows this version of the application. However, if the application is updated, it could be detected again.
    • Path: This allows the application as long as it's installed in the path (location) shown. You can edit the path (now or later) and you can use variables if the application is installed in different locations on different computers.


    You can't use Path to restore files with non-UTF-8 paths detected on a Linux device. You must use SHA-256 to restore these files.

  • Click Allow.