Global Exclusions
You can exclude files, processes, applications, websites, and other items from being checked by our security software.
You can set global exclusions or policy-based exclusions.
Global exclusions apply to all your users, computers, and servers. If you want exclusions to apply only to specific users, computers, or servers, use policy exclusions instead.
This page tells you about the global exclusions that are available.
Set up exclusions
To set up global exclusions, do as follows:
- Click the General Settings icon.
- Under General, click Global Exclusions.
- Click Add Exclusion. The Add Exclusion dialog is displayed.
- In Exclusion Type, select what you want to exclude.
- Specify the item or items you want to exclude. For details of the different exclusion types and how to set them, see Exclusion types.
- For file or folder exclusions, in the Active for drop-down list, specify whether the exclusion should be valid for real-time scanning, for scheduled scanning, or for both.
- Click Add or Add Another. The exclusion is added to the scanning exclusions list.
To edit an exclusion later, click its name in the exclusions list, update the settings and click Update.
Exclusion types
You can set up the following types of exclusion.
File or folder (Windows)
You can exclude a file, folder, or drive from being checked for threats.
You specify the item by its full path. You can use the wildcard * for file name or extension, but *.* isn't valid.
If you exclude files from being checked, we'll still check the excluded items for exploits. To stop checking for exploits as well, use an Exploit Mitigation And Activity Monitoring (Windows) exclusion or a Detected Exploits (Windows/Mac) exclusion.
For more information on Windows exclusions, including wildcard details, see Windows scanning exclusions.
File or folder (Mac/Linux)
You can exclude a file or folder from scanning for threats.
You specify the item by its full path. You can use the wildcards ? and *.
For more information on Mac exclusions, including wildcard details, see macOS scanning exclusions.
For more information on Linux exclusions, including wildcard details, see Linux scanning exclusions.
Process (Windows)
You can exclude any process that runs from an application you specify. Specify the full path of the application, not just the name shown in Task Manager.
The exclusion also applies to files that the process accesses. The exclusion doesn't apply to applications that the process uses.
For more information, see Process exclusions (Windows).
Website (Windows/Mac)
If you exclude a website, we don't check the category of the website, and it's excluded from our web control protection.
You can specify websites for exclusion using an IP address, a CIDR IP address range, or a domain.
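A pre-submission check for a list of proposed exclusions, applying only the rules this page states for Windows file, folder and process paths and for website entries. This is an added example, not Sophos code and not the product's own validation; the function names, the two regular expressions (how "full path" and "domain" are interpreted) and the sample entries are assumptions.

```python
import ipaddress
import re

# Assumption: "full path" means a drive-letter path (C:\...) or a UNC path.
FULL_WIN_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+)")
# Assumption: a domain is dot-separated letter/digit/hyphen labels plus a TLD.
DOMAIN = re.compile(r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$")


def check_windows_path(entry):
    """Return findings for a Windows file, folder or process exclusion path."""
    findings = [] if FULL_WIN_PATH.match(entry) else ["not a full path"]
    parent, _, leaf = entry.rstrip("\\").rpartition("\\")
    if leaf == "*.*":
        findings.append("*.* is not valid")
    if "*" in parent:
        # The page only describes * for the file name or extension.
        findings.append("wildcard outside file name or extension")
    return findings


def classify_website(entry):
    """Return 'ip', 'cidr' or 'domain', or None if the entry is none of these."""
    try:
        if "/" in entry:
            ipaddress.ip_network(entry, strict=True)  # rejects host bits set
            return "cidr"
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN.match(entry) else None


def review(exclusions):
    """Map each (type, value) to its findings; [] means nothing flagged."""
    def findings(kind, value):
        if kind == "website":
            return [] if classify_website(value) else ["unrecognised website entry"]
        return check_windows_path(value)  # file_or_folder and process
    return {(k, v): findings(k, v) for k, v in exclusions}


# Constructed change request, not real exclusions from any estate.
PROPOSED = [
    ("file_or_folder", r"D:\Builds\output\*.obj"),
    ("file_or_folder", r"C:\Temp\*.*"),
    ("process", "backup.exe"),
    ("website", "203.0.113.0/24"),
]
```

Calling `review(PROPOSED)` flags the `*.*` entry and the process given by name only; the other two entries return an empty list.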
Potentially Unwanted Application (Windows/Mac/Linux)
Potentially Unwanted Applications (PUA) are programs that aren't malicious by design but are potentially unsuitable for business environments. For example, they may introduce privacy, security, or user experience risks within an organization's environment. Customers can allow PUAs in their environment based on their business needs. Specify the exclusion using the same name under which the system detected the application, for example "PsExec" or "Cain n Abel".
Think carefully before you add PUA exclusions because doing so may reduce your protection.
Detected Exploits (Windows/Mac)
You can exclude any exploit that has already been detected. We'll no longer detect it for the affected application and no longer block the application.
You can also exclude detected exploits using a detection ID. You can use this option if you're working with Sophos Support to resolve a false positive detection. Sophos Support can give you a detection ID and you can then exclude the false positive detection. To do this, click Exploit not listed? and enter the ID.
Ransomware Protection (Windows)
You can exclude applications or folders from protection against ransomware.
For example, if you have an application that encrypts data, you might want to exclude it, or you might want to exclude folders used by backup applications.
For more information, see Ransomware Protection exclusions.
Ransomware Protection (Mac)
You can exclude applications or folders from protection against ransomware.
For example, you might exclude an application that encrypts data, or folders used by your backup applications.
For more information, see Ransomware Protection exclusions.
Device isolation (Windows/Mac/Linux)
You can allow isolated devices to have limited communications with other devices.
Choose whether isolated devices will use outbound or inbound communications, or both. You can then restrict communications.
For more information, see Device isolation exclusions.
Exploit Mitigation and Activity Monitoring (Windows)
You can exclude applications from protection against security exploits.
For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.
Note
You can only add exclusions based on the application's file path.
For more information, see Exploit Mitigation and Activity Monitoring exclusions.
AMSI Protection (Windows)
You can exclude a file, folder, or drive by its full path. Code in this location isn't scanned. You can use the wildcard * for file name or extension.
Malicious Network Traffic Prevention (IPS) (Windows)
You can exclude specific network traffic from inspection.
Choose whether to exclude outbound or inbound traffic, then specify the address or ports the traffic uses.
Hashing exclusions (Windows)
You can exclude specific folders, files, or application processes to stop Sophos Event Journals and the Data Lake from generating file hashes for them.
Note
Only use this exclusion type if we ask you to.
Can't edit exclusions?
If you can't edit exclusions, do as follows:
- Check whether global settings have been applied by your partner or Enterprise administrator. This locks the settings. You can still stop detecting applications, exploits and ransomware from events.
- Check whether your administration role has access to both Endpoint Protection and Server Protection. See Add a custom role.