Skip to content

Global exclusions

You can exclude files, websites and applications from scanning for threats, as described below. You can also exclude by Detection ID.

We'll still check the excluded items for exploits.

Note

These exclusions apply to all your users (and their devices) and servers. If you want them to apply only to certain users or servers, use the exclusions in Sophos Central Admin policies instead.

Warning

Think carefully before you add exclusions because it reduces your protection.

Customers won't be able to add to the Global exclusions list from Global Settings. They can add global exclusions from the events list. These are not added to the global exclusions list you can view and edit in Sophos Central Partner.

Global exclusions pushed from Sophos Central Partner are merged with the Sophos Central Admin list.

  1. In Global Settings, click Global exclusions.

  2. Click Add Exclusion (on the right of the page). The Add Exclusion dialog is displayed.

  3. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website or potentially unwanted application).

  4. Specify the item or items you want to exclude. The following rules apply:

    • File or folder (Mac/Linux): You can exclude a folder or file. You can use the wildcards ? and *. Examples: /Volumes/excluded (Mac)``/mnt/hgfs/excluded (Linux)

    • File or folder (Sophos Security VM): On Windows guest VMs protected by a Sophos security VM, you can exclude a drive, folder or file by full path. You can use the wildcards * and ? but only for file names.

    • Process (Windows): You can exclude any process running from an application. This also excludes files that the process uses (but only when they are accessed by that process). If possible, enter the full path from the application, not just the process name shown in Task Manager. Example: %PROGRAMFILES%\Microsoft Office\Office 14\Outlook.exe. You can use wildcards and variables.

      Note

      To see all processes or other items that you need to exclude for an application, see the application vendor's documentation.

    • Website: Websites can be specified as IP address, IP address range (in CIDR notation), or domain. Examples:

      • IP address: 192.168.0.1

      • IP address range: 192.168.0.0/24

      • The appendix /24 symbolizes the number of bits in the prefix common to all IP addresses of this range. Thus /24 equals the netmask 11111111.11111111.11111111.00000000. In our example, the range includes all IP addresses starting with 192.168.0.

      • Domain: google.com

    • Potentially Unwanted Application: Here, you can exclude applications that are normally detected as spyware. Specify the exclusion using the same name under which it was detected by the system.

    • Device isolation (Windows): You can allow isolated devices to have limited communications with other devices. Choose whether isolated devices will use outbound or inbound communications, or both. You can then restrict communications.

  5. For File or folder exclusions, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or for both.

  6. Click Add or Add Another. The exclusion is added to the exclusions list.

Detection ID

You can copy a Detection ID from a detection event in Sophos Central Admin. You can then create an exclusion in Sophos Central Partner that applies to your users' devices.

Adding an exclusion prevents this detection on this application. It adds an exclusion for the Detection ID associated with this specific detection. If the same behavior occurs again on your users' devices, this doesn't trigger a detection. However, if the behavior is different, for example different paths or files, the Detection ID is different and requires a separate exclusion.

To create an exclusion, do as follows:

  1. In Sophos Central Admin, go to Overview > Devices > Computers and click the computer you want to view details for.

  2. Click Events to see the events detected on the computer.

  3. Copy the Detection ID from the detection event you want to exclude.

  4. In Sophos Central Partner, go to Global Settings.

  5. Click Global exclusions.

  6. Click Add Exclusion (on the right of the page).

    The Add Exclusion dialog is displayed.

  7. In the Exclusion Type drop-down list, select Detection ID.

  8. Paste the Detection ID you copied in Sophos Central Admin.

  9. Click Add or Add Another.

    The exclusion is added to the exclusions list.