Global exclusions

You can exclude files, websites and applications from scanning for threats, as described below.

We'll still check the excluded items for exploits.

Note These exclusions will apply to all your users (and their devices) and servers. If you want them to apply only to certain users or servers, use the exclusions in Sophos Central Admin policies instead.

Customers won't be able to add to the Global exclusions list from Global Settings. They can add global exclusions from the events list. These are not added to the global exclusions list you can view and edit in Sophos Central Partner.

Global exclusions pushed from Sophos Central Partner are merged with the Sophos Central Admin list.

  1. In Global Settings, click Global exclusions.
  2. Click Add Exclusion (on the right of the page).
    The Add Exclusion dialog is displayed.
  3. In the Exclusion Type drop-down list, select a type of item to exclude (file or folder, website or potentially unwanted application).
  4. Specify the item or items you want to exclude. The following rules apply:
    • File or folder (Mac/Linux). You can exclude a folder or file. You can use the wildcards ? and *. Examples: /Volumes/excluded (Mac)/mnt/hgfs/excluded (Linux)
    • File or folder (Sophos Security VM). On Windows guest VMs protected by a Sophos security VM, you can exclude a drive, folder or file by full path. You can use the wildcards * and ? but only for file names.
    • Process (Windows). You can exclude any process running from an application. This also excludes files that the process uses (but only when they are accessed by that process). If possible, enter the full path from the application, not just the process name shown in Task Manager. Example: %PROGRAMFILES%\Microsoft Office\Office 14\Outlook.exe. You can use wildcards and variables.
      Note To see all processes or other items that you need to exclude for an application, see the application vendor's documentation.
    • Website. Websites can be specified as IP address, IP address range (in CIDR notation), or domain. Examples:
      • IP address:
      • IP address range:
      • The appendix /24 symbolizes the number of bits in the prefix common to all IP addresses of this range. Thus /24 equals the netmask 11111111.11111111.11111111.00000000. In our example, the range includes all IP addresses starting with 192.168.0.
      • Domain:
    • Potentially Unwanted Application. Here, you can exclude applications that are normally detected as spyware. Specify the exclusion using the same name under which it was detected by the system.
  5. For File or folder exclusions, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or for both.
  6. Click Add or Add Another. The exclusion is added to the exclusions list.

Stop detecting an exploit that's been detected

If an exploit is detected on an application but you're sure the detection is incorrect, you can stop it happening for all your customers.

This applies to all your users and computers.

To stop detecting an exploit, do as follows:

  1. In Sophos Central Admin, go to Computers or Servers, depending on where the application was detected.
  2. Find the device where the detection happened and click it to view its details.
  3. On the Events tab, find the detection event, and click Details.
  4. Copy the Detection ID.

    Example event details showing a Detection ID
  5. In Sophos Central Partner, go to Global Settings, click Global exclusions.
  6. Click Add Exclusion (on the right of the page).
  7. In the Exclusion Type drop-down list, select Detection ID and enter the Detection ID.
    This adds an exclusion for the Detection ID associated with this specific detection. If the same behavior occurs again on your estate, this doesn't trigger a detection. However, if the behavior is different, for example different paths or files, the Detection ID is different and requires a separate exclusion.
  8. Click Add or Add Another. The exclusion is added to the exclusions list.