Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/central/customer/help/en-us/index.html?contextId=detection-stop-exploit

Stop detecting an exploit

You can exclude an application from exploit detection, either in response to a detection or in advance of any detection.

Warning

Think carefully before you add exclusions because it reduces your protection.

You can set exclusions for a specific event, a specific exploit, or all exploits associated with an application.

If you want to exclude applications from exploit protection for some users or devices you can do this using an Endpoint Threat Protection policy, see Threat Protection Policy.

If you want to exclude applications from exploit protection for some servers you can do this using a Server Threat Protection policy, see Server Threat Protection Policy.

As adding exclusions reduces your protection, we recommend that you use policies to target users and devices where the exclusion is necessary rather than using the exclusion options that apply to all your users and their devices.

Stop detecting an exploit that's been detected (using events list)

If an exploit is detected on an application, but you're sure the detection is incorrect, you can stop it happening again using options available in your events list.

This applies to all your users and computers.

As adding exclusions reduces your protection, we recommend that you use policies to target users and devices where the exclusion is necessary rather than using this global option.

To stop detecting an exploit, do as follows:

  1. Go to Devices > Computers or Servers, depending on where the application was detected.
  2. Find the computer where the detection happened and click it to view its details.
  3. On the Events tab find the detection event, and click Details.

  4. In Event details, look for Don't detect this again and select an option:

    • Exclude this Detection ID from checking. prevents this detection on this application. It adds an exclusion for the Detection ID associated with this specific detection. If the same behavior occurs again on your estate, this doesn't trigger a detection. However, if the behavior is different, for example different paths or files, the Detection ID is different and requires a separate exclusion.
    • Exclude this mitigation from checking this application. prevents any checks for this exploit on this application. This increases the risk of an attack. However, it can be useful where specific business applications generate many unexpected detections.
    • Exclude this application from checking. prevents any checks for any exploits on this application. This carries the most risk, and therefore you should only use this as a last resort.

    • Try excluding the Detection ID first, as that is better targeted. If the same detection happens again, exclude the exploit. If the same detection still happens, exclude the application.

      "Event details", showing a StackExec detection type on an application.

  5. Click Exclude.

We'll add your exclusion to a list.

Detection ID exclusions go into the Global Exclusions. Application exclusions go into the Exploit Mitigation Exclusions.

Stop detecting an exploit that's been detected (using policy settings)

If an exploit is detected on an application, but you're sure the detection is incorrect, you can stop it happening again by using options available in the threat protection policy.

You can also use a threat protection policy to exclude Windows applications from protection against security exploits.

Adding exclusions reduces your protection. We recommend that you use policies to add exploit mitigation exclusions because you can target them to specific users and devices. You can assign the policy only to those users and devices where the exclusion is necessary.

If you use a policy to stop detecting an exploit, we'll continue to check for other exploits that affect this application.

To stop detecting the exploit, do as follows:

  1. Go to My Products > Endpoint or Server.
  2. In Policies, find the Threat Protection policy that applies to the devices.
  3. Under Settings, find Exclusions and click Add Exclusion.
  4. In the Exclusion Type box, select Detected Exploits (Windows/Mac).
  5. Select the exploit and click Add.
  6. Check that the policy is assigned to the appropriate users and devices.

You can also use a policy to stop detecting exploits on all applications of a specific type. To do this, go to the threat protection policy and turn off exploit mitigation (which is under Runtime Protection) for that application type.

Warning

We don't recommend turning off exploit mitigation.

Stop checking for a specific exploit on an application

Suppose a detection has not occurred for an application, but it has been identified that the application needs to be excluded from a specific mitigation. In that case, you can proactively stop checking for a specific exploit.

If you use this method, we'll continue to check for other exploits that affect this application.

As adding exclusions reduces your protection, we recommend that you use policies to target users and devices where the exclusion is necessary rather than using this global option.

To stop checking for a specific exploit, do as follows:

  1. Go to My Products > General Settings > Global Exclusions.
  2. Click Add Exclusion.
  3. Under Exclusion Type, select Exploit Mitigation (Windows).

  4. In the application list, select the application that you want to exclude.

    1. If it's not listed, click Application not listed?. Under Exclude Application By Path, enter the full path of the application.

      "Add Exclusion" showing a list of protected applications.

  5. Under Mitigations, turn off the mitigation from which you want to exclude the application.

    "Mitigations" showing a list of mitigations that are turned on for the application.

  6. Click Add.

  7. Click Save.

Stop checking for all exploits on an application

If an application generates many unexpected exploit detections or suffers from performance issues when exploiting mitigation is turned on, you can stop checking for all exploits on the application.

If you use this method, we won't check the application for exploits but will still check it for ransomware behavior and for malware.

As adding exclusions reduces your protection, we recommend that you use policies to target users and devices where the exclusion is necessary rather than using this global option.

To stop checking for all exploits on an application, do as follows:

  1. Go to My Products > General Settings > Global Exclusions.
  2. Click Add Exclusion.
  3. Under Exclusion Type, select Exploit Mitigation (Windows).

  4. In the application list, select the application that you want to exclude.

    1. If it's not listed, click Application not listed?.

    2. Under Exclude Application By Path, enter the full path of the application.

      "Add Exclusion" showing a list of protected applications.

  5. Under Mitigations, turn off Protect Application.

    "Mitigations" showing "Protect Application" option.

  6. Click Add.

  7. Click Save.