Global Exclusions

You can exclude files, websites and applications from scanning for threats.

You use exclusions to tune the detection behavior of Sophos Central. For more information on how we detect threats, see Sophos Threat Center.

Exclusions

Global exclusions apply to all your users (and their devices) and servers.

If you want exclusions to apply only to certain users or servers, use policy exclusions instead.

You can set up the following types of exclusion:

  • Exclude files or folders from scanning.

    If you exclude files from scanning, we'll still check the excluded items for exploits.

  • Exclude from checking any process that runs from an application (Windows).

  • Exclude websites from checking (Windows/Mac).
  • Exclude applications from protection against security exploits (Windows/Mac).
  • Exclude applications that are normally detected as spyware, and previously detected exploits, from scanning and detection (Windows/Mac).
  • Exclude previously detected malicious behavior exploits (Windows).
  • Exclude folders or applications from ransomware protection (Windows/Mac).

You can also use exclusions to allow isolated devices to communicate with other devices under restrictions.

Warning

Think carefully before you add global exclusions because doing so may reduce your protection. See Using exclusions safely.

For more information on setting up exclusions and the variables and wildcards you can use see the following:

Can’t edit the exclusions?

If you can't edit exclusions, check the following:

  • If an option is locked, global settings have been applied by your partner or Enterprise administrator. You can still stop detecting applications, exploits and ransomware from events.
  • Check if your administration role has access to both Endpoint and Server protection. See Add a custom role.

Exploit exclusions

If you exclude files from scanning, we'll still check the excluded items for exploits. If you want exclusions from exploit checking, do as follows:

  • To stop checking for an exploit that has been detected, use a Detected Exploits (Windows/Mac) exclusion.
  • To exclude certain applications from checking, use an Exploit Mitigation And Activity Monitoring (Windows) exclusion.

See also Exploit mitigation exclusions.

Set up exclusions

You can exclude files, websites and applications from scanning for threats.

To set exclusions:

  1. Go to My Products > General Settings > Global Exclusions.
  2. Click Add Exclusion. The Add Exclusion dialog is displayed.
  3. In the Exclusion Type drop-down list select what you want to exclude.
  4. Specify the item or items you want to exclude.

    • File or folder (Windows). You can exclude a drive, folder or file by full path.

      You can use the wildcard * for file name or extension but *.* is not valid.

    • File or folder (Mac/Linux). You can exclude a folder or file. You can use the wildcards ? and *.

    • Process (Windows). You can exclude any process running from an application. This also excludes files that the process uses (but only when they are accessed by that process). If possible, enter the full path from the application.
    • Website (Windows/Mac). You can specify websites for exclusion using IP address, IP address range (in CIDR notation), or domain.

      If you exclude a website, we don't check the category of the website and it's excluded from web control protection.

    • Potentially Unwanted Application (Windows/Mac/Linux). You can exclude applications that are normally detected as spyware. Specify the exclusion using the same name under which the system detected it, for example "PsExec" or "Cain n Abel". Find more information about PUAs in the Sophos Threat Center.

      Think carefully before you add PUA exclusions because doing so may reduce your protection.

    • Detected Exploits (Windows/Mac). You can exclude any exploit that has already been detected. We'll no longer detect it for the affected application and no longer block the application.

      You can also exclude detected exploits using a detection ID. You can use this option if you're working with Sophos Support to resolve a false positive detection. Sophos Support can give you a detection ID and you can then exclude the false positive detection. To do this, click Exploit not listed? and enter the ID.

    • Device isolation (Windows/Mac/Linux). You can allow isolated devices to have limited communications with other devices.

      Choose whether isolated devices will use outbound or inbound communications, or both. You can then restrict communications.

    • Malicious Network Traffic Prevention (IPS) (Windows). You can exclude specific network traffic from inspection.

      Choose whether to exclude outbound or inbound traffic. Then specify the address or ports the traffic uses.

    • Exploit Mitigation and Activity Monitoring (Windows). You can exclude applications from protection against security exploits.

      For example, you might want to exclude an application that is incorrectly detected as a threat until the problem has been resolved.

    • AMSI Protection (Windows). You can exclude a drive, folder or file by full path. Code in this location is not scanned. You can use the wildcard * for file name or extension.

    • Ransomware Protection (Windows). You can exclude applications or folders from protection against ransomware.

      For example, if you have an application that encrypts data, you might want to exclude it or you might want to exclude folders used by backup applications.

    • Ransomware Protection (Mac). You can exclude applications or folders from protection against ransomware.

      For example, if you have an application that encrypts data, you might want to exclude it or you might want to exclude folders used by backup applications.

  5. For File or folder exclusions, in the Active for drop-down list, specify if the exclusion should be valid for real-time scanning, for scheduled scanning, or for both.

  6. Click Add or Add Another. The exclusion is added to the scanning exclusions list.

To edit an exclusion later, click its name in the exclusions list, enter new settings and click Update.
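
The following Python example is added here and is not Sophos code or a Sophos Central API. It checks proposed Windows file or folder exclusions and website exclusions against the rules stated in step 4 (full path, no *.*, websites given as IP address, CIDR range or domain) before they are entered in the console. The kind names, the sample entries and the /16 review threshold are assumptions.

```python
import ipaddress
import re
from pathlib import PureWindowsPath

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
MIN_V4_PREFIX = 16  # assumption: local review threshold, not a product limit

def review(kind, value):
    """Return (severity, message) findings; an empty list means no objection."""
    findings = []
    if kind == "file_windows":          # hypothetical kind name
        path = PureWindowsPath(value)
        if not path.is_absolute():
            findings.append(("invalid", "not a full path"))
        if path.name == "*.*":
            findings.append(("invalid", "*.* is not a valid wildcard"))
        if path.is_absolute() and path.parent == path:
            findings.append(("review", "excludes an entire drive"))
    elif kind == "website":             # hypothetical kind name
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            # Not an IP address or CIDR range, so it must look like a domain.
            if not DOMAIN_RE.match(value):
                findings.append(("invalid", "not an IP, CIDR range or domain"))
        else:
            if net.version == 4 and net.prefixlen < MIN_V4_PREFIX:
                findings.append(
                    ("review", f"/{net.prefixlen} covers {net.num_addresses} addresses"))
    else:
        findings.append(("invalid", f"unknown exclusion kind {kind!r}"))
    return findings

# Constructed sample entries, not exported from any product.
PROPOSED = [
    ("file_windows", r"C:\Backups\nightly\*.bak"),
    ("file_windows", r"C:\Temp\*.*"),
    ("file_windows", "D:\\"),
    ("file_windows", r"logs\app.log"),
    ("website", "203.0.113.0/24"),
    ("website", "0.0.0.0/0"),
    ("website", "intranet.example.com"),
]

if __name__ == "__main__":
    for kind, value in PROPOSED:
        for severity, message in review(kind, value) or [("ok", "")]:
            print(f"{severity:8} {kind:13} {value}  {message}")
```

Entries marked "review" are accepted by the rules in step 4 but are broad enough to warrant a second look, in line with the warning about global exclusions reducing protection.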