How to roll out an exploit prevention policy

Vulnerable applications are protected by default. Be careful when excluding applications from exploit prevention. Excluded applications are still protected by CryptoGuard and Safe Browsing.

We recommend that you roll out an exploit prevention policy as follows:

  1. All exploit prevention options are turned on by default. We recommend that you use the default settings. You should monitor any exploit prevention events for a period of time before altering the settings.
  2. Use the Exploit Prevention Event Viewer to monitor any exploit prevention events. You can access the Event Viewer by clicking Events > Exploit Prevention Events.
  3. Amend the exploit prevention policy based on your monitoring. For example, you may want to exclude some applications or exploit events from exploit mitigation. For more information, see the Sophos Enterprise Console help.
    Caution: For increased security, we recommend that you base the exclusion on the thumbprint of the exploit event rather than excluding the whole application.
    1. Create a new policy or amend the default policy.
    2. Check for any weaknesses in the policy.
    3. Where needs differ, subdivide the group and create extra policies as needed.
  4. Assign your policies as required.