Endpoint Detection & Response: Allow Application


When Sophos classifies an application as malicious and it's made a mistake, it's called a false positive. There's a variety of mechanisms to suppress these types of detections. One of the most common is available directly from the event details, where you can choose to allow an application by its SHA-256 unique identifier, the signing certificate, or the file name and path. For exploits we also allow suppression of exploit detection by exploit type. Let me show you what that looks like in the console.

So we have a number of detections here where malware has been found. This one here, dropper.exe, has been classified as malware. Going to the details, I can choose to allow this application. If I knew it was developed by my internal IT department, that it's not being classified as malware by other Sophos product capabilities or by other security vendors, I may want to allow it directly by its SHA-256. I may need to allow it by file name and path if it's an executable that changes frequently. If it's an internal application, hopefully I've signed it and I could allow it by signing certificate. Similarly, if the software manufacturer has signed the code, you could allow this application and other code signed with the same certificate to be suppressed from any malware detections. When you go to add it as an application that's being suppressed, we request that you provide some additional information to Sophos to make our products better. You don't have to, but you can provide some comments, and all of this information will flow back to Sophos so that we can improve our products.

If the detection was through an exploit, a slightly different exclusion mechanism is available. You can simply exclude it by the unique detection ID, so the detection ID is made available. In this case we've detected this executable is performing a ransomware behavior. If we wanted to suppress that ransomware detection we could add it here, and again provide some comments. Protection against other exploit techniques like heap spray, stack pivot, and privilege escalation are still going to be applied. You're only turning off the ransomware detection for this executable.

If malware has been classified as a legitimate application and you've made a mistake and you need to undo that, you can go to your list of allowed applications and remove it from the list. Going forward this will be treated as malware, and it'll be cleaned up the next time we see it executing, or the next time a scan is performed on the device.
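The three allow criteria described above (SHA-256, signing certificate, file name and path) behave differently when the executable is updated or replaced. The following is an added illustration, not Sophos code and not how the console implements allow rules; it models each criterion as a simple matcher over constructed sample files to show what each one does and does not keep allowing.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample data only; paths, signer names and contents are made up.
@dataclass(frozen=True)
class FileInfo:
    path: str
    content: bytes
    signer: Optional[str]  # subject of the signing certificate, None if unsigned

@dataclass(frozen=True)
class AllowRule:
    kind: str   # "sha256", "certificate" or "path" (the page's three criteria)
    value: str

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def rule_matches(rule: AllowRule, f: FileInfo) -> bool:
    """Return True if the file is covered by this allow rule."""
    if rule.kind == "sha256":
        # Exact content match: stops matching as soon as the binary changes.
        return sha256_hex(f.content) == rule.value.lower()
    if rule.kind == "certificate":
        # Any code signed by that certificate, across versions, is allowed.
        return f.signer is not None and f.signer == rule.value
    if rule.kind == "path":
        # Anything at that location is allowed, signed or not.
        return f.path.lower() == rule.value.lower()
    raise ValueError(f"unknown rule kind {rule.kind!r}")

def is_allowed(rules: List[AllowRule], f: FileInfo) -> bool:
    return any(rule_matches(r, f) for r in rules)

# Version 1, an updated version 2, and an unsigned file dropped at the same path.
V1 = FileInfo(r"C:\Tools\dropper.exe", b"build 1", "CN=Internal IT")
V2 = FileInfo(r"C:\Tools\dropper.exe", b"build 2", "CN=Internal IT")
IMPOSTOR = FileInfo(r"C:\Tools\dropper.exe", b"unrelated binary", None)

def demo() -> dict:
    """For each criterion: (allows V1, allows V2, allows IMPOSTOR)."""
    by_hash = [AllowRule("sha256", sha256_hex(V1.content))]
    by_cert = [AllowRule("certificate", "CN=Internal IT")]
    by_path = [AllowRule("path", r"C:\Tools\dropper.exe")]
    samples = (V1, V2, IMPOSTOR)
    return {
        "hash": tuple(is_allowed(by_hash, s) for s in samples),  # (True, False, False)
        "cert": tuple(is_allowed(by_cert, s) for s in samples),  # (True, True, False)
        "path": tuple(is_allowed(by_path, s) for s in samples),  # (True, True, True)
    }
```

The path rule is the only one that also allows the unsigned impostor, which is why it is the broadest of the three and worth reviewing when an executable is allowed that way.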
