Below is a part of our discussion with Sophos - adding exclusions seems to be their position on cases like this.
- Sophos continuously improves its detection capabilities to enhance protection against new and emerging threats. As part of these updates, detection logic may be strengthened or newly introduced. This can sometimes result in legitimate applications being flagged if their behavior matches known exploit techniques.
- Additionally, if the application (such as Altera Quartus Prime Pro) performs actions that resemble exploit techniques or if certain components of the application are considered vulnerable, Sophos may begin monitoring or blocking those behaviors.
- Some legitimate applications perform low-level operations (e.g., DLL loading behavior, memory manipulation, command execution, or dynamic code execution) that are similar to techniques used by malware.
- In such cases, Sophos detects the behavior as a potential exploit, which may use advanced system-level operations as part of its normal functionality, even if the application itself is trusted. When you add an exploit or process exclusion Sophos stops monitoring or blocking those specific behaviors for that application. This prevents the Sophos endpoint agent from triggering alerts or blocking execution.