Skip to content

Allowed applications

You can see applications that you have allowed to run on your computers.

Go to Global Settings > Allowed Applications.

You can see applications that you have allowed to run on your endpoint computers.

The page shows where the application was originally detected (if applicable) and how it was allowed.

About allowed applications

Our software detects threats that are previously unknown. However, it may sometimes identify an application as a threat, even though you know that it’s safe. When this happens, you can “allow” the application. This does as follows:

  • Prevents this detection from happening again.
  • Restores all copies that have been cleaned up (removed from computers).

Alternatively, you can allow an application in advance, so that it won't be detected when you install it for users.


Think carefully before you allow applications because it reduces your protection.


If an option is locked global settings have been applied by your partner or Enterprise administrator. You can still stop detecting applications, exploits and ransomware by going to the events list.

Allow an application that's been detected

Only allow an application if you know it's safe. For help deciding, see How to investigate and resolve a potential False Positive or Incorrect Detection.

To allow an application that Sophos has detected and removed, do as follows.

Note that:

  • This allows the application for all computers and users.
  • This allows the application to run and excludes it from further threat detections. However, we'll still check it for exploits, ransomware, and malicious behavior when it's running.

  • Go to Devices.

  • Go to the Computers or Servers page, depending on where the application was detected.
  • Find the computer where the detection happened and click on it to view its details.
  • On the Events tab, find the detection event and click Details.
  • In the Event details dialog, look under Allow this application.
  • Select the method of allowing the application:

    Available methods vary by platform.

    • Certificate: This is recommended. It also allows other applications with the same certificate.
    • SHA-256: This allows this version of the application. However, if the application is updated, it could be detected again.
    • Path: This allows the application as long as it's installed in the path (location) shown. You can edit the path (now or later) and you can use variables if the application is installed in different locations on different computers.
  • Click Allow.

Edit the path for an allowed application

You can change the path that you specified when you allowed an application.

  1. On the Allowed Applications page, find the application. The current path is shown in the details.
  2. Click the edit icon (the pen) on the far right of the page.

    Blue pen.

  3. In the Edit path dialog, enter the new path.

When you edit a path, details of the original detection (user, computer and path) are removed from the list.

We display paths in Windows format, even if you enter them in Linux format. For example, if you enter /var/files we show it as \var\files.

Start detecting an application again

If you want Sophos to start detecting and removing an application again, you remove it from the Allowed Applications list.

Select the application and click Remove (in the upper right of the page).