Exploit prevention on server 2012 picking up on legitimate Excel macros - unable to whitelist

Question

hey, 
 user trying to run legitimate macros in Excel gets: 'Lockdown' exploit prevented in Microsoft Excel 
 now, we tried whitelisting in "detected exploits" but this comes up with a different ID each time its flagged. 
 what else can be done bar disabling exploit prevention for MS Office? 
 
 JT

DianneY · Accepted Answer

Hello JT 
 Since you said that the detection ID always changes, it would be hard to whitelist this via Central in the meantime. Can you please see if the Intercept X hotfix resolves the issue with the FP detections? 
 Sophos Central Intercept X, Central Server Intercept X Advanced and Sophos Exploit Prevention cumulative hotfix 
 If it does not fix, I would recommend to raise a support case for further review, with the following information, at the very least: 
 
 SDU Logs: Run SDU from the Endpoint OR Run SDU from Sophos Central (you can include the file name you have sent earlier to your request) 
 Enable Remote Assistance