2 votesKarl commented
Today sophos will detect a executable launched from the temp directory or other suspect location. This as an indicator of compromise is taken into account when detecting malicious activity.
The ability to specifically prevent execution of code (EXE, DLL, JS, JBS, etc..) from select directories like $TEMP, or other commonly used workspaces where malware is often dropped is not currently available. This approach of creating a black list execution location with a white list for authorized business applications is under evaluation as part of the ongoing improvements for the endpoint protection software but is not in any committed roadmap.