Controlled/blocked applications are showing up in the list of Allowed Applications - Sophos Central.

Hi alan,

Thanks for reaching out to the Sophos Community Forum. 

Is it possible that some of the applications you're using leverage some of these other executables in the background? 

I will reach out to you via private message as well, so I may look into your Sophos Central environment. 

for testing, I tried to open Wireshark, and it was blocked as expected, giving me an alert in the Endpoint Protection, and a log in Sophos Central.

I can't think of any program I an using that could be using these remote access tools. I have strictly blocked all Proxy/tunnel/P2P applications in the firewall's App filter too. And even then the firewall is reporting all sorts of proxy apps being blocked on my network (psiphon, hide.Me, Tunello, ect.) 

Thank you for providing me with access via PM. The reason you are seeing entries in the "Allowed Applications" report is due to the Application Control Policy setting "Detect controlled applications during scheduled and on-demand scans".

When the scan occurs, blocked applications will be detected but won't be blocked as they are not "running". 
When you run a blocked application, it will be detected and blocked right away.

This is made evident by checking the "Events" report from the main dashboard's Logs & Events menu. 

- From the main dashboard, select "Logs & Events"
- Open the Events Report
- Select "Application Control Events" and "Protection Issues" in the event type selector (this includes the event "Full system scan initiated")
- Click Update on the upper right-hand side of the page

Regarding the results you're seeing on the Firewall, checking some of the discussions on the Sophos Firewall page may help, though I'd suggest raising another thread so the knowledgeable folks over there can assist you as well. 

Ok, that explains why they are detected, but the thing that really irritates me is that when doing the Scan, Endpoint Protection Agent logs do no not mention these controlled applications were found anywhere, or where they are located. I have searched my PC's drives and Windows registry for "TightVNC" and and have no results at all, yet Sophos keeps finding it after every scan. 

Where is this TightVNC located that it keeps finding among all the other remote access tools that I have not even installed?

I installed Wireshark, which includes Nmap and Winpcap as an add-on, but the TightVNC and psiphon3 thing is really perplexing.

Our tenant is flagging TightVNC as well; not sure where this is coming from.

I tested this a bit further and found relevant logs in the following location. Let me know if searching this logfile for the name of the app in question helps you find the relevant files that are triggering the detection.

- C:\ProgramData\Sophos\Endpoint Defense\Logs\SSP.log