This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Controlled/blocked applications are showing up in the list of Allowed Applications - Sophos Central.

I am testing the Sophos endpoint protection EAP, and have synchronized application control enabled. I am having an issue, where all the controlled application that are set to blocked are showing up as allowed, even applications I do not use, such as remote desktop, SSH, TightVNC, proxies ect.

How can these applications be blocked, and also frequently allowed the same time? i do not use any of the programs. Also, I have wireshark blocked, and the Endpoint Security informs me that it was blocked, but it not showing up in the list of blocked applications in Sophos Central.



This thread was automatically locked due to age.
Parents
  • Hi alan,

    Thanks for reaching out to the Sophos Community Forum. 

    Is it possible that some of the applications you're using leverage some of these other executables in the background? 

    I will reach out to you via private message as well, so I may look into your Sophos Central environment. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • for testing, I tried to open Wireshark, and it was blocked as expected, giving me an alert in the Endpoint Protection, and a log in Sophos Central.

    I can't think of any program I an using that could be using these remote access tools. I have strictly blocked all Proxy/tunnel/P2P applications in the firewall's App filter too. And even then the firewall is reporting all sorts of proxy apps being blocked on my network (psiphon, hide.Me, Tunello, ect.) 

  • Thank you for providing me with access via PM. The reason you are seeing entries in the "Allowed Applications" report is due to the Application Control Policy setting "Detect controlled applications during scheduled and on-demand scans".

    When the scan occurs, blocked applications will be detected but won't be blocked as they are not "running". 
    When you run a blocked application, it will be detected and blocked right away.

    This is made evident by checking the "Events" report from the main dashboard's Logs & Events menu. 

    - From the main dashboard, select "Logs & Events"
    - Open the Events Report
    - Select "Application Control Events" and "Protection Issues" in the event type selector (this includes the event "Full system scan initiated")
    - Click Update on the upper right-hand side of the page

    Regarding the results you're seeing on the Firewall, checking some of the discussions on the Sophos Firewall page may help, though I'd suggest raising another thread so the knowledgeable folks over there can assist you as well. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • Thank you for providing me with access via PM. The reason you are seeing entries in the "Allowed Applications" report is due to the Application Control Policy setting "Detect controlled applications during scheduled and on-demand scans".

    When the scan occurs, blocked applications will be detected but won't be blocked as they are not "running". 
    When you run a blocked application, it will be detected and blocked right away.

    This is made evident by checking the "Events" report from the main dashboard's Logs & Events menu. 

    - From the main dashboard, select "Logs & Events"
    - Open the Events Report
    - Select "Application Control Events" and "Protection Issues" in the event type selector (this includes the event "Full system scan initiated")
    - Click Update on the upper right-hand side of the page

    Regarding the results you're seeing on the Firewall, checking some of the discussions on the Sophos Firewall page may help, though I'd suggest raising another thread so the knowledgeable folks over there can assist you as well. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
  • Ok, that explains why they are detected, but the thing that really irritates me is that when doing the Scan, Endpoint Protection Agent logs do no not mention these controlled applications were found anywhere, or where they are located. I have searched my PC's drives and Windows registry for "TightVNC" and and have no results at all, yet Sophos keeps finding it after every scan. 

    Where is this TightVNC located that it keeps finding among all the other remote access tools that I have not even installed?

    I installed Wireshark, which includes Nmap and Winpcap as an add-on, but the TightVNC and psiphon3 thing is really perplexing.

  • Our tenant is flagging TightVNC as well; not sure where this is coming from.

  • I tested this a bit further and found relevant logs in the following location. Let me know if searching this logfile for the name of the app in question helps you find the relevant files that are triggering the detection.

    - C:\ProgramData\Sophos\Endpoint Defense\Logs\SSP.log 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids