Thread Info
  • State Not Answered
  • Replies 1 reply
  • Subscribers 13 subscribers
  • Views 511 views
  • Users 0 members are here
Options
Suggested

Sophos Central Application Control Policy does not verify user

Ken Lux

Hi,

I am setting up application control with Sophos Central, and ran into a few problems that have clumsy workarounds, but one that I don't know how to workaround is this.

Sophos Application Control only looks at the currently logged on user to determine if an application can start. For example, I have Powershell blocked in the base policy, and then added exceptions for some users to allow Powershell.

Here are the results of testing:

  1. Logged onto windows as a standard user, idle: Sophos periodically blocks Powershell
  2. Logged onto windows as a standard user, run Powershell as standard user: Sophos blocks it
  3. Logged onto windows as a standard user, run Powershell as excepted user (using runas or run as administrator): Sophos blocks it
  4. Logged onto windows as an excepted user, idle: No notification of Sophos blocking Powershell
  5. Logged onto windows as an excepted user, run Powershell as excepted user: Sophos allows it
  6. Logged onto windows as an excepted user, run Powershell as standard user (using runas): Sophos allows it

Of these, only behaviors (2), (4), and (5) are expected.

(1) was concerning at first, but I believe that these are system processes trying to run Powershell. Still investigating this, but concerning if legit scheduled tasks aren't allowed.

(3) and (6) appear to indicate that Sophos is deciding to block applications not based upon the user actually calling the application and is only using the logged-on user to determine if the application should be blocked or not.

(3) is inconvenient, but (6) would appear to be a big security hole. If an endpoint is infected with malware that Sophos is blocking from using Powershell because the logged-on user is not on the exception list, but then if an excepted user logs on to do maintenance then Powershell would no longer be blocked.

Is this expected behavior?

If so, it sounds like because of (1) and (6) that Application control should not be used on system applications.

Thanks,

Ken



Added Tags
[edited by: GlennSen at 3:02 AM (GMT -7) on 2 Apr 2024]
  • 0

    Application control works in real-time, i.e. blocks when the binary is mapped for execution. It can "find" applications on scheduled scans.

    If you have a process exclusion for the parent process, the client would not get detected.  E.g. If you have a process exclusion for cmd.exe, and from cmd.exe launch powershell.exe (which would typically be be blocked if set to) it will be allowed. Worth bearing in mind but process exclusions should be pretty rare.

    If you have a file/path exclusion for the "process" it will not get detected. E.g. "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" or "C:\Windows\System32\WindowsPowerShell\v1.0\" for example. Just to say that real-time exclusions affect app control.

    Only one policy is applied at a time, be it device or user. If user1 is logged on, it requires a status to be sent to Central to inform central that user1 is logged on, and it will send a policy for that user.  If user 2 logs on, a status will be sent to Central and it will send down a policy for that user.  There is no client side caching of policy for user so it is reliant on connectivity when switching users and the timely render of policy by Central. You can see a trail of incoming and outcoming messages in C:\ProgramData\Sophos\Management Communications System\Endpoint\Trail\

    $mcs_trail     = $env:ProgramData+"\Sophos\Management Communications System\Endpoint\Trail"
$messages_info = @()

Function Get-Direction([string]$base_name_of_file){
    if ($base_name_of_file -match "Policy" -or $base_name_of_file -match "Command" ){
        return "From-Central"
    }
    else {
        return "To-Central"
    }
}

Get-ChildItem $mcs_trail -Filter "*.xml" | ForEach-Object {

    [xml]$message = Get-Content $_.FullName -Raw

    $messages_info  += [PSCustomObject]@{
        CreationTime = $message.persist.creationTime   
        Direction    = Get-Direction($_.BaseName)
        Name         = $message.persist.name 
        Type         = $($_.BaseName -split "-")[2]
        FileName     = $_.BaseName  
    }
}

$messages_info | Sort-Object CreationTime -Descending | Out-GridView -Title "Sophos MCS Events"

    Maybe these points help.

Unfiltered HTML