This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application Control - IRFANVIEW not working

Hi, the following app IRFANVIEW is part of the app control list but when i select for it to be blocked, the endpoint still allows the application.

can this be looked into thank you.



This thread was automatically locked due to age.
  • Hi Ricardo,

    Thanks for reaching out to the Sophos Community Forum. 

    I'd suggest sending in an Application Control Request for the app in question. If the app version has changed recently, Sophos Labs may not have the latest version categorized. 

    You can submit an Application Control request from the following page: 
    - Submit a Sample

    If you are testing by logging in with a user account that has the app allowed and then re-logging with an account that has the app blocked, I'd suggest verifying that the latest policy has been received on the device using the "Endpoint Self Help" tool prior to launching the app, to verify if the policy just hasn't applied in time. 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • When testing APPC, I tend to use the SophosSAVICLI.exe just to see if it's detected:

    e.g.

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"

    The directories will differ but they key thing is the -controlled switch.

    As a test:

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\Internet Explorer\iexplore.exe"
    ...
    'AppC/IE11-Gen' found in file C:\Program Files\Internet Explorer\iexplore.exe

    So as you'd expect iexplore.exe is detected by Application control as AppC/IE11-Gen.

    Usually an application control identity, detects both the installer and the app. In this case, though I can't see to get any of the files from:
    https://www.fosshub.com/IrfanView.html? to be detected, be it the installer, the main exe for the last few older versions.

    I would raise a ticket with Support as it should be detected given you can select it in policy.  

    https://support.sophos.com/support/s/filesubmission?language=en_US should also work (I get an answer) but might be slower?

    This would detected using the CLI regardless of policy: So even if you've sent a policy to block this app, e.g. at the client: app_control_blocked_app_list under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ApplicationControl\[latestrevision]\ contains: IrfanView.

    Hope it help. Thanks.

  • It doesn't appear to be a new one, i.e. the data feed has it for the policy but the EP hasn't caught up:
    https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications

    It has the page: https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/IrfanView 

     Application Control  contains the notifications and I don't see it listed in any of the recent notifications.  Given the age of the app, I assume it's quite an old identity?

    I went back to iview451_x64_setup.exe, the installer wasn't detected but the main exe then was:

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"

    'AppC/Irfan-Gen' found in file C:\Program Files\IrfanView\i_view64.exe

    So it looks like the generic identity needs an update.