Application Control - IRFANVIEW not working

Hi, the following app, IRFANVIEW, is part of the app control list, but when I select for it to be blocked, the endpoint still allows the application.

Can this be looked into? Thank you.



[edited by: Gladys at 10:39 AM (GMT -7) on 24 Apr 2024]
  • Hi Ricardo,

    Thanks for reaching out to the Sophos Community Forum. 

    I'd suggest sending in an Application Control Request for the app in question. If the app version has changed recently, Sophos Labs may not have the latest version categorized. 

    You can submit an Application Control request from the following page: 
    - Submit a Sample

    If you are testing by logging in with a user account that has the app allowed and then re-logging with an account that has the app blocked, I'd suggest verifying that the latest policy has been received on the device using the "Endpoint Self Help" tool prior to launching the app, to verify if the policy just hasn't applied in time. 

    Kushal Lakhan
    Team Lead, Global Community Support
  • When testing APPC, I tend to use the SophosSAVICLI.exe just to see if it's detected:

    e.g.

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"

    The directories will differ, but the key thing is the -controlled switch.

    As a test:

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\Internet Explorer\iexplore.exe"
    ...
    'AppC/IE11-Gen' found in file C:\Program Files\Internet Explorer\iexplore.exe

    So, as you'd expect, iexplore.exe is detected by Application Control as AppC/IE11-Gen.

    Usually an application control identity detects both the installer and the app. In this case, though, I can't seem to get any of the files from
    https://www.fosshub.com/IrfanView.html to be detected, be it the installer or the main exe, for the last few older versions.

    I would raise a ticket with Support as it should be detected given you can select it in policy.  

    https://support.sophos.com/support/s/filesubmission?language=en_US should also work (I get an answer) but might be slower?

    This would be detected using the CLI regardless of policy. So even if you've sent a policy to block this app, e.g. at the client, app_control_blocked_app_list under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ApplicationControl\[latestrevision]\ contains IrfanView.

    Hope it helps. Thanks.

  • It doesn't appear to be a new one, i.e., the data feed has it for the policy, but the EP hasn't caught up:
    https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications

    It has the page: https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/IrfanView 

    Application Control contains the notifications, and I don't see it listed in any of the recent notifications. Given the age of the app, I assume it's quite an old identity?

    I went back to iview451_x64_setup.exe; the installer wasn't detected, but the main exe then was:

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"

    'AppC/Irfan-Gen' found in file C:\Program Files\IrfanView\i_view64.exe

    So it looks like the generic identity needs an update.
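
The two replies above describe a manual two-part check: run SophosSAVICLI.exe with -controlled against the binary to see whether the engine has an Application Control identity for it, and look at app_control_blocked_app_list under the latest ApplicationControl policy revision in the registry to see whether the policy actually names the app. The PowerShell below is an added example, not code from the posts or from Sophos, that wraps both checks into one function so the result separates "engine has no identity" (what this thread found) from "policy never arrived". It uses only the switches and paths shown in the posts. Assumptions, which are not confirmed by the thread: the numeric engine and data folder names under engine1 vary per machine and the most recently written one is the active one; the policy revision subkeys sort so that the highest name is the latest; app_control_blocked_app_list is a REG_SZ or REG_MULTI_SZ value; the CLI's detection line has the exact form shown in the post. Run it from an elevated PowerShell on a Windows endpoint with Sophos installed.

```powershell
# Added example (not from the forum posts): combine the SophosSAVICLI.exe -controlled
# scan and the ApplicationControl policy registry lookup into one check.
# Assumptions (labelled): newest engine/data folder is the active one; highest-named
# revision subkey is the latest policy; the blocked list is a string or multi-string value.

function Test-SophosAppControl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,     # file to scan, e.g. "C:\Program Files\IrfanView\i_view64.exe"
        [string]$AppName   # policy entry to look for, e.g. "IrfanView" (optional)
    )

    $root = 'C:\Program Files\Sophos\Sophos Standalone Engine\engine1'

    # Folder names differ per machine (as noted in the posts); assume the newest is active.
    $engineDir = Get-ChildItem -Path (Join-Path $root 'engine') -Directory |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $dataDir = Get-ChildItem -Path (Join-Path $root 'data') -Directory |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $engineDir -or -not $dataDir) {
        throw "Sophos engine/data directories not found under $root"
    }

    $cli = Join-Path $engineDir.FullName 'SophosSAVICLI.exe'
    if (-not (Test-Path $cli)) { throw "SophosSAVICLI.exe not found at $cli" }

    # Same switches as the posts: -controlled plus the virus-data and IDE directories.
    $output = & $cli -controlled "-vdldir=$($dataDir.FullName)" "-idedir=$($dataDir.FullName)" $Path 2>&1 |
        Out-String

    # Detection line format taken from the post: 'AppC/Irfan-Gen' found in file <path>
    $identity = $null
    if ($output -match "'(AppC/[^']+)' found in file") { $identity = $Matches[1] }

    # Policy side: latest ApplicationControl revision and its blocked-app list.
    $policyRoot = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ApplicationControl'
    $blocked = @()
    $revision = $null
    if (Test-Path $policyRoot) {
        $revision = Get-ChildItem -Path $policyRoot |
            Sort-Object PSChildName -Descending | Select-Object -First 1   # assumption: highest name = latest
        if ($revision) {
            $value = (Get-ItemProperty -Path $revision.PSPath -ErrorAction SilentlyContinue).app_control_blocked_app_list
            # Assumption: REG_MULTI_SZ (array) or REG_SZ (single string); normalise to string array.
            $blocked = @($value) | Where-Object { $_ } | ForEach-Object { "$_" }
        }
    }

    [pscustomobject]@{
        File            = $Path
        Identity        = $identity          # e.g. AppC/Irfan-Gen, or $null if the engine has no identity
        EngineDetects   = [bool]$identity
        PolicyRevision  = if ($revision) { $revision.PSChildName } else { $null }
        PolicyBlocksApp = if ($AppName) { [bool]($blocked -match [regex]::Escape($AppName)) } else { $null }
        RawOutput       = $output.Trim()
    }
}

# Usage: run both checks against the IrfanView binary discussed in the thread.
Test-SophosAppControl -Path 'C:\Program Files\IrfanView\i_view64.exe' -AppName 'IrfanView' |
    Format-List
```

Reading the result: EngineDetects = $true with PolicyBlocksApp = $false means the identity exists and the device simply has not received a policy that blocks the app (re-check with Endpoint Self Help as suggested in the first reply); EngineDetects = $false with PolicyBlocksApp = $true is the situation in this thread, where the policy names IrfanView but the generic identity does not match the installed build, which is the case to send to Sophos Support or via a sample submission.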