
Application Control - IRFANVIEW not working

Hi, the following app IRFANVIEW is part of the app control list, but when I select it to be blocked, the endpoint still allows the application.

Can this be looked into? Thank you.



  • When testing APPC, I tend to use the SophosSAVICLI.exe just to see if it's detected:

    e.g.

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"

    The directories will differ but the key thing is the -controlled switch.

    As a test:

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\Internet Explorer\iexplore.exe"
    ...
    'AppC/IE11-Gen' found in file C:\Program Files\Internet Explorer\iexplore.exe

    So as you'd expect iexplore.exe is detected by Application control as AppC/IE11-Gen.

    Usually an application control identity detects both the installer and the app. In this case, though, I can't seem to get any of the files from:
    https://www.fosshub.com/IrfanView.html? to be detected, be it the installer or the main exe for the last few older versions.

    I would raise a ticket with Support as it should be detected given you can select it in policy.  

    https://support.sophos.com/support/s/filesubmission?language=en_US should also work (I get an answer) but might be slower?

    This would be detected using the CLI regardless of policy: So even if you've sent a policy to block this app, e.g. at the client: app_control_blocked_app_list under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ApplicationControl\[latestrevision]\ contains: IrfanView.

    Hope it helps. Thanks.
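
The check described in the reply above, as an added example that is not part of the original post and not Sophos code: it parses captured `SophosSAVICLI.exe -controlled` output for identity lines and reports which scanned files matched no Application Control identity. The function names and the sample output are constructed; only the `'...' found in file ...` line format is taken from the post.

```powershell
# Added example. Parses lines of the form quoted in the post:
#   'AppC/IE11-Gen' found in file C:\Program Files\Internet Explorer\iexplore.exe
function Get-AppCDetection {
    param([string[]]$CliOutput)
    # \x27 is a single quote; identities are assumed to start with "AppC/" as in the post.
    $pattern = '^\s*\x27(?<id>AppC/[^\x27]+)\x27 found in file (?<path>.+?)\s*$'
    foreach ($line in $CliOutput) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Identity = $Matches['id']; Path = $Matches['path'] }
        }
    }
}

function Get-AppCCoverage {
    param(
        [string[]]$ScannedFiles,  # files that were passed to the CLI with -controlled
        [string[]]$CliOutput      # captured output lines from those runs
    )
    $hits = @(Get-AppCDetection -CliOutput $CliOutput)
    foreach ($file in $ScannedFiles) {
        $hit = $hits | Where-Object { $_.Path -ieq $file } | Select-Object -First 1
        if ($hit) {
            # The CLI result does not depend on the policy sent to the endpoint.
            $identity = $hit.Identity
            $verdict  = 'Identity present in the detection data'
        } else {
            $identity = $null
            $verdict  = 'No identity match: if the app is selectable in policy, raise it with Support'
        }
        [pscustomobject]@{ File = $file; Identity = $identity; Verdict = $verdict }
    }
}

# Constructed sample: one detection line as in the post, nothing for IrfanView.
$sampleOutput = @(
    '...',
    "'AppC/IE11-Gen' found in file C:\Program Files\Internet Explorer\iexplore.exe"
)
$files = @(
    'C:\Program Files\Internet Explorer\iexplore.exe',
    'C:\Program Files\IrfanView\i_view64.exe'
)
Get-AppCCoverage -ScannedFiles $files -CliOutput $sampleOutput | Format-List
```

To use it with real runs, capture the CLI output into an array (for example `$out = & $cli -controlled ... $file`) and pass it as `-CliOutput`.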
