Hi, the following app IRFANVIEW is part of the app control list but when i select for it to be blocked, the endpoint still allows the application.
can this be looked into thank you.
This thread was automatically locked due to age.
Hi, the following app IRFANVIEW is part of the app control list but when i select for it to be blocked, the endpoint still allows the application.
can this be looked into thank you.
When testing APPC, I tend to use the SophosSAVICLI.exe just to see if it's detected:
e.g.
&"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"
The directories will differ but they key thing is the -controlled switch.
As a test:
&"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\Internet Explorer\iexplore.exe"
...
'AppC/IE11-Gen' found in file C:\Program Files\Internet Explorer\iexplore.exe
So as you'd expect iexplore.exe is detected by Application control as AppC/IE11-Gen.
Usually an application control identity, detects both the installer and the app. In this case, though I can't see to get any of the files from:
https://www.fosshub.com/IrfanView.html? to be detected, be it the installer, the main exe for the last few older versions.
I would raise a ticket with Support as it should be detected given you can select it in policy.
https://support.sophos.com/support/s/filesubmission?language=en_US should also work (I get an answer) but might be slower?
This would detected using the CLI regardless of policy: So even if you've sent a policy to block this app, e.g. at the client: app_control_blocked_app_list under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ApplicationControl\[latestrevision]\ contains: IrfanView.
Hope it help. Thanks.
When testing APPC, I tend to use the SophosSAVICLI.exe just to see if it's detected:
e.g.
&"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"
The directories will differ but they key thing is the -controlled switch.
As a test:
&"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\Internet Explorer\iexplore.exe"
...
'AppC/IE11-Gen' found in file C:\Program Files\Internet Explorer\iexplore.exe
So as you'd expect iexplore.exe is detected by Application control as AppC/IE11-Gen.
Usually an application control identity, detects both the installer and the app. In this case, though I can't see to get any of the files from:
https://www.fosshub.com/IrfanView.html? to be detected, be it the installer, the main exe for the last few older versions.
I would raise a ticket with Support as it should be detected given you can select it in policy.
https://support.sophos.com/support/s/filesubmission?language=en_US should also work (I get an answer) but might be slower?
This would detected using the CLI regardless of policy: So even if you've sent a policy to block this app, e.g. at the client: app_control_blocked_app_list under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ApplicationControl\[latestrevision]\ contains: IrfanView.
Hope it help. Thanks.
It doesn't appear to be a new one, i.e. the data feed has it for the policy but the EP hasn't caught up:
https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications
It has the page: https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/IrfanView
Application Control contains the notifications and I don't see it listed in any of the recent notifications. Given the age of the app, I assume it's quite an old identity?
I went back to iview451_x64_setup.exe, the installer wasn't detected but the main exe then was:
&"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"
'AppC/Irfan-Gen' found in file C:\Program Files\IrfanView\i_view64.exe
So it looks like the generic identity needs an update.