Hi, the following app IRFANVIEW is part of the app control list but when i select for it to be blocked, the endpoint still allows the application.
can this be looked into thank you.
When testing APPC, I tend to use the SophosSAVICLI.exe just to see if it's detected:
e.g.
&"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"
The directories will differ but the key thing is the -controlled switch.
As a test:
&"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\Internet Explorer\iexplore.exe"
...
'AppC/IE11-Gen' found in file C:\Program Files\Internet Explorer\iexplore.exe
So as you'd expect iexplore.exe is detected by Application control as AppC/IE11-Gen.
Usually an application control identity detects both the installer and the app. In this case, though, I can't seem to get any of the files from:
https://www.fosshub.com/IrfanView.html? to be detected, be it the installer or the main exe, for the last few older versions.
I would raise a ticket with Support as it should be detected given you can select it in policy.
https://support.sophos.com/support/s/filesubmission?language=en_US should also work (I get an answer) but might be slower?
This would be detected using the CLI regardless of policy: so even if you've sent a policy to block this app, e.g. at the client: app_control_blocked_app_list under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ApplicationControl\[latestrevision]\ contains: IrfanView.
Hope it helps. Thanks.
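The two checks from the reply above (is the app in the pushed policy's blocked list, and does the engine's -controlled scan detect the file at all) put together as an added PowerShell example; this is not code from the thread or from Sophos. It assumes the engine/data folder layout shown in the commands above, that the highest-named subkey under ApplicationControl is the latest revision, and that app_control_blocked_app_list is a string or multi-string value.

```powershell
# Added example, not from the thread. Verifies an Application Control identity
# end-to-end on one endpoint: policy says "block", and the engine can detect it.
param(
    [string]$AppName = 'IrfanView',
    [string[]]$Files = @(
        'C:\Program Files\IrfanView\i_view64.exe',
        'C:\Program Files\Internet Explorer\iexplore.exe'
    )
)

$engineRoot = 'C:\Program Files\Sophos\Sophos Standalone Engine\engine1'

# The numbered engine/data folder names change with each update, so pick the
# newest one instead of hard-coding them (layout as in the commands above).
$engineDir = Get-ChildItem "$engineRoot\engine" -Directory | Sort-Object LastWriteTime | Select-Object -Last 1
$dataDir   = Get-ChildItem "$engineRoot\data"   -Directory | Sort-Object LastWriteTime | Select-Object -Last 1
$cli       = Join-Path $engineDir.FullName 'SophosSAVICLI.exe'

# 1. Is the app in the blocked list of the latest policy revision?
$polRoot = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ApplicationControl'
$latest  = Get-ChildItem $polRoot | Sort-Object Name | Select-Object -Last 1   # assumption: highest name = latest revision
$blocked = (Get-ItemProperty $latest.PSPath).app_control_blocked_app_list      # assumption: string / multi-string value
$inPolicy = (@($blocked) -join ',') -match [regex]::Escape($AppName)
"Policy revision $($latest.PSChildName) blocks '$AppName': $inPolicy"

# 2. Does the engine detect each file, regardless of policy?
foreach ($f in $Files) {
    if (-not (Test-Path $f)) { "$f : not present, skipped"; continue }
    $out = & $cli -controlled -vdldir="$($dataDir.FullName)" -idedir="$($dataDir.FullName)" $f 2>&1
    # Output format seen in the thread: 'AppC/IE11-Gen' found in file C:\...
    $hit = $out | Select-String "^'(AppC/[^']+)' found in file" | Select-Object -First 1
    if ($hit) {
        "$f : detected as $($hit.Matches[0].Groups[1].Value)"
    } else {
        "$f : no AppC identity returned; policy cannot block what the engine does not identify"
    }
}
```

A file that is in the policy's blocked list but gets no AppC identity from the scan is the case to raise with Support.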
It doesn't appear to be a new one, i.e. the data feed has it for the policy but the EP hasn't caught up:
https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications
It has the page: https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/IrfanView
Application Control contains the notifications and I don't see it listed in any of the recent notifications. Given the age of the app, I assume it's quite an old identity?
I went back to iview451_x64_setup.exe, the installer wasn't detected but the main exe then was:
&"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"
'AppC/Irfan-Gen' found in file C:\Program Files\IrfanView\i_view64.exe
So it looks like the generic identity needs an update.