Application Control - Blocking Unlisted Applications and Not Logging in Central

Hey Guys,

I have noticed a handful of times recently that we have had Sophos blocking certain applications from running due to Application Control policies.

The interesting thing is that three in particular were not listed in Sophos Central as a "controllable" application, nor did it log these as being blocked in the event log. However, reviewing the local log on the endpoint, it states that the application was being blocked due to Application Control policy.

The only way to resolve this is to create a scanning exclusion for the EXE until the new Application Control Request is processed through Sophos.

Anyone else experience this?



This thread was automatically locked due to age.
  • What were the blocked application names?

    Regards,

    Jak

  • The three recent were:

    AdobeARM.exe

    OfficeClickToRun.exe

    VIPUIManager.exe (Symantec VIP Access)

  • For the first 2 applications (as I have those), using the command line scanner SAV32CLI (\Program Files (x86)\Sophos\Sophos Anti-Virus) and specifying the "controlled" switch to see if it's detected by application control (AppC):

    sav32cli -controlled "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    'AppC/AdARM-A'

    sav32cli -controlled "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe"
    'AppC/MSOCtR-A'

    SAV.txt, following a scheduled scan with all applications set for detection:

    20170506 141023 File "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" of controlled application 'Adobe Reader and Acrobat Manager' (of type Document viewer) has been detected.

    20170506 140952 File "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe" of controlled application 'Microsoft Office Click-to-Run' (of type Office suite) has been detected.

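To check the local SAV.txt evidence above against what Central actually lists, here is an added example (not code from the thread or from Sophos) that parses the "controlled application ... has been detected" line format quoted by Jak and reports detections whose application name does not appear in a set of names assumed to be copied from the Central Application Control policy. The sample log and the `CENTRAL_APPS` set are constructed for the example.

```python
import re
from dataclasses import dataclass

# Format of the SAV.txt lines quoted in the thread:
# YYYYMMDD HHMMSS File "<path>" of controlled application '<name>' (of type <type>) has been detected.
LINE_RE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>\d{6}) File "(?P<path>[^"]+)" of controlled application '
    r"'(?P<app>[^']+)' \(of type (?P<type>[^)]+)\) has been detected\.$"
)

@dataclass(frozen=True)
class AppcDetection:
    timestamp: str
    path: str
    app: str
    category: str

def parse_sav_log(text: str) -> list[AppcDetection]:
    """Return one record per AppC detection line; lines in any other format are ignored."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(AppcDetection(f"{m['date']} {m['time']}", m["path"], m["app"], m["type"]))
    return found

def unlisted_detections(detections, central_apps):
    """Detections whose application name is missing from the names shown in Central (case-insensitive)."""
    known = {name.casefold() for name in central_apps}
    return [d for d in detections if d.app.casefold() not in known]

# Constructed sample: the two lines quoted in the thread plus one unrelated line that must be skipped.
SAMPLE_LOG = r"""
20170506 141023 File "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" of controlled application 'Adobe Reader and Acrobat Manager' (of type Document viewer) has been detected.
20170506 140952 File "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe" of controlled application 'Microsoft Office Click-to-Run' (of type Office suite) has been detected.
20170506 140000 Scan 'Weekly' started.
"""

# Constructed stand-in for the application names visible in the Central policy (hypothetical).
CENTRAL_APPS = {"Microsoft Office Click-to-Run"}

if __name__ == "__main__":
    for d in unlisted_detections(parse_sav_log(SAMPLE_LOG), CENTRAL_APPS):
        print(f"{d.timestamp}: '{d.app}' ({d.category}) blocked locally but not listed in Central: {d.path}")
```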
  • Jak,

    Thank you for sharing this, I will keep the cli scanner in mind next time I need to troubleshoot this type of thing.

    However, at the time of the issue, these programs were not available in Sophos Central as a "controllable" application. That is why I was curious if anyone else had experienced this. We would all of a sudden receive notifications that an application had been blocked due to a policy (Adobe ARM), yet reviewing Sophos Central showed that Adobe ARM wasn't even on the list, leaving me no way of allowing the app. The only way to get around this was to add a scanning exclusion for the exe until the Application Control Request was processed by Sophos.

    I hope this makes sense...

  • Hi,

    The only thing I can think is that you have the following option selected for the categories you received detections for:

    "NEW APPLICATIONS ADDED TO THIS CATEGORY BY SOPHOS"

    It's at the bottom of the application list on the left.

    As soon as the virus data that includes detection of the file is updated at the client, the app would be detected and blocked/alerted on.

    It wouldn't need a policy to enable it. So I guess it's possible that you may have detected an application before the feed that feeds the policy was updated.

    I would be cautious of using the "NEW APPLICATIONS ADDED TO THIS CATEGORY BY SOPHOS" option unless it's a category you know you would never want any apps in it to run.

    AppC blocking as part of realtime/on-access scanning does use the on-access element so a file exclusion for the detected application would exclude it.

    Regards,

    Jak

