Application Control enables network administrators to block certain legitimate applications from running on work computers.
Typically, you would use Application Control to prevent users from running applications that are not a security threat but that you decide are unsuitable for use in your workplace environment, for example games or instant messaging programs.
In accordance with your company policy on Application Control, you can authorize required applications and block those which are not required from the central console.
This article answers some of the more common questions about Application Control.
Applies to the following Sophos products and versions: Enterprise Console; Sophos Anti-Virus for Windows 2000+; Sophos Central Enterprise Dashboard
All blocking and authorizing of programs is done in the Enterprise Console.
No. Sophos will not create a default list of blocked applications since there are many legitimate uses for applications that some companies may need. Furthermore, we cannot advise you about which applications to block: the control of applications should form part of your IT policy.
If you would like to add an application that is not listed in the policy section, you will need to raise an Application Control request > select Application Control. You will be asked for basic information about the application as well as the executable file required to run the application.
Note: The file required to block an application is the one used to run the application, not the file that installs it. If you have a shortcut that starts the application, the file it executes when you click the shortcut is normally the correct file.
Sophos Application Control detections are created with future versions of the application in mind. The majority of applications will still be blocked after an upgrade. On some occasions, after a major upgrade, they may not be blocked. In these circumstances we advise raising an Application Control Request > select Application Control, to provide a sample of the upgraded application.
Detection can be either via on-access scanning or on-demand (scheduled) scanning. The console policy also allows you to configure the on-access scanner to detect but allow the application while you build up an idea of what effect blocking applications will have on your users.
See Enterprise Console: How to authorize a blocked application for details.
All currently supported versions of Sophos Anti-Virus for Windows allow applications that appear on the SophosLabs list to be controlled.
When Sophos Anti-Virus with Application Control detects a listed application, it allows you either to authorize or to block that application. You cannot use Sophos Anti-Virus to remove the application.
To remove an application, you must temporarily disable on-access scanning for applications, then uninstall it in the standard way, using the uninstaller provided or Add/Remove Programs in the Windows Control Panel.
The list should synchronize automatically when new Anti-Virus packages are downloaded. If the list does not appear to be in sync, see Application Control list out of date to refresh the list.
The Policy Setup Guide is an excellent resource for planning and rolling out your policies. Aside from that we can offer a few tips:
The only place where you can customize or change which applications are blocked and which are unblocked is the central console, under the Application control policy section. Locally on an endpoint computer you can only switch the feature off or on, and you must be a Sophos Administrator to do this. You cannot customize the policy or allow an application locally, because the policy is set by your IT administrator.
If you need to check which applications are blocked for a particular endpoint computer, go to the Enterprise Console and review the policy. If this cannot be done, you can open the machine.xml file (location: C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config\) in a text editor on the endpoint and search for either the name of an application that you believe is being blocked by Application Control, or the phrase blockedAppCList, which marks the beginning of the list of blocked applications as received from the central console.
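The manual lookup described above can also be scripted. The following PowerShell is an added example, not Sophos code: the function name and parameters are hypothetical, the application name in the last line is constructed, and the file is searched as plain text because this article does not describe the layout of machine.xml.

```powershell
# Read-only lookup in the endpoint's machine.xml (added example, not Sophos code).
# The default folder and the blockedAppCList marker come from the article.
# Assumption: a line-oriented text search is sufficient; no XML schema is assumed.
function Find-BlockedAppEntry {
    [CmdletBinding()]
    param(
        [string]$ConfigDir = 'C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\config',
        [string]$ApplicationName   # optional: name you believe is being blocked
    )

    $file = Join-Path -Path $ConfigDir -ChildPath 'machine.xml'
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
        Write-Warning "machine.xml not found in $ConfigDir"
        return
    }

    # First occurrence of the marker = start of the blocked list
    # as received from the central console.
    $marker = Select-String -LiteralPath $file -Pattern 'blockedAppCList' -SimpleMatch |
        Select-Object -First 1
    if (-not $marker) {
        Write-Warning "No blockedAppCList entry found in $file"
        return
    }
    [pscustomobject]@{
        Match      = 'blockedAppCList'
        LineNumber = $marker.LineNumber
        Text       = $marker.Line.Trim()
    }

    if ($ApplicationName) {
        # -SimpleMatch treats the name literally (no regex) and ignores case.
        # Only hits at or after the marker line are reported; a hit may still
        # belong to a later part of the file, so confirm it against the policy.
        Select-String -LiteralPath $file -Pattern $ApplicationName -SimpleMatch |
            Where-Object { $_.LineNumber -ge $marker.LineNumber } |
            ForEach-Object {
                [pscustomobject]@{
                    Match      = $ApplicationName
                    LineNumber = $_.LineNumber
                    Text       = $_.Line.Trim()
                }
            }
    }
}

Find-BlockedAppEntry -ApplicationName 'Example Messenger'   # constructed name
```

The function only reads the file. Changing what is blocked still has to be done in the Application control policy on the central console.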