Application Control enables network administrators to block certain legitimate applications from running on work computers.
Typically, you would use Application Control to prevent users from running applications that are not a security threat, but that you decide are unsuitable for use in your workplace environment, e.g., games or instant messaging programs.
In accordance with your company policy on Application Control, you can authorize required applications, and block those which are not required - all from the central console.
This article answers some of the more common questions about Application Control.
Applies to the following Sophos product(s) and version(s): Enterprise Console; Sophos Anti-Virus for Windows 2000+
All blocking and authorizing of programs is done in the Enterprise Console.
No. Sophos will not create a default list of blocked applications since there are many legitimate uses for applications that some companies may need. Furthermore, we cannot advise you about which applications to block: the control of applications should form part of your IT policy.
If you would like to add an application that is not listed in the policy section, you will need to raise an Application Control request: select "Submit a Sample" -> "Application Control". You will be asked for basic information about the application as well as the executable file required to run the application.
Important: The file required to block an application is the one used to run the application, not the file that installs it. If you have a shortcut that starts the application, the file it executes when you click on the shortcut is normally the correct file.
Sophos Application Control detections are created with future versions of the application in mind. The majority of applications will still be blocked after an upgrade. On some occasions, after a major upgrade, they may not be blocked. In these circumstances we advise raising an Application Control request (select "Submit a Sample" -> "Application Control") to provide a sample of the upgraded application.
Detection can be either via on-access scanning or on-demand (scheduled) scanning. The console policy also allows you to configure the on-access scanner to detect but allow the application while you build up an idea of what effect blocking applications will have on your users.
See article 26095 for details.
All currently supported versions of Sophos Anti-Virus for Windows allow applications that appear on the SophosLabs list to be controlled.
When Sophos Anti-Virus with Application Control detects a listed application, it allows you either to authorize or to block that application. You cannot use Sophos Anti-Virus to remove the application.
To remove an application, you must temporarily disable on-access scanning for applications, then uninstall it in the standard way, using the uninstaller provided or Add/Remove Programs in the Windows Control Panel.
The list should synchronize automatically when new anti-virus packages download. If the list does not appear to be in sync, see article 114395 to refresh the list.
The Policy Setup Guide is an excellent resource for planning and rolling out your policies. Aside from that we can offer a few tips:
The only place where you can customize/change which applications are blocked and which are unblocked is the central console, under the 'Application control' policy section. Locally on an endpoint computer you can only switch the feature off or on, and you must be a 'Sophos Administrator' to do this. You cannot customize the policy or allow an application locally, as the policy is set by your IT administrator.
If you need to check which applications are blocked for a particular endpoint computer, go to the Enterprise Console and review the policy. If this cannot be done, you can open the machine.xml file in a text editor on the endpoint and search either for the name of an application which you believe is being blocked by Application Control, or for the phrase 'blockedAppCList', which marks the beginning of the list of blocked applications as received from the central console.