
Sophos Endpoint keeps on detecting/blocking Windows Media Player even if the app is not running.

What is the solution for this? I personally don't use Windows Media Player anymore, but it is still detected in the event logs. Also, some of our endpoint users were bothered by these reports since they are also not using Windows Media Player.

I hope you can help us.

Thank you

Sam

  • Hello Sam,

    This is Central Endpoint, isn't it? Apparently Application Control is enabled and someone has decided to block - amongst others - Media Player. There is perhaps a misconception about what Application Control does and what an associated event signifies.
    Application Control is a by-product of (file-)scanning; it does not care about or deal with running processes or applications. When an open is requested for a file that characterises a controlled application, the real-time scanner denies access - this effectively "blocks" the application. The scanner does not care why the file is opened - a file copy or using Explorer to open the containing folder would similarly be blocked.
    Thus you don't have to use an application to trigger an event, you don't even have to access it deliberately. Many entries in the screenshot are roughly 26 hours apart - wonder if they correlate with the login (if so, Autoruns could be of help)? Details (which items caused the detection) should be in the Anti-Virus log (%ProgramData%\Sophos\Sophos Anti-Virus\logs\).

    what is the solution for this?
    in the light of the above - what is the problem? BTW, why are your users bothered, is it a shame to use WMP :)?

    Christian

  • Hello Christian,

    Yes, it's Central Endpoint. This endpoint is up and running 24/7, so I think it doesn't correlate with the login :(.

    These are the logs found in C:\ProgramData\Sophos\Sophos Anti-Virus\logs

    in the light of the above - what is the problem? BTW, why are your users bothered, is it a shame to use WMP :)?

    Because they are not allowed to use WMP :)

    Sam

  • Hello  

    If users are not explicitly launching WMP, you might want to see how the issue is reproduced. When do the users see the blocked message? Is it when doing something specific on their machine? Could it be that there's another application that's launching WMP?

  • Hi DianneY.

    Unfortunately, sometimes it does pop up without someone using the machine. Maybe we will simulate it by waiting for it to pop up again while running Process Explorer. I will try to disable AutoPlay in Control Panel.

    I hope I will catch the culprit.

    Thanks.

    Sam