
Application control policy problem

Hello All,


Looking for some help with application control policy.


Got a log attached. To my understanding:

There was an update at 20200814 100505 where detection count is stated, after this loads of apps got blocked. Even those that we have been whitelisting for years.

Cisco Jabber was added to the list 4th of August according to the RSS feed and the policy was to block everything that was not explicitly whitelisted. We had to change that, as users kept complaining.


Nevertheless, after another update 20200814 100642 all apps are ok.

Cisco VPN is being blocked which prevents the users from getting on to VPN, that's an issue. And without VPN we cannot force policies or reinstall Sophos remotely...


Any idea what could have gone wrong?


Many thanks

D.


20200814 100505 Using detection data version 5.77 (detection engine 3.77.1). This version can detect 53270331 items.
20200814 100505 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20200814 100526 File "C:\program files\internet explorer\iexplore.exe" of controlled application 'Internet Explorer 11' (of type Internet browser) has been detected.
20200814 100526 On-access scanner has denied access to location "C:\program files\internet explorer\iexplore.exe" for user NT AUTHORITY\SYSTEM
20200814 100530 File "C:\Program Files (x86)\Internet Explorer\iexplore.exe" of controlled application 'Internet Explorer 11' (of type Internet browser) has been detected.
20200814 100530 On-access scanner has denied access to location "C:\Program Files (x86)\Internet Explorer\iexplore.exe" for user DOMAIN\user
20200814 100531 File "C:\Program Files (x86)\Cisco Systems\Cisco Jabber\CiscoJabber.exe" of controlled application 'Cisco Jabber Application' (of type Instant messaging) has been detected.
20200814 100531 On-access scanner has denied access to location "C:\Program Files (x86)\Cisco Systems\Cisco Jabber\CiscoJabber.exe" for user DOMAIN\user
20200814 100531 File "C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe" of controlled application 'Citrix Receiver' (of type Business Intelligence Tool) has been detected.
20200814 100531 On-access scanner has denied access to location "C:\Program Files (x86)\Citrix\ICA Client\Receiver\Receiver.exe" for user DOMAIN\user
20200814 100532 File "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" of controlled application 'Cisco AnyConnect Secure Mobility Client' (of type Proxy / VPN tool) has been detected.
20200814 100532 On-access scanner has denied access to location "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" for user DOMAIN\user
20200814 100601 File "C:\program files\internet explorer\iexplore.exe" of controlled application 'Internet Explorer 11' (of type Internet browser) has been detected.
20200814 100601 On-access scanner has denied access to location "C:\program files\internet explorer\iexplore.exe" for user DOMAIN\user
20200814 100642 Using detection data version 5.77 (detection engine 3.77.1). This version can detect 53270341 items.
20200814 102905 Controlled application "Outlook" has been authorized.
20200814 102905 Controlled application "Internet Explorer 11" has been authorized.
20200814 102905 Controlled application "Cisco Jabber Application" has been authorized.
20200814 102905 Controlled application "Citrix Receiver" has been authorized.
20200814 102905 Controlled application "Cisco AnyConnect Secure Mobility Client" has been authorized.
20200814 102905 Controlled application "Google Chrome" has been authorized.
20200814 102905 Controlled application "Microsoft Powershell" has been authorized.
20200814 102905 Controlled application "Microsoft WSH CScript" has been authorized.



  • Do the clients get their updates also via the VPN connection or can they hit a public web server?  It is possible to define policy in the CID with XML if that is helpful?

    Regards,

    Jak

  • Hi Jak,


    Thanks a lot. No, unfortunately no public webserver. VPN only. It works fine, unless it starts to block the VPN software ;-) (for no apparent reason).


    Will check the xml option though!

  • I guess if you can get a policy through, you could always make an exclusion for the file that is the process being blocked. As a temporary measure at least that will prevent it being detected by Application Control.

  • Hello DanZi,

    from the log it seems that there was a ... well, issue with the policy and that the policy in effect at 20200814 100505 blocked all applications. I don't think it's related to the IDE updates though:
    20200814 100642 Using detection data version 5.77 (detection engine 3.77.1). This version can detect 53270341 items.
    20200814 102905 Controlled application "Outlook" has been authorized.
    More than 20 minutes pass before the applications are unblocked and this looks like a policy has been received at this time.

    VPN only is more than unfortunate. Either the endpoints update from a CID you can configure, they "come inside" by whatever means (so that they can receive policies), or the users have the right to disable Application Control. Or your mrinit.conf contains a public name or IP address for the SEC server.

    Christian
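As an added illustration of the timeline reasoning in Christian's reply (this is example code written for this page, not code from the thread or from Sophos), the following Python parser reads the on-access log format quoted in the original post, re-joins records that were wrapped across two lines, and works out, per controlled application, when it was first blocked, which detection-data set was current at that moment, and how long it stayed blocked before a "has been authorized" event. The sample log is a constructed subset of the lines posted above (with the AnyConnect line wrapped as it appeared in the post); the regular expressions are derived from those lines and are an assumption about the format, not an official specification.

```python
import re
from datetime import datetime

# Constructed sample: a subset of the log lines quoted in the thread. The
# AnyConnect "detected" record is deliberately split across two lines, as it
# was in the post, so the unwrap step has something to repair.
SAMPLE_LOG = r"""
20200814 100505 Using detection data version 5.77 (detection engine 3.77.1). This version can detect 53270331 items.
20200814 100505 User (NT AUTHORITY\LOCAL SERVICE) has started on-access scanning for this machine.
20200814 100531 File "C:\Program Files (x86)\Cisco Systems\Cisco Jabber\CiscoJabber.exe" of controlled application 'Cisco Jabber Application' (of type Instant messaging) has been detected.
20200814 100531 On-access scanner has denied access to location "C:\Program Files (x86)\Cisco Systems\Cisco Jabber\CiscoJabber.exe" for user DOMAIN\user
20200814 100532 File "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" of controlled application 'Cisco AnyConnect Secure Mobility Client' (of type Proxy / VPN tool) has been
detected.
20200814 100532 On-access scanner has denied access to location "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnui.exe" for user DOMAIN\user
20200814 100642 Using detection data version 5.77 (detection engine 3.77.1). This version can detect 53270341 items.
20200814 102905 Controlled application "Cisco Jabber Application" has been authorized.
20200814 102905 Controlled application "Cisco AnyConnect Secure Mobility Client" has been authorized.
"""

# Patterns inferred from the posted lines (assumption: the format is stable).
TS_RE = re.compile(r"^(\d{8} \d{6}) (.*)$")
UPDATE_RE = re.compile(r"^Using detection data version (\S+) \(detection engine (\S+)\)\. "
                       r"This version can detect (\d+) items\.$")
DETECT_RE = re.compile(r"^File \"([^\"]+)\" of controlled application '([^']+)' "
                       r"\(of type ([^)]+)\) has been detected\.$")
DENY_RE = re.compile(r"^On-access scanner has denied access to location \"([^\"]+)\" for user (.+)$")
AUTH_RE = re.compile(r"^Controlled application \"([^\"]+)\" has been authorized\.$")


def unwrap(text):
    """Re-join wrapped records: a line that does not start with a timestamp
    is treated as the continuation of the previous record."""
    records = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def parse(text):
    """Turn the log text into a list of typed events, sorted by timestamp."""
    events = []
    for rec in unwrap(text):
        m = TS_RE.match(rec)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y%m%d %H%M%S")
        msg = m.group(2)
        u = UPDATE_RE.match(msg)
        d = DETECT_RE.match(msg)
        n = DENY_RE.match(msg)
        a = AUTH_RE.match(msg)
        if u:
            events.append({"ts": ts, "kind": "update", "data": u.group(1),
                           "engine": u.group(2), "items": int(u.group(3))})
        elif d:
            events.append({"ts": ts, "kind": "detected", "path": d.group(1),
                           "app": d.group(2), "type": d.group(3)})
        elif n:
            events.append({"ts": ts, "kind": "denied", "path": n.group(1), "user": n.group(2)})
        elif a:
            events.append({"ts": ts, "kind": "authorized", "app": a.group(1)})
        else:
            events.append({"ts": ts, "kind": "other", "msg": msg})
    return sorted(events, key=lambda e: e["ts"])


def summarize(events):
    """Per controlled application: first block time, the item count of the
    detection data that was current at that moment, and authorization time."""
    apps = {}
    current_update = None

    def entry(app):
        return apps.setdefault(app, {"paths": set(), "first_blocked": None,
                                     "authorized": None, "update_items": None})

    for ev in events:
        if ev["kind"] == "update":
            current_update = ev
        elif ev["kind"] == "detected":
            e = entry(ev["app"])
            e["paths"].add(ev["path"])
            if e["first_blocked"] is None:
                e["first_blocked"] = ev["ts"]
                e["update_items"] = current_update["items"] if current_update else None
        elif ev["kind"] == "authorized":
            e = entry(ev["app"])
            if e["authorized"] is None:
                e["authorized"] = ev["ts"]
    return apps


def blocked_seconds(apps, app):
    """Seconds between first block and authorization, or None if never authorized."""
    e = apps[app]
    if e["first_blocked"] is None or e["authorized"] is None:
        return None
    return int((e["authorized"] - e["first_blocked"]).total_seconds())


def seconds_since_last_update(events, ts):
    """Gap between a timestamp and the most recent detection-data update before it.
    Used to check whether an unblock coincides with an update or with a later policy."""
    updates = [ev["ts"] for ev in events if ev["kind"] == "update" and ev["ts"] <= ts]
    return int((ts - max(updates)).total_seconds()) if updates else None


def never_authorized(apps):
    """Applications that were blocked and never saw an authorization event."""
    return sorted(a for a, e in apps.items() if e["first_blocked"] and not e["authorized"])


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    summary = summarize(evs)
    for app, e in summary.items():
        print(app, "blocked at", e["first_blocked"], "authorized at", e["authorized"],
              "after", blocked_seconds(summary, app), "s")
    print("still blocked:", never_authorized(summary))
```

Run against the sample, the summary shows both applications blocked within about half a minute of the 100505 detection-data load and authorized 1343 seconds after the 100642 load, which is the "more than 20 minutes" gap Christian points at: the unblock lines up with a policy arriving, not with either update. Feeding the parser a log in which an application is detected but never authorized (the Cisco VPN case the original poster is stuck with) puts that application in the `never_authorized` list.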

  • Hm, that'd be the trick then... with no access to the client :)


    Can an xml policy be imported manually on the client somehow though? I found how it can be exported, but if there's no CID that the client could update from, is there still a way to force the XML onto a client?

  • Hello DanZi,

    any manipulation of the settings requires at least administrative rights on the endpoint - and then simply disabling AppCtrl via the GUI would do the trick. Hm ....

    Christian