Sophos Enterprise Console 5.5.2- Application Control Issues

Hello All,

Currently running 5.5.2, as our main endpoint AV, which I inherited when I took over a network. We currently have 11 different Application Control groups. We currently pushed out Microsoft Teams, and authorized for each applicable group via Application Control (View/Edit Policy). However, we have one group which Sophos is still blocking Teams for Application Control. I've tested by turning off Application Control locally on a couple of the clients, and Teams installed/ran without issues. We also uninstalled all the Sophos client "pieces" (in proper order), reinstalled, updated... no dice. What am I missing? This has always been a simple, straightforward process. Any input would be greatly appreciated.



  • Hello Chad Storm,

    off the top of my head: You should get a message (locally in the SAV.txt AntiVirus log) and the console that indicates the applicable group. Or is Teams apparently blocked without an accompanying message?

    Christian

  • Hey QC, this is what I'm getting in the SAV.txt (repeated):

    20210129 183143 File "C\Users\user1\AppData\Local\Microsoft\Teams\current\Teams.exe" of controlled application 'Microsoft Teams' (of type Instant messaging) as been detected

  • You say "Application Control groups". Do you mean App Control policies? There are groups, which contain computers, and you assign policies to groups. One type of policy is Application Control. I assume that the app control policy which allows Teams is linked to the group containing the computer. Does the computer in SEC show as same as policy? Is the last message time of this computer recent? All communication is working?

    Ultimately the policy from the management server goes initially to the client and sits here:
    C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\APPCAdapterConfig

    I am actually running Sophos Central but I believe this directory is common.

    So for a computer that is "working" in terms of AppC and should have the same policy, you could compare this file on a couple of computers.

    The next step is the Sophos Agent service, via the savadapter.dll, applying this policy to the SAV component.
    C:\ProgramData\Sophos\Remote Management System\3\Agent\logs\
    The agent log in here details the processing of the policy.

    Note: Verbose level of the Agent - Article Detail (sophos.com) will really break down the policy settings if needed.

    This setting of policy, ends up in machine.xml - C:\ProgramData\Sophos\Sophos Anti-Virus\Config\ as with the cached policy file, you could compare this file with a "working" computer.  Is the application control list the same?

    These steps will help you work out whether the policy is good and has been applied to the SAV component.
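    The two checks suggested in this thread, reading the Application Control detection lines out of SAV.txt and comparing the cached policy files (APPCAdapterConfig and machine.xml) between a working computer and the affected one, can be scripted. The following is an added example, not code from the thread or from Sophos. The detection-line pattern is taken from the SAV.txt line quoted above; the file paths are the ones named in the reply. The sample log lines and the two "policy file" texts are constructed for the example (the real files are not plain lists like this), so the comparison is a plain hash-and-diff that works on whatever text the files actually contain.

```python
import difflib
import hashlib
import re
from collections import Counter
from pathlib import Path

# Cached policy files named in the thread (on the SEC-managed client). Copy the
# same file from a "working" computer and the affected one, then compare.
POLICY_FILES = [
    r"C:\ProgramData\Sophos\Remote Management System\3\Agent\AdapterStorage\SAV\APPCAdapterConfig",
    r"C:\ProgramData\Sophos\Sophos Anti-Virus\Config\machine.xml",
]

# Application Control detection line as it appears in SAV.txt; the shape is
# taken from the line quoted in the thread. The log writes "as been detected",
# so the leading "h" is optional.
APPC_LINE = re.compile(
    r'^(?P<date>\d{8}) (?P<time>\d{6}) '
    r'File "(?P<path>[^"]+)" of controlled application '
    r"'(?P<app>[^']+)' \(of type (?P<category>[^)]+)\) "
    r'(?:h)?as been detected'
)

# Constructed sample of SAV.txt content (the first line mirrors the one quoted
# in the thread; the others are made up to show a second category and a
# non-AppC line that must be ignored).
SAMPLE_SAV_LOG = r'''
20210129 183143 File "C\Users\user1\AppData\Local\Microsoft\Teams\current\Teams.exe" of controlled application 'Microsoft Teams' (of type Instant messaging) as been detected
20210129 183201 File "C\Users\user1\AppData\Local\Microsoft\Teams\current\Teams.exe" of controlled application 'Microsoft Teams' (of type Instant messaging) as been detected
20210129 183400 File "C:\Program Files\ExampleTool\example.exe" of controlled application 'Example Tool' (of type Remote management) has been detected
20210129 183500 Scan of "C:\Users\user1\Documents\notes.txt" completed
'''.strip().splitlines()

# Constructed stand-ins for the cached policy file copied from two computers.
# Real APPCAdapterConfig / machine.xml content is different; only the
# hash-and-diff logic below matters.
WORKING_POLICY_SAMPLE = "AllowedApplications\nMicrosoft Teams\nZoom\n"
AFFECTED_POLICY_SAMPLE = "AllowedApplications\nZoom\n"


def parse_appc_detections(lines):
    """Return one dict (date, time, path, app, category) per AppC detection line."""
    hits = []
    for line in lines:
        m = APPC_LINE.match(line.strip())
        if m:
            hits.append(m.groupdict())
    return hits


def summarize_detections(hits):
    """Collapse repeated detections into counts per (application, category)."""
    return Counter((h["app"], h["category"]) for h in hits)


def compare_policy_files(working_text, affected_text):
    """Hash and diff the same cached policy file from two computers.

    Equal hashes (empty diff) mean the affected computer already holds the same
    policy as the working one, so the problem lies after policy delivery (the
    agent applying it to SAV); a diff shows the console sent a different policy.
    """
    digest = lambda text: hashlib.sha256(text.encode("utf-8")).hexdigest()
    diff = list(difflib.unified_diff(
        working_text.splitlines(), affected_text.splitlines(),
        fromfile="working", tofile="affected", lineterm=""))
    return {
        "working_sha256": digest(working_text),
        "affected_sha256": digest(affected_text),
        "identical": working_text == affected_text,
        "diff": diff,
    }


def read_if_present(path):
    """Read a policy file if this runs on the client; otherwise return None."""
    p = Path(path)
    return p.read_text(encoding="utf-8", errors="replace") if p.is_file() else None


if __name__ == "__main__":
    for (app, category), n in summarize_detections(
            parse_appc_detections(SAMPLE_SAV_LOG)).items():
        print(f"{n:3d}x  {app!r} blocked as {category}")
    result = compare_policy_files(WORKING_POLICY_SAMPLE, AFFECTED_POLICY_SAMPLE)
    print("identical:", result["identical"])
    print("\n".join(result["diff"]))
    for path in POLICY_FILES:  # only yields content when run on a Sophos client
        text = read_if_present(path)
        print(path, "->", "present" if text else "not found here")
```

    Run the detection parser against the real SAV.txt on the affected computer first: the summary tells you which application and category the block is attributed to and whether anything other than Teams is involved. Then feed copies of APPCAdapterConfig (and machine.xml) from a working and an affected computer into compare_policy_files; an identical hash points the investigation at the agent log, a diff points it back at which policy the console assigned to that group.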