
Application Control - Windows Live Messenger

Hey, is Windows Live Messenger not able to be controlled under Windows 7 64 bit? I set up a test with a Windows XP 32 bit and a Windows 7 64 bit (these are the two main operating systems we have). I was able to block Windows Live Messenger in Windows XP, however I am unable to block it in Windows 7 64 bit. Has anyone tested this? Thank you, Cheers
:7697


This thread was automatically locked due to age.
  • Hi,

    I would suggest using:

    https://secure.sophos.com/support/samples/

    and choose "Application control request".

    Is this: "Windows Live Messenger 2011" as part of "Windows Live Essentials 2011"?

    That's not detected on my machine either if I scan:

    "C:\Program Files (x86)\Windows Live\Messenger"

    I also have Windows 7 64-bit.  I assume they are 2 different versions of Messenger on the 2 different platforms?

    Regards,

    Jak

    :7699
  • Hey jak,

    Thank you for the reply.

    Thank you also for confirming that I am not the only one with this issue.

    I did earlier in the day submit a request to the sophos team to have this added.

    I believe though that I might not have provided enough information.

    I will have to be a little bit more specific as to what isn't being blocked.

    Perhaps they will add this in their next release of applications

    I think though your assumption is correct that these are different versions.

    The thing that sort of threw me off though was that if you look at the executable, they are both named the same whether it be under Windows XP or Windows 7. I am not sure what the Application Control Service is using to identify what applications to block, but it must be more than just the executable's name.

    Sorry, and to answer your question this is as part of the Windows Live Essentials 2011 - With only Windows Live Messenger 2011 installed.

    Cheers

    :7701
  • Hi,

    Yes it's more than the application names and is identity based from what I can tell. I had a look at SAV32CLI and with the power of strings.exe from Sysinternals managed to find the switch: -controlled

    So for example:
    "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe" -controlled "C:\Program Files (x86)\Windows Media Player"

    will scan the directory "C:\Program Files (x86)\Windows Media Player" for controlled applications.

    In this case it reports:

    >>> Virus 'AppC/WMPlay-Gen' found in file C:\Program Files (x86)\Windows Media Player\wmplayer.exe

    Which tells me it's all using the same technology under the hood which is good as it should be thorough.

    For the short term (hopefully before it gets added on a monthly release cycle), if you have AD, you can always set up a GPO software restriction policy to disable for example someone running a process named "msnmsgr.exe".  If this is considered too open to file name clashes you could include the whole path, for example: "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe".  Maybe this would work for you, even if it was only linked to a few OUs.

    Jak

    :7703
  • Hey,

    I am going to play around with that command you showed.

    It sounds like you are using some interesting tools to dig into this and I am definitely interested in doing a little bit more digging myself (sysinternals has some pretty awesome tools).

    Currently we do not use AD as our means to manage users so unfortunately pushing out a GPO quickly will not be possible.

    This is part of the reason why I would like to start using the Application Control Policy.

    It isn't a huge deal right now as we have dealt with the few instances of messenger that we have found running, but it would be nice to get this application blocked to prevent future issues.

    I have a case number with Sophos for my Application Request, am I able to submit additional information towards this ticket reference number?

    Thank you,

    Cheers

    :7745
  • Hi,

    I just pushed the request through to the labs. BTW we can usually update existing identities within 24 / 48 hours.

    Best regards,

    John

    :7749
  • The identity has now been updated. Here are the details from the lab:

    "Update to detect Windows Live Messenger 2011" as part of "Windows Live Essentials 2011", filename msnmsgr.exe, product version 15.4.3508.1109 is going out in the next alert. However, please note, that installer is not included as it is an installer for a number of applications that come under "Windows Live Essentials 2011",

    Regards,

    John


    Product Manager

    :7833
  • Hey Johnstringer,

    Thank you for the update that is awesome!

    I understand that it is only designed to detect Live Messenger and not the installer - that is great!

    Thanks for the hard work.

    Just out of curiosity (this will sound stupid), is there any way that I can confirm that my Server has received this update?

    Thank you,

    Cheers

    :7835
  • Hey,

    Just wanted to update and say that my server has already received the update and I can confirm that it is now blocking MSN Messenger from running under Windows 7 x64.

    Thank you again for the hard work!

    Cheers

    :7837
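
The `-controlled` scan described earlier in the thread can be scripted to check, per machine, whether an updated identity now detects Messenger. This is an added example, not part of the original posts and not Sophos code; it assumes the install path, the `-controlled` switch and the `>>> Virus 'AppC/...' found in file` output line exactly as quoted in the thread, and the function names and the sample identity `AppC/EXAMPLE-Gen` are made up for illustration.

```powershell
# Paths and switch as quoted in the thread (64-bit Windows install locations).
$Sav32Cli  = 'C:\Program Files (x86)\Sophos\Sophos Anti-Virus\sav32cli.exe'
$Messenger = 'C:\Program Files (x86)\Windows Live\Messenger'

# Detection line format shown in the thread:
#   >>> Virus 'AppC/WMPlay-Gen' found in file C:\...\wmplayer.exe
$Pattern = "^>>> Virus '(?<Identity>AppC/[^']+)' found in file (?<Path>.+)$"

function ConvertFrom-ControlledScan {
    # Turn raw scanner output lines into one object per controlled-application hit.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $Pattern) {
            $path    = $Matches['Path'].Trim()
            $version = $null
            # Record the product version so it can be compared with the version
            # the lab says the identity covers (15.4.3508.1109 in the thread).
            if (Test-Path -LiteralPath $path) {
                $version = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
            }
            [pscustomobject]@{
                Identity       = $Matches['Identity']
                File           = $path
                ProductVersion = $version
            }
        }
    }
}

function Test-ControlledDirectory {
    # Run the scanner over one directory and return the parsed detections.
    param([string]$Directory)
    $output = & $Sav32Cli -controlled $Directory 2>&1 | ForEach-Object { "$_" }
    ConvertFrom-ControlledScan -Lines $output
}

if (Test-Path -LiteralPath $Sav32Cli) {
    # Empty result = no identity matched; an AppC/ hit on msnmsgr.exe = update arrived.
    Test-ControlledDirectory -Directory $Messenger | Format-Table -AutoSize
} else {
    # Constructed sample: first line is from the thread, the others are invented.
    $sample = @(
        ">>> Virus 'AppC/WMPlay-Gen' found in file C:\Program Files (x86)\Windows Media Player\wmplayer.exe",
        ">>> Virus 'AppC/EXAMPLE-Gen' found in file C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe",
        "constructed line that is not a detection"
    )
    ConvertFrom-ControlledScan -Lines $sample | Format-Table -AutoSize
}
```

Run it before and after an identity update: no rows for the Messenger folder means the endpoint's data does not yet cover that build.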