
Application control Arghhhhhhhh!!!!!!!!!

Why is it that Sophos release application control detection BEFORE they release the SEC console lists so that we, the administrators of sites, cannot release blocked programs without releasing 'all added by sophos ....'. For example, GoogleEarth just got changed and the release in SEC doesn't apply to the version now being checked. PowerDVD doesn't exist in Media Players section but is now blocked. Infuriating and causing me to spend unnecessary time on support calls from people all round our global operations.

There clearly should be a QA procedure in place to prevent this kind of activity. Come on Sophos!

Matt

:12675


This thread was automatically locked due to age.
  • Hello Matt,

    While Sophos has to sort this out, I'm curious where the problem could be. I ask because I do (and did) see the applications mentioned as missing (using SEC 4.7). But there's another (minor) issue as some of the lists differ between the servers - looks like there are some "leftovers" on the server which came all the way from SEC3.1 compared to those which started with SEC4.5.

    Christian

    :12679
  • Hi Christian,

    The issue here is that there's clearly one team writing the application prevention system and another writing the SEC console updates. If the two teams are not collaborating on updates then these release issues will occur and it's down to QA @ Sophos to sort them out properly such that these occur in the right sequence. We're not talking about malware, we're talking about applications that potentially could be vital to a company e.g. Powerdvd is used to show a company media presentation we have.

    I can see the same issue with outdated entries in my SEC too which came over from a 3.1. To be honest, I don't really see a problem with this as long as the entries still work. In the case of GoogleEarth, clearly it doesn't and my released available application is not the same as the application detection. So it looks like my policy says allow access but SAV prevents it.

    Matt

    :12683
  • "another writing the SEC console updates"

    Matt, does this imply that you are on SEC4.5 (or earlier) and that it's broken for the non-4.7 consoles?

    Christian

    :12687
  • Yes, I'm actually on 4.0 Christian.

    Matt

    :12695
  • Hello Matt,

    There is only one team which collaborates all of the Application Control data, whether it is targeted for the endpoint or for the SEC console. The update paths, however, are different. The endpoints update from an update manager which in turn gathers its update from one warehouse. SEC itself uses another warehouse. The updates are sent out concurrently.

    This can mean that the endpoints update before the SEC console but the absolute maximum latency you would expect to see is one hour. This depends upon individual update schedules. The data has been verified as in sync and has been for a number of days. I understand that you have a support case open which is being investigated. I suspect that there is an issue which is specific to your Enterprise Console and we will work with you to resolve this.

    Thanks,

    DK

    :12845
  • Thanks DK,

    Clearly there's a problem. It would be good to understand how to tell if the SEC console is up to date like the endpoints but there isn't anywhere to look to see this clearly. I can see in the warehouse that the VVF XML, which is used by the endpoints, was sent out on the 4th around 4pm. Is the same warehouse file used by SEC, or is that a different file, because 'Power DVD' for example only occurs in the VVF warehouse file?

    Matt

    :12847
  • Hi Matt,

    The latest vvf.xml file should be in the following location.

    c:\documents and settings\all users\application data\sophos\sophos endpoint management\4.5\updates\secure\sdfs\sophosma\sec\msdc\ 

    This is the data file that SEC uses.

    However there could be a number of reasons for the update failure so I would recommend that you follow this up with Support for resolution.

    Thanks,

    DK

    :12875
  • Thanks DK.

    Someone's kicking support along with this: 2 minutes after your post, an email from support detailing the same path you're describing appeared. It's moved up a level...

    I have a vvf.xml in the 4.0 (this is SEC 4.0) folder dated 8th April which I'm guessing is the last update issued to 4.0 as all the rest of the files in the same folder reflect the same date. The VVF has e.g. power dvd in it but this does not show in the console so whatever causes this XML to be read into SEC isn't happening or there's something wrong with the XML itself. Support have a copy of the folder contents to review now.

    Matt

    :12877
  • Not entirely a coincidence. I asked my colleague who is working on your case to verify the path where the vvf.xml will be found. I understand that when we publish these new updates we need to ensure that administrators have control over new identities so I'm interested in finding out why this hasn't happened correctly for you for future reference.

    :12881