
Application Control List

Good morning,

I'm reviewing the application control policy in preparation for the Sophos upgrade to the latest version. Instead of having to manually write everything down from the Application Types window, I was wondering if maybe you would already have everything in a list? I've tried searching the website but didn't find anything, then I found out there were also forums :)

Would any list with the Application Controlled applications exist?

Thank you

Andre

:5624


This thread was automatically locked due to age.
  • Hello Andre,

    there is - at the moment - no concise list of controlled applications available. To get a simple list use Select All -> Copy when viewing the Controlled Applications page in a (decent - Firefox gives good results, older IE versions acceptable and IE8, well, see for yourself) browser and Paste to a text editor.

    @Johnstringer: Could such a list be provided?

    Christian

    :5633
  • Just to show I'm not hiding! I do want to get an option on the site which allows the full list to be accessed easily. It is not as simple as you may think - as is often the way with these things - because the list is dynamically generated, but it is something we're looking into sorting out. We now have over 800 application control identities so it makes a lot of sense!

    BTW Dan Kirtley - another member of the UK PM team - will be taking on day to day management of application control and device control but I'll still be involved.

    Regards,

    John

    :5643
  • I have tried this too. I get the same result in Firefox 3.6 or IE7 and pasting it into Excel 2010 though. I have all the text of the page in the first column (no dates anywhere). It's not perfect, but it beats copying by hand every application from the Sophos Enterprise Console :)

    I then just need to move a few cells and make it prettier and mark our current policy (blocked or authorised). Having it all in csv format or other type would be ideal, but this already helps quite a bit.

    Thanks for all your help!!

    :5645
  • I count 782 apps John :) However this number might not be completely accurate as it includes games like "Battlefield 1942 Demo" which might have been incorporated into other entities/entries like one of the developer studios and not been removed (same with the apps that got moved from one category to another aka double entries)...

    Anyways, I created a spreadsheet over 2 years ago and have updated it every month when the AppControl updates were released. Every app (except the ones released in the last 2 months) is hyperlinked with its corresponding entry in the Sophos knowledge base. We have 42 schools to take care of so I have 3 different columns for Elementary, Middle and High Schools. You should rename this to whatever "departments" you have. There is a Server and Technician column as well. Feel free to add as many more as you'll need for your environment.

    You can fill each field either with "Blocked" (field will turn red) or Authorized (green). I pre-filled a few no-brainer categories like Games, Proxies and Filesharing to be blocked already. The rest is up to you.

    Don't block everything mindlessly as sometimes apps are part of the OS (Telnet, Ftp, MS Games etc.). If there is ever an update to these components (say through Windows Update) or people reconfigure their Windows apps (Add/Remove Control Panel -> Windows Components) it might fail depending on your setup as a whole due to Sophos blocking it.

    As I can't attach anything to this post I have prepared 2 downloads at google docs for you guys. New EXCEL 2007 format and the older XLS for compatibility reasons (yes I know there is a converter).

    XLSX:

    https://docs.google.com/leaf?id=0B2YUB3K1DGhrNmIwN2VhODgtMDhlOS00Y2E0LWE5YTQtZWRmN2JkZjEyMzNk&hl=en&authkey=CL-d440L

    XLS:

    https://docs.google.com/leaf?id=0B2YUB3K1DGhrYjk5NTNlZDQtNmM1OC00YWVmLTg2OWUtNDBhNDRkNThlMzRk&hl=en&authkey=CMLTggM

    Have fun with it.

    :5675
  • Awesome! Do you mind if we add these links to the Application Control sticky at the top of the forum? Once the formal Sophos lists are live I'll remove the lists.

    BTW we are looking to introduce more granular control over each category in an Application Control policy. The proposal is to enable each category to be set to either "block" or "monitor"; obviously the action will only apply to selected applications. Is this a change that others would support? Would be great to get feedback on other changes SophosTalk readers would like to see.

    Cheers,

    John

    :5700
  • That Excel list is really great. I've been trying to compile a similar one manually the last few days to review our current Application Control policies, but it's been a real pain having to type in everything manually.

    @ Johnstringer

    Most of our application control categories have the setting of all future updates to be authorized. The risk is too great that suddenly a new application we have been using for a long time finds its way on that list and then gets blocked on all the machines. A couple of years ago we had this with IE and it took over a month to clean up all the machines.

    :5702
  • Hello John,

    I never accused you of hiding, btw :smileywink:.

    The proposal is to enable each category to be set to either "block" or "monitor"

    What's the rationale to do it on the category level and not per-application? For one thing you might want to use a "soft" policy for certain categories like Toolbars where you definitely want to block some, monitor most of the (rarely used) rest and authorize the remaining acceptable ones (for which you don't want to see an alert). Then there's the All added by Sophos catch-all entry which you might want to monitor while generally using block in the category.

    Other changes ... well, the option to use a hyperlink in the custom message has already been mentioned - ideally if it were possible to include the application name in the URL (like http://www.some.com/internal/application%20policies#$AppName$ which will result in http://www.some.com/internal/application%20policies#Another%20Toolbar - I'm using a reference as it is more tolerant). Carrying on this thought - how about an optional "monitoring message" to the user? Right now a message is displayed only when an application is actually blocked (which most of the time makes sense). Of course it should be different from the blocked message.

    An open question is to what extent Application Control also verifies an application. Incidentally I've been asked a few days ago whether Application Control would also identify a "non-genuine" version (actually the question was whether Application Control positively identifies an application like SCF can do).

    Christian

    :5703
  • Hello Andre,

    it took over a month to clean up all the machines

    what did you have to clean up? Was it that a Windows update (or IE upgrade) partially failed and couldn't be re-applied automatically?

    Christian

    :5704
  • If I remember correctly, at the time IE was added to the application control list and the option "All added by Sophos in the future" was in the Blocked section. Suddenly iexplore.exe was blocked on all the machines. After the setting was corrected, we had the issue that some clients weren't immediately getting the updated policy (for whatever reason), the machine was shut down again, etc...

    We had to push the new policy out a few times over the next few weeks. Adding to this, we often have the case that IE is the first thing users open when logging in, and they manage to do this faster than Sophos manages to update itself. So they called in to complain. A policy update push on that machine and the issue was resolved.

    In any case, we learned the lesson and now have the "All added by Sophos in the future" option by default in the Authorized tab in pretty much all the categories.

    :5705
  • Awesome! Do you mind if we add these links to the Application Control sticky at the top of the forum? Once the formal Sophos lists are live I'll remove the lists.

    Sure.

    The proposal is to enable each category to be set to either "block" or "monitor"; obviously the action will only apply to selected applications.

    I can see why this is useful, because right now you can only set a complete AppControl policy to "Detect, but don't block".

    I suggest adding the ability to remove/delete the detected app/game/proxy. We have several dozen locations and way too many computers to always send somebody to get rid of the detected application. Remoting in is not an option either as we are understaffed (oh wait it's not understaffed, rather I'm completely alone here). This would be a huge timesaver as then they don't have to go through the whole process of power it on, login, run the Uninstaller, hope that the uninstaller is not broken, wait for the uninstallation, logoff. Just deleting the key AppControl identifier files (usually .EXE and .DLLs from what I've seen in the past) will cripple the app and the kids can't run it anymore. Abuse stopped. 1:0 security.

    :5795