
Application Control query

Hi all,

I've just started to take a look at the application control settings on Sophos AV. I'd be interested to hear from anyone that is properly using the application control settings to police applications on the network.

We have a globally spread workforce, who are all advanced technical users on notebook systems. Staff have local admin rights on their systems as they may be writing code / building applications on their systems. We make it quite clear that applications are not to be installed unless authorised by the IT department, in addition to our policy that we regularly audit machines for non-compliance. While most staff respect the IT policies that exist, there will always be one or two that will chance their arm.

At present I have the policies set to scan but allow to run (for any flagged applications) so that I get a lie of the land to see what applications are being picked up by our scheduled scanning. I would like to be able to get to a position where we can flag certain exes or known, Sophos-listed, programs that we can block.

An example might be instant messaging clients or browser toolbars. If I want a specific IM client permitted, and put a block on all the others listed, how does the AV client handle this? Does it treat the application in the same way it would a detected virus (i.e. if my policy says deny access to a suspect file, then will this do the same for the 'suspect' application?)

How does Sophos deal with this? Are there any major differences with application control for Sophos 9.0 and 9.5? (As I'm in the process of planning out the 9.5 roll-out.)

On a similar note, but from another perspective: if I have a suspicious file (e.g. crack-file.exe) which is listed under the "suspicious files" on the authorisation manager, is there a way to track down in the reports the system on which that file was found? I assumed that it could be picked up from the "application control events" menu, but that doesn't appear to be the case.

Apologies if this does all sound very beginnerish, but I can assure you I have spent days trawling through the various online support documents, when I (probably) should have been getting a lab set up with various scenarios, in order to try and track it down.

Thanks in advance for any assistance you can provide.

  • Hello pdc,

    You can either Authorize or Block an application. If it is set to Blocked and on-access scanning is set to Detect but allow to run, it executes; otherwise not. An event is logged in both cases. Some would like the Detect but allow to run setting to be application-specific, but for now it's a global setting. In case you wonder why this might be needed: each application type contains an "All added by Sophos in the future" generic application, and you might want to be alerted of added applications but not block them by default.

    You should find computers with suspicious files in the Computers with alerts section in SEC (they now have their own link). Also see Placebo's (the apostrophe is his :smileywink:).

    I'm not aware of significant changes in AppCtrl but the new Tamper protection might be of interest if your users are admins.

    Christian

  • Thanks QC, much appreciated.

    I guess I'm really keen to ensure that if I were to implement a block on applications, the AV client will prevent staff from running those blocked apps.

    In terms of the desktop alert that you can present to the user, is it possible to put a variable into the alert message which will list the application name as part of the alert?

    For example, is it possible to set the alert text to be something like "%APPNAME% is not permitted as outlined in the IT Policy..."?

    Obviously if someone is *really* determined, they will always find a means to get around it. With the application control and the tamper protection in place it is sufficient to make it clearly known to those determined people that they are knowingly circumventing controls. At that stage IT has the means to take further action, if necessary.

    Thanks again for your time and assistance.

  • You're welcome.

    If an application is blocked, the Sophos icon displays a balloon for several seconds which says (using SAV 9.0):

        Controlled application detected by Sophos.

        File ... of controlled application ... (of type ...) has been detected.

        your message (up to 100 characters) to the user here

    Application and type are as in the policy, for example application 'MS Windows Games' (of type Game).

    Christian

  • It's worth noting that the application control identity will attempt to block both the initial installation process and application execution.

    If anybody has any additional feedback on application control and how you'd like to see it improved, I'd welcome your input via this thread.

    Best regards,

    John Stringer

    Product Manager

  • Thanks John for the additional info.

    As a matter of interest, is there a means to further configure the alert message that appears when a blocked application install is attempted?

    For example, in my test I put a block on all IM clients, then attempted an installation of Google Talk. Sophos does the job I expect, but the message displayed is a bit confusing:

       Controlled application blocked by Sophos

       File "C:\Documents and settings\username\desktop\googletalk-setup.exe" of controlled application 'Google Talk' (of type Voice over IP) has....

       [Custom message text set at application control policy]

    I had to read the message a few times to make sense of it. I've no idea what is meant to follow the "has...".

    I'm sure it's the same message if we were to activate application control against systems that already have controlled apps installed.

  • Couldn't find an option to edit the last post, so this is an addendum to it.

    I've tried the similar process with other 'controlled apps' and I get the full message to appear. It seems that in my first test with Google Talk the "has been detected" part was chopped off the end of the message.

    I'm guessing that the 'controlled application path' is too long. There must be a limit to how long the message can be? Perhaps a similar restriction, like the one for the custom text, which is limited to 100 characters.

  • Yes, looks like that is the problem. I wonder if it's necessary to show the full path in the end user alert; perhaps just the filename would be enough. What do you think?

    John

  • From your perspective it could be a tough one to call. As the saying goes, you can't please everyone all the time...

    From my experience most users will have no interest in what the pop-up is; they are going to be none too happy that their app is no longer working. They will either accept that the policy doesn't allow it, or they will log a complaint with the IT team.

    In my personal opinion, I would prefer to see the message kept as simple as possible, something along the lines of:

    Controlled application blocked by Sophos

    The application '<Application Name>' has been detected

    [Then your custom text] <- I typically set the text to advise the user to contact the IT team if necessary.

    In my opinion I would leave the application path out of the pop-up. The Sophos client application on the computer does show the application paths in the quarantine list, so the IT techs can locate the files this way if need be.

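    The truncation the thread diagnoses (a long install path pushing "has been detected" off the end of the balloon) and the fix proposed in the post above (show only the filename) can be modelled with a few lines. The code below is an added example, not Sophos' code; the balloon text and the 100-character custom-text cap come from the thread, while the total balloon capacity (ALERT_BODY_LIMIT) and the sample path are assumptions, since the page gives no figure for it.

```python
import ntpath  # Windows path handling that works even when this runs on Linux/macOS

CUSTOM_TEXT_LIMIT = 100   # stated in the thread: custom message is capped at 100 characters
ALERT_BODY_LIMIT = 140    # ASSUMPTION: notional balloon capacity for the fixed sentence
TITLE = "Controlled application blocked by Sophos"
TRAILER = "has been detected."

# Constructed sample path of the kind the thread describes (not a real system's path).
SAMPLE_PATH = r"C:\Documents and settings\username\desktop\googletalk-setup.exe"


def build_body(path, app_name, app_type, full_path=True):
    """Reproduce the fixed sentence from the balloon, with the full path or just the filename."""
    location = path if full_path else ntpath.basename(path)
    return f'File "{location}" of controlled application \'{app_name}\' (of type {app_type}) {TRAILER}'


def naive_alert_body(path, app_name, app_type, body_limit=ALERT_BODY_LIMIT):
    """What the thread observed: the sentence is cut at the limit, losing the trailer."""
    return build_body(path, app_name, app_type, full_path=True)[:body_limit]


def render_alert(path, app_name, app_type, custom_text, body_limit=ALERT_BODY_LIMIT):
    """Prefer the full path, fall back to the filename when it would not fit the balloon.

    Returns the pieces an IT team would want to check: whether the fixed sentence
    survived intact and whether the full path could be shown. The full path is not
    lost either way; per the thread it remains in the SAV.txt log and quarantine list.
    """
    if len(custom_text) > CUSTOM_TEXT_LIMIT:
        raise ValueError(f"custom text exceeds {CUSTOM_TEXT_LIMIT} characters")

    full = build_body(path, app_name, app_type, full_path=True)
    if len(full) <= body_limit:
        body, used_full_path = full, True
    else:
        body, used_full_path = build_body(path, app_name, app_type, full_path=False), False

    shown = body[:body_limit]
    return {
        "title": TITLE,
        "body": shown,
        "custom": custom_text,
        "used_full_path": used_full_path,
        "truncated": shown != body,   # True only if even the filename form does not fit
    }


if __name__ == "__main__":
    print("naive :", naive_alert_body(SAMPLE_PATH, "Google Talk", "Voice over IP"))
    fixed = render_alert(SAMPLE_PATH, "Google Talk", "Voice over IP",
                         "Not permitted under the IT policy. Contact the IT team if you need this.")
    print("fixed :", fixed["body"])
    print("full path shown:", fixed["used_full_path"], "| truncated:", fixed["truncated"])
```

    Running it prints the chopped sentence first ("... (of type Voice over IP) has" with the trailer missing) and then the filename form with "has been detected." intact. Whatever the real limit is, the check to make before rolling a custom message out is the same: confirm the fixed sentence still ends with its trailer on the longest install path you expect to see.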
  • The complete path will still be in SAV.txt, if you need it you can look it up.

    Thinking about it - it'd be nice if the notification could contain a clickable link to the IT-policy ...

    Christian

  • I agree, but that doesn't necessarily mean it will be changed :) I will raise a defect though.

    Thanks,

    John
