
Application Control query

Hi all,

I've just started to take a look at the application control settings on Sophos AV. I'd be interested to hear from anyone that is properly using the application control settings to police applications on the network.

We have a globally spread workforce, who are all advanced technical users on notebook systems. Staff have local admin rights on their systems as they may be writing code / building applications on their systems. We make it quite clear that applications are not to be installed unless authorised by the IT department, in addition to our policy that we regularly audit machines for non-compliance. While most staff respect the IT policies that exist, there will always be one or two that will chance their arm.

At present I have the policies set to scan but allow to run (for any flagged applications) so that I get a lie of the land to see what applications are being picked up by our scheduled scanning. I would like to be able to get to a position where we can flag certain exe's or known, Sophos-listed programs that we can block.

An example might be instant messaging clients or browser toolbars. If I want a specific IM client permitted, and put a block on all the others listed, how does the AV client handle this? Does it treat the application in the same way it would a detected virus (i.e. if my policy says deny access to a suspect file, then will this do the same for the 'suspect' application?)

How does Sophos deal with this?  Are there any major differences with application control for Sophos 9.0 and 9.5? (As I'm in the process of planning out the 9.5 roll-out)

On a similar note, but from another perspective: if I have a suspicious file (e.g. crack-file.exe) which is listed under the "suspicious files" on the authorisation manager, is there a way to track down in the reports the system on which that file was found? I assumed that it could be picked up from the "application control events" menu, but that doesn't appear to be the case.

Apologies if this does all sound very beginner-ish, but I can assure you I have spent days trawling through the various online support documents, when I (probably) should have been getting a lab set up with various scenarios, in order to try and track it down.

Thanks in advance for any assistance you can provide



  • It's worth noting that the application control identity will attempt to block both the initial installation process and application execution.

    If anybody has any additional feedback on application control and how you'd like to see it improved I'd welcome your input via this thread.

    Best regards,

    John Stringer

    Product Manager
