
Application Control query

Hi all,

I've just started to take a look at the application control settings on Sophos AV. I'd be interested to hear from anyone that is properly using the application control settings to police applications on the network.

We have a globally spread workforce, who are all advanced technical users on notebook systems. Staff have local admin rights on their systems as they may be writing code / building applications on their systems. We make it quite clear that applications are not to be installed unless authorised by the IT department, in addition to our policy that we regularly audit machines for non-compliance. While most staff respect the IT policies that exist, there will always be one or two that will chance their arm.

At present I have the policies set to scan but allow to run (for any flagged applications) so that I get a lie of the land to see what applications are being picked up by our scheduled scanning. I would like to be able to get to a position where we can flag certain exe's or known, Sophos-listed programs that we can block.

An example might be instant messaging clients or browser toolbars. If I want a specific IM client permitted, and put a block on all the others listed, how does the AV client handle this? Does it treat the application in the same way it would a detected virus (i.e. if my policy says deny access to a suspect file, then will this do the same for the 'suspect' application?)

How does Sophos deal with this? Are there any major differences with application control for Sophos 9.0 and 9.5? (As I'm in the process of planning out the 9.5 roll-out)

On a similar note, but from another perspective: if I have a suspicious file (e.g. crack-file.exe) which is listed under the "suspicious files" on the authorisation manager, is there a way to track down in the reports the system on which that file was found? I assumed that it could be picked up from the "application control events" menu, but that doesn't appear to be the case.

Apologies if this does all sound very beginner'ish, but I can assure you I have spent days trawling through the various online support documents, when I (probably) should have been getting a lab set up with various scenarios, in order to try and track it down.

Thanks in advance for any assistance you can provide

  • From your perspective it could be a tough one to call. As the saying goes; you can't please everyone all the time...

    From my experience most users will have no interest in what the pop-up is, they are going to be none too happy that their app is no longer working. They will either accept that the policy doesn't allow it, or they will log a complaint with the IT team.

    In my personal opinion, I would prefer to see the message kept as simple as possible, something along the lines of;

    Controlled application blocked by Sophos

    The application '<Application Name>' has been detected

    [Then your custom text]  <- I typically set the text to advise the user to contact the IT team if necessary.

    In my opinion I would leave the application path out of the pop-up. The Sophos client application on the computer does show the application paths in the quarantine list, so the IT techs can locate the files this way if needs be.
