Application Control query

Hi all,

I've just started to take a look at the application control settings on Sophos AV. I'd be interested to hear from anyone that is properly using the application control settings to police applications on the network.

We have a globally spread workforce, who are all advanced technical users on notebook systems. Staff have local admin rights on their systems as they may be writing code / building applications on their systems. We make it quite clear that applications are not to be installed unless authorised by the IT department, in addition to our policy that we regularly audit machines for non-compliance. While most staff respect the IT policies that exist, there will always be one or two that will chance their arm.

At present I have the policies set to scan but allow to run (for any flagged applications) so that I get a lie of the land to see what applications are being picked up by our scheduled scanning. I would like to be able to get to a position where we can flag certain exe's or known, Sophos-listed programs that we can block.

An example might be instant messaging clients or browser toolbars. If I want a specific IM client permitted, and put a block on all the others listed, how does the AV client handle this? Does it treat the application in the same way it would a detected virus (i.e. if my policy says deny access to a suspect file, then will this do the same for the 'suspect' application?)

How does Sophos deal with this? Are there any major differences with application control for Sophos 9.0 and 9.5? (As I'm in the process of planning out the 9.5 roll-out)

On a similar note, but from another perspective: if I have a suspicious file (e.g. crack-file.exe) which is listed under the "suspicious files" on the authorisation manager, is there a way to track down in the reports the system on which that file was found? I assumed that it could be picked up from the "application control events" menu, but that doesn't appear to be the case.

Apologies if this does all sound very beginner-ish, but I can assure you I have spent days trawling through the various online support documents, when I (probably) should have been getting a lab set up with various scenarios, in order to try and track it down.

Thanks in advance for any assistance you can provide

  • We are just setting up the application control, and would like to notify rather than block the applications, by just bringing up the message box saying that the controlled application has been detected and logged.

    We have put a custom message into the messaging box on the policy, ticked enable desktop messaging, ticked enable on-access scanning and also ticked detect but allow to run.

    This still produces the notifications on the Enterprise software, but does not bring any message balloons up when a controlled application is run or installed.

    Some feedback also, as stated on a previous post, I do feel the messages are rather long and confusing. Rather than using the full path and executable file name in the message, the application name would be better (or an option to use either). I would rather have complete control over what message is displayed to make it quite clear that the user has tried to install or run something they shouldn't have.

    Any help or advice is much appreciated. Thanks.