Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 2 replies
  • Subscribers 2 subscribers
  • Views 4850 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application Control - On-Access-Scan - how to use correctly?

Henning Flier

Greetings from Cologne, Germany,

we are using Sophos Endpoint Security 10.7 and we don´t understand the full implications of Application-Control with On-Access-Scan enabled. What we do: We install Sophos Enpoint Security with standard options and configure the update servers. So far, so good.

We are using automated (unattended) installation routines for windows 10, but when it comes to Sophos configuration, we do not have a method to check that application-control checkbox automatically so we have to do it by hand. We are wondering, if it is really necessary to check this box, though we do not distibute any policies and we do not use any centralized console system for Sophos Management.

How does Application-Control really work? Is it actually useful to check this feature when there is no management console provided? My personal understanding of this feature ist, that there has to be a central white-/ blacklist program configuration. As long as you dont come up with this, there is no use for this feature at the endpoint.

 

Thanks for your answers in advance

H.Flier



This thread was automatically locked due to age.
  • +1

    Without management, either from Central or Enterprise Console, and therefore without an application control policy being sent to the endpoint Application Control it will do nothing.

    Application Control uses data created by SophosLabs to identify applications but the individual applications and groups to control are set in policy.

    Potentially Unwanted Applications (PUA), should not be confused with Application Control: Although SophosLabs data is used to detect them, this class of detection doesn't require a policy, it will detect items such as pskill, psexec, etc.. which you can then choose to authorize if you want them to run.

    If the unmanaged clients are updating directly from Sophos there is no way to get an application control policy configured through the updating channel. However, If you were using SEC to download and create a distribution point (sometimes called CID), you can use the command line tools exportconfig and configcid to create an XML file which defines the application control policy.  This can be placed into a CID.  AutoUpdate on the client, using a local CID can consume this XML file to configure SAV with application control based on the policy exported from SEC. You can install the endpoint without the RMS component, i.e the management software which the application control policy would typically go down to the endpoint via.  Here you are using the updating channel to set the config.  The downside being, each time you change the policy, you need to export and config the cid with the new XML.

    Regards,

    Jak

Unfiltered HTML