Application Control Logs

Question

Hi all, 
 
 We are using Sophos Enterprise Console v5.5.0 to centrally manage\configure our Sophos Endpoint Security and Control solution. 
 I came across a Sophos article (dated Jan. 2019 - link below) which advised, among other things, blocking Powershell by default using Application Control within Enterprise Console. 
 https://nakedsecurity.sophos.com/2019/01/25/fighting-emotet-lessons-from-the-front-line/ 
 I implemented the recommendation on most of our users and to my mild surprise found that Application Control had blocked Powershell on a few PCs. 
 I'm trying to discern if this activity was legitimate, but cannot locate a relevant log file (on the client-side or server-side) which may assist in this task. 
 Could someone please point me in the direction of any log file which may help? 
 
 Many thanks for your assistance in this matter. 
 
 John P

RodS · Accepted Answer

Hi John, 
 For Endpoint Security and Control clients managed by Enterprise Console, there may be more detail for Application Control detections in the SAV.txt logs (Anti-virus logs). 
 
 On a client machine SAV.txt can be found in the following folder: C:\ProgramData\Sophos\Sophos Anti-Virus\logs 
 
 Please let us know if you have any further questions. 
 
 Regards,

QC · Answer

Hello John P, 
 the more detail RodS mentions does not include a potential caller. An Application Control event doesn't even denote the launch of [an] application . It's a by-product of scanning (On-Access or also on-demand/scheduled). AFAIK SAV doesn't log the process accessing a file but maybe it can. Anyway, you can use Process Monitor to find, if not the what , at least the immediate caller. Coincidentally the other day I had HPMal alerts for a Powershell invocation. Turned out the caller was wscript.exe executing a .vbs . wscript in turn was started by a scheduled task. In this case I filtered File System Activity , Path ends with powershell.exe . This not only showed that t he caller was wscript.exe but that it was called by taskeng.exe that also accessed the .vbs . In case there's another intermediate you'd need an additional ends with but that's a no-brainer. 
 Christian