Sophos blocks Sysinternals Process Explorer and quarantines it as Controlled Application

I am working at a company with normal user credentials, and recently Sophos AV stopped getting updates, so I had to have it reinstalled by a tech admin remotely.

Right after that, the situation in the title appeared. Process Explorer, which I have used for several years now (more than ten), can't be used anymore.

Process Explorer by Mark Russinovich can be downloaded from Microsoft Docs; I cannot understand why it is suddenly a controlled application.

Now, since I am not given any user rights to authorize this program (allegedly the tech department doesn't know how....), I would like to suggest removing this software from the list of controlled applications.

Thanks in advance

  • Hi

    In the "Application control" policy, applications are authorized by default. System administrators select the applications they want to block. Please check this article to block/unblock the listed application. 

    Shweta

    Community Support Engineer | Sophos Technical Support
  • Hi Shweta, thanks for the answer. So the admin did not tell me the truth when he said that he didn't block Process Explorer intentionally, when I told him it wasn't blocked before the reinstall? Did he have to activate blocking of this program manually? Sadly I couldn't see what he did, because it was done remotely and I was locked out during the process.

  • I suspect what has happened is in the Application Control policy:

    The person who configured the Application Control policy applied to your device or user checked the "NEW APPLICATIONS ADDED TO THIS CATEGORY BY SOPHOS" option.  So as soon as Sophos added this it was blocked.

    Regards,
    Jak

  • Thank you jak! Of course, as a user, I do not know this configuration tool. It is most likely what is mentioned in the article that Shweta linked above.

    Why Sophos added this application in 2020 eludes me. It is a proven tool and has, amongst other things, a lower CPU footprint than the regular Task Manager.

    Up to now I could use it only without admin rights anyway.

    Interesting detail: The admin I spoke to didn't even know Process Explorer.

  • Another interesting detail: as long as the blocked application exists, Sophos notifies about blocking it, mostly when I open a file selector box in another application. Since Process Explorer isn't an application that is hooked into file operations, as it always has to be executed manually, this behavior is weird.

  • Hello Rudolf Zorn,

    Application Control is a by-product of On-Access/Real-Time scanning. It does not monitor process creation (i.e. execution) but file access, regardless of the intent. As (Windows) Explorer opens the files when it displays a folder's contents, controlled applications in this folder are detected.

    Christian   

  • Hello QC, this is for sure the right explanation. But it's weird anyway, since none of the specific folders where the controlled app resides are opened. But there may be some access behavior or memory of them in a cache, and therefore I will delete those folders and restart Explorer afterwards to end the annoyance. If that doesn't help, I will do a reboot (which I do not do often, because I only hibernate the machine most of the time and continue working after wakeup).
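Before deleting folders to stop the notifications, a practitioner would first want to know exactly where copies of the controlled binary live on the machine and confirm they are the genuine Microsoft-signed Sysinternals build rather than something else that merely shares the name. The PowerShell below is an added example, not code from the thread or from Sophos; it assumes the files are named procexp.exe or procexp64.exe (the names Sysinternals ships), searches only local fixed drives, and uses standard cmdlets (Get-ChildItem, Get-AuthenticodeSignature, Get-FileHash). Note that, for the reason Christian gives above, Application Control reacts to file access rather than execution, so reading each file to check its signature and hash will itself trigger a Sophos notification for every copy found while the block policy is in place.

```powershell
# Added example (not from the thread or from Sophos): enumerate copies of
# Process Explorer on local fixed drives, verify each is the genuine
# Microsoft-signed binary, and report the folders that hold them.
# Assumptions: file names procexp.exe / procexp64.exe; local drives only
# (Win32_LogicalDisk DriveType 3); "Genuine" means a valid Authenticode
# signature whose signer subject names Microsoft Corporation.

$Names = @('procexp.exe', 'procexp64.exe')

# Local fixed drives only, so mapped network shares are not scanned.
$Roots = (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3').DeviceID |
         ForEach-Object { "$_\" }

# Recursive search; access-denied folders are skipped silently.
$Found = foreach ($root in $Roots) {
    Get-ChildItem -Path $root -Recurse -File -Include $Names -ErrorAction SilentlyContinue
}

$Report = foreach ($file in $Found) {
    $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    [pscustomobject]@{
        Folder    = $file.DirectoryName
        Name      = $file.Name
        Version   = $file.VersionInfo.FileVersion
        SigStatus = $sig.Status                      # Valid / NotSigned / HashMismatch / ...
        Signer    = $signer
        Genuine   = ($sig.Status -eq 'Valid' -and $signer -like '*Microsoft Corporation*')
        SHA256    = $hash
    }
}

if (-not $Report) {
    Write-Host 'No copies of Process Explorer found on local fixed drives.'
} else {
    $Report | Sort-Object Folder | Format-Table Folder, Name, Version, SigStatus, Genuine -AutoSize

    # Folders the user would remove to stop the on-access notifications.
    Write-Host "`nFolders containing Process Explorer:"
    $Report | Select-Object -ExpandProperty Folder -Unique | ForEach-Object { Write-Host "  $_" }

    # Anything not genuinely Microsoft-signed deserves a closer look before deletion,
    # since a renamed or tampered file is a different problem than a policy mismatch.
    $Suspect = $Report | Where-Object { -not $_.Genuine }
    if ($Suspect) {
        Write-Warning 'One or more copies are not validly signed by Microsoft Corporation:'
        $Suspect | Format-Table Folder, Name, SigStatus, Signer, SHA256 -AutoSize
    }
}
```

Run it from an ordinary (non-elevated) PowerShell session; folders the account cannot read are skipped rather than failing the scan. The SHA256 column is there so the hashes of the copies on disk can be compared with a freshly downloaded archive from Microsoft if the signature check raises any doubt.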