Application Control - IRFANVIEW not working

Hi, the following app IRFANVIEW is part of the app control list, but when I select for it to be blocked, the endpoint still allows the application.

Can this be looked into? Thank you.

[edited by: Gladys at 10:39 AM (GMT -7) on 24 Apr 2024]
  • When testing APPC, I tend to use the SophosSAVICLI.exe just to see if it's detected:

    e.g.

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"

    The directories will differ, but the key thing is the -controlled switch.

    As a test:

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\Internet Explorer\iexplore.exe"
    ...
    'AppC/IE11-Gen' found in file C:\Program Files\Internet Explorer\iexplore.exe

    So as you'd expect iexplore.exe is detected by Application control as AppC/IE11-Gen.

    Usually an application control identity detects both the installer and the app. In this case, though, I can't seem to get any of the files from
    https://www.fosshub.com/IrfanView.html? to be detected, be it the installer or the main exe, for the last few older versions.

    I would raise a ticket with Support as it should be detected given you can select it in policy.

    https://support.sophos.com/support/s/filesubmission?language=en_US should also work (I get an answer) but might be slower?

    This would be detected using the CLI regardless of policy. So even if you've sent a policy to block this app, e.g. at the client: app_control_blocked_app_list under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ApplicationControl\[latestrevision]\ contains: IrfanView.

    Hope it helps. Thanks.

  • It doesn't appear to be a new one, i.e. the data feed has it for the policy but the EP hasn't caught up:
    https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications

    It has the page: https://www.sophos.com/en-us/threat-center/threat-analyses/controlled-applications/IrfanView

    Application Control contains the notifications, and I don't see it listed in any of the recent notifications. Given the age of the app, I assume it's quite an old identity?

    I went back to iview451_x64_setup.exe; the installer wasn't detected, but the main exe then was:

    &"C:\Program Files\Sophos\Sophos Standalone Engine\engine1\engine\17104344824937349\SophosSAVICLI.exe" -controlled -vdldir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" -idedir="C:\Program Files\Sophos\Sophos Standalone Engine\engine1\data\17134272646636230" "C:\Program Files\IrfanView\i_view64.exe"

    'AppC/Irfan-Gen' found in file C:\Program Files\IrfanView\i_view64.exe

    So it looks like the generic identity needs an update.
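The two replies above describe a two-part check: confirm the app is really in the latest Application Control policy revision on the endpoint, then run SophosSAVICLI.exe with -controlled to see whether the engine's identity data matches the binary at all. The PowerShell below is an added example written for this thread, not code from Sophos or from either poster. It assumes the registry layout and value name quoted in the reply (revision subkeys under HKLM\SOFTWARE\Sophos\Management\Policy\ApplicationControl, with the highest subkey name taken as the latest revision), the engine1\engine and engine1\data directory layout seen in the quoted commands, and that app_control_blocked_app_list is a delimited string or multi-string; all three are assumptions, and the AppName and FilePath parameters are placeholders you replace.

```powershell
# Added example (not from the thread or from Sophos): check the local Application Control
# policy for an app name, then scan an executable with SophosSAVICLI.exe -controlled.
# Registry layout, directory layout and value type below are assumptions based on the thread.

param(
    [string]$AppName  = 'IrfanView',                              # placeholder: name as shown in policy
    [string]$FilePath = 'C:\Program Files\IrfanView\i_view64.exe' # placeholder: binary to test
)

$policyRoot = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ApplicationControl'
$engineRoot = 'C:\Program Files\Sophos\Sophos Standalone Engine\engine1'

# 1. Is the app in the blocked list of the latest policy revision?
#    Assumption: revision subkeys sort so that the highest name is the newest revision.
$latest = Get-ChildItem -Path $policyRoot -ErrorAction Stop |
          Sort-Object -Property PSChildName -Descending |
          Select-Object -First 1
$blocked = (Get-ItemProperty -Path $latest.PSPath).app_control_blocked_app_list
# Assumption: value is a single delimited string or a multi-string; normalise to an array.
$blockedList = @($blocked) -split '[,;\r\n]' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$inPolicy = $blockedList -contains $AppName
"Policy revision $($latest.PSChildName): '$AppName' in blocked list = $inPolicy"

# 2. Does the engine's identity data detect the file, regardless of policy?
#    Locate the newest SophosSAVICLI.exe and the newest data directory (highest name, assumed).
$cli = Get-ChildItem -Path (Join-Path $engineRoot 'engine') -Recurse -Filter 'SophosSAVICLI.exe' |
       Sort-Object -Property LastWriteTime -Descending | Select-Object -First 1
$data = Get-ChildItem -Path (Join-Path $engineRoot 'data') -Directory |
        Sort-Object -Property Name -Descending | Select-Object -First 1
if (-not $cli -or -not $data) { throw 'Could not locate SophosSAVICLI.exe or its data directory.' }

$output = & $cli.FullName -controlled -vdldir="$($data.FullName)" -idedir="$($data.FullName)" "$FilePath" 2>&1
# Pull the identity names out of lines such as: 'AppC/Irfan-Gen' found in file C:\...
$hits = $output | Select-String -Pattern "'(AppC/[^']+)' found in file" |
        ForEach-Object { $_.Matches[0].Groups[1].Value }

# 3. Read the two results together, the way the replies do.
if ($hits) {
    "Detected as: $($hits -join ', ')"
    if (-not $inPolicy) { "Identity fires but '$AppName' is not in the blocked list: the policy has not reached this endpoint." }
} else {
    "No AppC identity matched $FilePath."
    if ($inPolicy) { "'$AppName' is in policy but no identity matches this binary: the identity needs an update; raise a ticket or submit the sample." }
}
```

Run it from an elevated PowerShell prompt on the endpoint; the policy key is under HKLM and the engine directories live under Program Files. The split into "in policy" and "identity matches" is the point: a block that does not take effect can mean either that the policy never arrived or, as in this thread, that the generic identity does not cover the version of the binary installed.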
