21 January 2011

Sophos Application Control Policy - implementation guide

A feature that I have always found very useful as part of the Sophos product is the Application Control. As the name suggests, it allows you to control which applications are allowed to run on a client machine and which are not.

Initially I started off just blocking software updates for Java and Adobe Reader. As I am busy experimenting with policies for Sophos 9.5, I figured I would use it more extensively.




From the Enterprise Console, in the Policies pane, expand Application Control.
Create a new policy and edit it.

Scanning


Enable on-access scanning checks for application execution in real time.
Detect but allow to run does just that; it is very useful for initially establishing an application baseline, since every detected application is reported on.
Enable on-demand and scheduled scanning looks for the applications on the machine during a scan. This allows you to detect applications without them being executed.

Messaging


Enabling desktop messaging will display a system tray message when an unauthorized application is detected.

You will definitely want to disable this when you have "Detect but allow to run" checked in the scanning options.
This prevents users from seeing a flood of pop-up messages while you are establishing your baseline.

You will also definitely want to enable this when you start blocking applications from executing. If you don't, users will only see OS-level messages about access rights to the application.



You can see the different options here.

First is the OS-level error.
In the pop-up message you can see the default description in the red section, while the custom "message text" is displayed in the green section.

Authorization
This is where the actual control element lies.


By selecting the application types (orange) you will see the Authorized and Blocked windows populated.

All the items in Authorized will be allowed to run.

All the Blocked items will be blocked, reported and/or messaged on.


In my example here I would like browsers that do not meet the relevant criteria to be blocked from executing.

As part of my test I blocked Firefox. Interestingly, I was allowed to download the installation files but I could not even launch the installer before being notified and blocked.

While going through these application types you will always see an item called "All added by Sophos in the future".
I am assuming the idea here is that Sophos will include potential applications that may be useful to block. I would have liked the ability to add my own list of applications/executables.

Conclusion
By using application control policies you can get a better idea of your environment and the applications running on your machines. It also gives you the ability to control their execution. This covers the gap left by the suspicious files, Adware and PUA cleanup and authorization configuration in the Antivirus and HIPS policy: it controls legitimate applications you do not want to allow in your environment.

1 comment:

jessshallop said...

It does not work for me. The policy pushes through and is applied to my laptop but I can still access, download and install applications. Do you have any idea why this is happening?
