Known issues in Sophos Control Center, version 4
- Computer names must use the standard ASCII 7 format to be valid in Sophos Control Center. Computers with names containing accented or non-Roman characters are not recognized.
- Application control
(DEF 27077) Application control events are generated without applications being run by a user. There are a number of scenarios where application control events that are not the result of the user running the application will be reported back to Sophos Control Center.
When an endpoint computer is restarted, an event will be generated if a controlled application has an entry within the Windows Start menu, for example, Microsoft Games.
When a user opens the Add or Remove Programs window, an event will be generated if a controlled application is on the list of programs.
An event will be generated when a user wants to view file properties of a controlled application (by right-clicking on the file and selecting Properties) or when a user hovers the mouse cursor over the file to view the file's tooltip.
In the Application Control Event Viewer, the User column may contain "NT Authority". The user will be reported as "NT Authority" as opposed to the user logged onto the endpoint if an application is detected during a scheduled scan, by a scheduled task being activated, or when the Start menu is enumerated.
Multiple application control events can be generated by a single application identity, for example, "MS Windows Games". This occurs when an identity covers multiple executables or detection is triggered against more than one application component. The latter case normally occurs for scheduled scans with application detection enabled.
(CR 28114) Sophos Control Center cannot show if a controlled application was detected locally or remotely. If a user attempts to install a controlled application that is blocked, the application will be prevented from being installed. An alert will be sent to Enterprise Console, but the alert will show neither the action that raised the alert nor where the installer was located. For more information about the application control event, see the Sophos Anti-Virus log file on the endpoint (C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt).
(SUG 29039) The block network bridging mode will not work in IPV6-only environments.
(WKI 37908) Devices that use the MTP protocol (Media Transfer Protocol) are not blocked using device control. By default, these devices cannot have data written to them using Windows Explorer. Camera devices are not blocked using device control. By default, these devices cannot have data written to them using Windows Explorer.
(WKI 30431) The "Kingston DataTraveler Vault" hardware-encrypted device is not covered by the "Secure Removable Storage" category within device control. Compared to other hardware-encrypted storage devices, this model uses a different mechanism to expose its encrypted storage partition. Currently this mechanism cannot be automatically detected and exempt.
(WKI 36186) In the "block bridged" mode it is not possible to generate the "block" events required to exempt Wireless or Modem device types.
(WKI 41288) Device control raises 2 alert messages when a CD drive which has not already been installed is plugged in. It should only raise 1 alert.
(WKI34739) Safe Stick is accessible even when blocked, or cannot be accessed if CD part is made Read only.
(WKI40161) Unable to block printers removable storage slots with device control policy. This is because device control does not work across a network share,
(DEF 22335) An allowed application is blocked temporarily by Sophos Client Firewall. When a Firewall policy is applied, all application rules are removed and then re-added. During this time, if an application that is allowed by the new policy tries to make an outbound connection, the application is blocked until the new policy is applied completely.
(SUG 18615) In some cases firewall rules are not applied to a running application or service until it is restarted. If a process was detected using "process verification" (for example, when it was launched it was a new or modified application), then a new firewall configuration will not be applied until after the application or service is restarted.
(WKI46954) Opening Internet Explorer 8 after installing Sophos Anti-Virus and Sophos firewall, a message screen 'Add/ Replace checksum' is displayed twice. This has also been seen with other network applications.