Sophos Anti-Virus for Windows 2000+: application control rollout guidelines
Sophos Anti-Virus for Windows 2000+, version 7, includes application control. When first installed, application control is not enabled.
Note:
- Application control can only be configured from Enterprise Console; it cannot be configured at the local computer.
- A separate article describes upgrading from Sophos Anti-Virus, version 6, with application control.
Sophos recommends a phased deployment of application control across your network. This will allow you to
- assess the possible impact of application blocking on your system,
- reduce the likelihood of disruption to users,
- inform users of what impact Application Control policy may have on them. This may help to reduce the initial impact on your company's IT support resources, when users find some applications are no longer available.
Only you can decide which applications you should block.
For more information on application control, see the Sophos Anti-Virus network startup and upgrade guides, and the Enterprise Console user manual.
What to do
When Sophos Anti-Virus for Windows 2000+, version 7, is first installed, all applications are allowed by default. You deploy application control policies by group. Before deploying application control throughout your network, roll out to selected computers and test them.
1. Planning deployment of application control
Select the applications that you want to control. You can view the application types, and individual programs, as follows:
- Open Enterprise Console.
- In the Policies pane, double-click 'Application Control'. Then double-click the default policy.
- The Application Control policy dialog box is displayed.
- Click the 'Authorization' tab.
- In the 'Application Type' list, select an application type. The programs available for blocking can be seen in the 'Authorized' pane.
- Click 'Cancel' to close the dialog box.
There may be alternative means of controlling some of these applications; for example, you can remove Windows games using Windows system policy.
Different groups of users will need different policies. For example, staff who use the telephone a lot may need an instant messaging program, while other staff will not. Take this into account when planning your policies.
2. Setting up a test application control policy
- Open Enterprise Console.
- In the Policies pane, double-click 'Application Control'.
- Right-click the default policy and select 'Duplicate policy'.
- Give the policy a name.
- Double-click your new policy.
- Select the 'Authorization' tab.
- Select an application type from the list, then add specific applications to the 'Blocked' list.
- Select the 'Scanning' tab.
- Select 'Enable on-demand and scheduled scanning'.
- Click 'OK' to finish.
Note:
- Do not enable on-access scanning at this point.
- An on-demand scan will detect the selected applications on your computers when a scan is run, but their use will not be blocked until you enable on-access scanning.
- Selecting 'All added by Sophos in the future' for a particular application type, in combination with on-access scanning, could lead to applications being unexpectedly blocked in the future. Take care when using this option.
If you add applications common on your network (e.g. Windows games on a network where they are installed), you will get large numbers of alerts when you run your first scan. It may be better to remove such applications before even a test deployment.
3. Applying the policy to a test group
- Right-click your test group.
- Select 'View group policy details'.
- In the 'Application Control' dropdown list, select your new policy.
- Click 'OK'.
The policy will be applied to your test computers.
4. Scanning your test group
Test your new policy on a group of computers by running a scan on them. The applications that you selected should be detected, and you can then decide whether to uninstall them, leave them blocked, or authorize them.
- Right-click the test group, or computers within the test group.
- Select 'Full system scan'.
A full system scan will run on the selected computers, and will detect any of the applications that you added to your policy.
- Check the results of the scan.
- Uninstall any controlled applications that you don't want (if you enabled on-access scanning, disable it to do this).
- Authorize any applications that should not have been selected.
- Run another scan to check your policy settings.
Deploy the policy to further groups when you are happy with the results of your test scans.
5. Deploying to your network
Deploy the application control policy across your network group by group. To make further policies, duplicate your original policy and edit it before assigning it to a group.
Run your new policies for a while, using on-demand scans to detect any new occurrences of your selected applications.
Once you are confident that it will not disrupt your network, enable on-access scanning.
- Open Enterprise Console.
- In the Policies pane, double-click 'Application Control'.
- Double-click your chosen policy. The 'Application Control policy' dialog box is displayed.
- In the 'Scanning' tab, select the 'Enable on-access scanning' check box.
- Click 'OK' to close the dialog box.
6. Monitoring updates to application control
New applications will be added to the list of those controlled by Sophos Anti-Virus every month. A knowledgebase article details these additions.
Related articles:
- Deciding whether to allow or block suspicious files
- Administrator's rollout guide for potentially unwanted application (PUA) protection
If you need more information or guidance, then please contact technical support.
- Article ID: 26066
- Created: 15 Jun 2007
- Last updated: 6 Oct 2008
