Frequently asked questions about Application Control

  • Article ID: 63656
  • Updated: 12 Feb 2016

Application Control enables network administrators to block certain legitimate applications from running on work computers.

Typically, you would use Application Control to prevent users from running applications that are not a security threat, but that you decide are unsuitable for use in your workplace environment, e.g., games or instant messaging programs.

In accordance with your company policy on Application Control, you can authorize required applications, and block those which are not required - all from the central console.

This article answers some of the more common questions about Application Control.

Applies to the following Sophos product(s) and version(s)
Sophos Anti-Virus for Windows 2000+
Enterprise Console

How do I block an application?

All blocking and authorizing of programs is done in the Enterprise Console.  Watch the video below to see how it works.

What sorts of Applications can be controlled?


Are there any applications that are blocked by default?

No.  Sophos will not create a default list of blocked applications since there are many legitimate uses for applications that some companies may need. Furthermore, we cannot advise you about which applications to block: the control of applications should form part of your IT policy.


How do I block applications not listed in the console policy?

If you want to add an application that is not listed in the policy section, you must request that SophosLabs add the application.


Why is an application no longer blocked after it upgrades?

Sophos application control detections are created with future versions of the application in mind. The majority of applications will still be blocked after an upgrade. On some occasions, after a major upgrade, they may not be blocked. In these circumstances we advise using the Application Control Request form to provide a sample of the upgraded application.


What is the release schedule for adding new applications to the policy list?

We provide notification of new additions to application control approximately 1-2 weeks ahead of release. We also confirm release once completed.

The current Application Control release schedule is posted on the Sophos Community.


How are blocked applications detected?

Detection can be either via on-access scanning or on-demand (scheduled) scanning.  The console policy also allows you to configure the on-access scanner to detect but allow the application while you build up an idea of what effect blocking applications will have on your users.


How do I unblock a previously blocked application?

See article 26095 for details.


What versions of Sophos Anti-Virus support the controlling of applications?

All currently supported versions of Sophos Anti-Virus for Windows allow applications that appear on the SophosLabs list to be controlled.


Will Application Control automatically remove applications?

When Sophos Anti-Virus with Application Control detects a listed application, it allows you either to authorize or to block that application. You cannot use Sophos Anti-Virus to remove the application.

To remove an application, you must temporarily disable on-access scanning for applications, then uninstall it in the standard way, using either the uninstaller provided or Add/Remove Programs in the Windows Control Panel.


I'm looking at the list of applications listed in the console's policy and it doesn't match the SophosLabs list.

The list should synchronize automatically when new anti-virus packages download. If the list does not appear to be in sync, see article 114395 to refresh the list.


Do you have any tips for implementing an Application Control policy on my network?

The Policy Setup Guide is an excellent resource for planning and rolling out your policies. Aside from that we can offer a few tips:

  • When you enable scheduled scanning for applications in the Application Control policy, you also have to set up an Anti-Virus and HIPS policy that includes a scheduled scan. You then have to apply both of these policies to the groups of computers that you would like to scan.
  • Similarly, when you enable on-access scanning for applications in the Application Control policy, you must also apply an Anti-Virus and HIPS policy that has on-access scanning enabled to the same group of computers.
  • The Application Control policy can be configured so that the on-access scanner only reports to the console those applications that have been opened and that you are considering blocking. Selecting the 'Detect but allow to run' option will therefore help you build up a picture of what effect a fully enabled application control policy will have on your users.
  • Before deploying a new Application Control policy, explain to your users which applications will be controlled. This may help to reduce the initial impact on your company's IT support resources, when users find some applications are no longer available.
  • Different groups of users will need different policies. For example, staff who use the telephone a lot may need an instant messaging program, while other staff will not. Take this into account when planning your policies.
  • Deploy the application control policy across your network group by group. To make further policies, duplicate your original policy and edit it before assigning it to a group.


Can I check the Application Control policy on the endpoint computer, for example to see which applications are blocked?

The only place where you can customize or change which applications are blocked and which are unblocked is the central console, under the 'Application control' policy section. Locally on an endpoint computer you can only switch the feature off or on, and you must be a 'Sophos Administrator' to do this. You cannot customize the policy or allow an application locally, because the policy is set by your IT administrator.

If you need to check which applications are blocked for a particular endpoint computer, you should go to the Enterprise Console and review the policy. If this cannot be done, you can open the machine.xml file in a text editor on the endpoint and search for either an application name which you believe is being blocked by Application Control or the phrase 'blockedAppCList' to find the beginning of the list of blocked applications as received from the central console.
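
The machine.xml search described above can also be scripted. The following PowerShell is an added example, not Sophos code: the function name Find-BlockedAppEntry, the sample file and the application name ExampleMessenger are hypothetical, and the file is treated as plain text because the article does not describe its layout or location.

```powershell
function Find-BlockedAppEntry {
    param(
        # Path to machine.xml on the endpoint (not given in the article).
        [Parameter(Mandatory = $true)] [string] $Path,
        # Application name you believe is being blocked (optional).
        [string] $AppName,
        # Maximum number of characters of each matching line to return.
        [int] $Width = 120
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "File not found: $Path"
    }
    # Case-insensitive literal search for the marker the article names.
    $marker = Select-String -LiteralPath $Path -Pattern 'blockedAppCList' -SimpleMatch |
        Select-Object -First 1
    if (-not $marker) {
        Write-Warning "'blockedAppCList' does not appear in $Path"
        return
    }
    $terms = @('blockedAppCList')
    if ($AppName) { $terms += $AppName }
    foreach ($term in $terms) {
        # Ignore matches on lines before the marker: they precede the blocked list.
        Select-String -LiteralPath $Path -Pattern $term -SimpleMatch |
            Where-Object { $_.LineNumber -ge $marker.LineNumber } |
            ForEach-Object {
                # Return a window around the match so very long lines stay readable.
                $i = $_.Line.IndexOf($term, [StringComparison]::OrdinalIgnoreCase)
                $start = [Math]::Max(0, $i - 40)
                $len = [Math]::Min($Width, $_.Line.Length - $start)
                [pscustomobject]@{
                    Term       = $term
                    LineNumber = $_.LineNumber
                    Text       = $_.Line.Substring($start, $len).Trim()
                }
            }
    }
}

# Constructed stand-in text, not the real machine.xml layout; only the marker string is from the article.
$sample = Join-Path $env:TEMP 'machine-sample.xml'
Set-Content -LiteralPath $sample -Value @(
    '<constructed>',
    '  <note>ExampleMessenger mentioned before the list</note>',
    '  <blockedAppCList>',
    '    <app>ExampleMessenger</app>',
    '  </blockedAppCList>',
    '</constructed>')
Find-BlockedAppEntry -Path $sample -AppName 'ExampleMessenger'
```

A name match after the marker is a lead to confirm against the policy in the Enterprise Console, which remains the only place the policy can be changed.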

If you need more information or guidance, then please contact technical support.
