Sophos Application Control, or not…

August 12, 2008

Before I forget, I was on a Sophos Training course the other week. The usual fare, although props to the chap who hosted it – managed to make what is essentially pretty dull stuff into a fairly entertaining couple of days. 

Anyway, the point is, having looked at the new Sophos Endpoint suite, extolled the virtues of NAC and so on, we moved on and did a couple of labs around the (sorry if I forget the exact terminology, I am slightly rushed here) Application Control feature – where Sophos can apparently prevent users executing specified applications on the local workstation. Sounds great; the thing is, I decided to RENAME the app we tested (Spider.exe), fully expecting it to make no difference (c’mon, surely this kind of thing would use a hash/checksum mechanism) but NO. That’s right, if you simply RENAME the restricted application it runs fine, unfettered by Sophos…

Foursys (the Sophos partner providing the training/promo course) assure me this will be rectified in the near future, once they have relayed this information back to Sophos. I get the feeling this feature was somewhat rushed out. At least I hope that’s the excuse/reason for this incredibly weak method!

  1. Hi,

    I look after application control functionality within Sophos. Following your blog post, I asked our labs to have another look at the detection for spider.exe (MS Spider Solitaire) and it appears to cope okay with a simple renaming of the file, i.e. the file will still be blocked if it is renamed. Can you provide more detail on the steps used to circumnavigate the blocking policy? I can get our Labs team to have another look at the problem.

    As you’d expect, the Sophos application control capability is designed to handle simple file renaming. We use a mixture of file attributes such as file size, API references and version information checks to ensure the detection is robust.

    – John Stringer
    – Sophos Product Management
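
The contrast at the heart of the post and the reply above (a rule keyed on the file name, which a rename defeats, versus one keyed on what the file contains, which it does not) as an added example; this is not Sophos code and does not reproduce their detection, and the "spider.exe" bytes are constructed stand-in content, not the real binary:

```python
import hashlib
import os
import tempfile

# Constructed sample standing in for Spider.exe; the bytes are made up, since
# only the content is fingerprinted, not the name.
FAKE_SPIDER_BYTES = b"MZ\x90\x00" + b"this stands in for spider.exe" * 8

def fingerprint(path):
    """Identify a file by what it contains (hash and size), not what it is called."""
    h = hashlib.sha256()
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
            size += len(chunk)
    return {"sha256": h.hexdigest(), "size": size}

def name_rule_blocks(path, blocked_names):
    """Weak policy: matches on the base name only (the behaviour the post observed)."""
    return os.path.basename(path).lower() in blocked_names

def content_rule_blocks(path, blocked_fingerprints):
    """Robust policy: matches on hash and size, so a rename changes nothing."""
    fp = fingerprint(path)
    return any(fp["sha256"] == b["sha256"] and fp["size"] == b["size"]
               for b in blocked_fingerprints)

def rename_bypass_demo():
    """Write the sample as spider.exe, apply both rules, rename it, apply again.
    Returns (name_rule_before, name_rule_after, content_rule_before, content_rule_after)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "spider.exe")
        with open(original, "wb") as f:
            f.write(FAKE_SPIDER_BYTES)
        blocked_names = {"spider.exe"}
        blocked_fps = [fingerprint(original)]  # policy built from the known binary
        before = (name_rule_blocks(original, blocked_names),
                  content_rule_blocks(original, blocked_fps))
        renamed = os.path.join(d, "notes.exe")  # the rename from the post
        os.rename(original, renamed)
        after = (name_rule_blocks(renamed, blocked_names),
                 content_rule_blocks(renamed, blocked_fps))
    return before[0], after[0], before[1], after[1]

if __name__ == "__main__":
    print(rename_bypass_demo())  # (True, False, True, True)
```

A real product would add further attributes (the reply mentions version information and API references) so that trivial content changes are also caught; the hash-and-size pair here is the minimum that survives a rename.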

