Sophos App Control – A response from Sophos…

August 18, 2008

Well, credit where it’s due – Sophos have responded to my post on the (apparent lack of robustness in) Endpoint Application Control. It would appear that this is no longer an issue in the latest release of Sophos Endpoint.

“I look after application control functionality within Sophos. Following your blog post, I asked our labs to have another look at the detection for spider.exe (MS Spider Solitaire) and it appears to cope okay with a simple renaming of the file i.e. the file will still be blocked if it is renamed. Can you provide more detail on the steps used to circumnavigate the blocking policy? I can get our Labs team to have another look at the problem.

As you’d expect the Sophos application control capability is designed to handle simple file renaming. We use a mixture of file attributes such as file size, API references and version information checks to ensure the detection is robust.”

I will contact Sophos in the near future and discuss this further – for now it would appear that the issue has been resolved in the latest release. It would seem that renaming the application(s) only works on the previous version/s of Sophos (7 and earlier).
