
Application control - poor decisions

Well I've not been back here for a while but it's time for another post and this time I'd like feedback from you guys about a decision Sophos has made regarding app control.

We use app control extensively and I block most things not related to our business by default (games, peer to peer etc). One notable change recently was for Sophos to now add a Firefox V7 and higher policy option. Now while I fully understand the reason for this because of the mindless version updates vomiting out of the Mozilla labs at the moment, I don't understand why they don't pick off the major version numbers and especially, the ability to block beta versions. I've about 20% of users at my organization that use Firefox and of those, about a third watch the Firefox website like hawks, always wanting the latest, greatest version even if it's not tested and released. Previously, by allowing specific versions and blocking everything else, I had the ability to lock down to only released versions and I also had the ability to lock out old defunct versions that were either too vulnerable or really not fit for purpose (v7 immediately springs to mind!). Now, my users are freely downloading v9 beta, installing it, using it and I have absolutely no control over that with Sophos because they've adopted a v7+ identity only. How bad is that!

I'd like to get some feedback on whether you feel this is the right approach or not. As administrators, we know that the FF version changing every 30 days is a big problem, and I know there will be a few people out there that don't really care that users can get to higher versions, even untested betas and alphas, but I and many others do. How does the community feel about this approach?

Should we at the very least still continue to get individual version control? Should we have the v7+ AND the individual version control?

Matt



  • Christian,

    Generally, Sophos released the major version detections in the monthly app releases while the products were in beta. And, e.g. v9 has now been in beta since 9th Nov (alpha since mid October) so, plenty of time to produce a v9 identity before release.

    The issue as I see it is that Sophos don't want the support calls from people saying that Firefox has been blocked because someone updated from vX to vY through auto-update, so they have produced an identity that they keep updated with a vA-vZ generalisation. That's great for people that just want users to update whenever. Unfortunately, this has now stopped the individual version releases, which means that previously I had the ability to block while it was in the early stages of beta (usually around beta 1 or 2) because they pre-released appropriate detection and then subsequently kept it up to date. Now, even though v9 beta has been around long enough for a general release of detection, it's not being released because it falls into this catch-all v7+ identity only and yes, all the betas are detected by the v7+ identity, even, I believe, the v9b5 which was released just 2 days ago.

    I hear what Dan's saying that it's not possible in the current system to release a v0-99 and a V7 detection and have people allow V0-99 and deny V7, I understand that (though it should be easy enough to build in for the future, so they should consider this). But they should continue to release the major version identities regardless - I'm sure there would be fewer problems dealing with the administrators not understanding that the generalisation v0-99 detection overrides the individual version identities than with those like me who just want to block specific versions, i.e. retain control over what exactly is running on my network.

    Matt

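As an added illustration of the precedence Matt is asking for (example code written for this thread, not Sophos product logic; the identity names, the rule fields and the sample policy are assumptions): a most-specific-wins evaluator in which a single-major-version identity or a beta-only identity overrides a vendor catch-all v7+ identity, so "allow v7+ but deny v9 and deny every beta" can be expressed in one policy.

```python
import re
from dataclasses import dataclass

# Firefox version strings look like "8.0", "9.0b5" (beta 5) or "10.0a2" (alpha 2).
VERSION_RE = re.compile(r"^(\d+)(?:\.\d+)*([ab]\d+)?$")

@dataclass(frozen=True)
class Version:
    major: int
    prerelease: str  # "" for a release build, "b5" for beta 5, "a2" for alpha 2

def parse_version(text):
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    return Version(int(m.group(1)), m.group(2) or "")

@dataclass(frozen=True)
class Rule:
    name: str
    lo: int              # inclusive range of major versions the identity covers
    hi: int
    allow: bool
    builds: str = "any"  # "any", "release" (no beta/alpha) or "prerelease" (beta/alpha only)

    def matches(self, v):
        if not (self.lo <= v.major <= self.hi):
            return False
        if self.builds == "release":
            return not v.prerelease
        if self.builds == "prerelease":
            return bool(v.prerelease)
        return True

    def specificity(self):
        # Lower sorts first: a build-type restriction beats none, then a narrower
        # major-version range, then block beats allow when otherwise equal.
        return (self.builds == "any", self.hi - self.lo, self.allow)

def decide(rules, version_text, default_allow=False):
    """Return (allowed, rule_name) for the most specific rule matching the version."""
    v = parse_version(version_text)
    hits = [r for r in rules if r.matches(v)]
    if not hits:
        return default_allow, None  # nothing matched: fall back to the policy default
    best = min(hits, key=Rule.specificity)
    return best.allow, best.name

# Constructed policy mirroring the thread: vendor catch-all v7+, a block on the
# defunct v7, a block on v9 (still in beta) and a block on every beta/alpha build.
POLICY = [
    Rule("Firefox 7+", 7, 99, allow=True),
    Rule("Firefox 7", 7, 7, allow=False),
    Rule("Firefox 9", 9, 9, allow=False),
    Rule("Firefox pre-release", 0, 99, allow=False, builds="prerelease"),
]
```

With the default left at deny, anything the catch-all does not cover (v6 and below) stays blocked, which is the "allow specific versions and block everything else" posture from the opening post.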