
Application control - poor decisions

Well I've not been back here for a while but it's time for another post and this time I'd like feedback from you guys about a decision Sophos has made regarding app control.

We use app control extensively and I block most things not related to our business by default (games, peer to peer etc). One notable change recently was for Sophos to now add a Firefox V7 and higher policy option. Now while I fully understand the reason for this because of the mindless version updates vomiting out of the Mozilla labs at the moment, I don't understand why they don't pick off the major version numbers and especially, the ability to block beta versions. I've about 20% of users at my organization that use Firefox and of those, about a third watch the Firefox website like hawks always wanting the latest, greatest version even if it's not tested and released. Previously, by allowing specific versions and blocking everything else, I had the ability to lock down to only released versions and I also had the ability to lock out old defunct versions that were either too vulnerable or really not fit for purpose (v7 immediately springs to mind!). Now, my users are freely downloading v9 beta, installing it, using it and I have absolutely no control over that with Sophos because they've adopted a v7+ identity only. How bad is that!

I'd like to get some feedback on whether you feel this is the right approach or not. As administrators, we know that the FF version change every 30 days is a big problem and I know there will be a few people out there that don't really care that users can get to higher versions even untested betas and alphas but I and many others do. How does the community feel about this approach?

Should we at the very least still continue to get individual version control? Should we have the v7+ AND the individual version control?

Matt

  • Hello Matt,

    I had initially the same thoughts as you when I first saw this V7+ entity. In fact it has not changed as much as it might seem. The same problem existed when version numbering was different. You could neither force nor block a specific release (say 3.6.11), some of them definitely not better than some recent "versions".

    Guess what is needed is checksumming like SCF does (and there's still the plethora of add-ons where you have almost no control at all).

    Christian

  • Hello Matt,

    Firstly, can I confirm that you have applied the FF V7+ identity and set it to block, yet your users can still run the V9 beta? If that is the case, then Sophos Labs can rapidly update the identity to cover this. The quickest thing to do is to send a sample.

    With regard to your question - "Should we have the v7+ AND the individual version control?" I agree that there would be value in this and that you could either select all versions above version 7 or select individual versions. Unfortunately, this is not technically possible with the current implementation of Application Control.

    The way that Application Control works is that an identity will be triggered whether an action is assigned to it or not. So, for example, Firefox 8 runs, it is scanned against the V7+ identity and it returns that the identity is triggered. At this point, no more identities will be scanned. This means that if there was a Firefox 8 only identity, it would not be triggered. If you have V7+ set to allow and V8 set to block, you would not see the correct behaviour. For this reason, we can only have one identity which encompasses all options. Hopefully that makes sense. It's something that could be improved upon in a later release.

    Thanks,

    Dan Kirtley

    Product Manager, Application Control

  • Hi Dan,

    Hmm. Yes, we currently allow FF7+ because we have users that want to use FF8 so don't follow your experiment. I'm sure that if I set it to block FF7+, it would block the beta of 9 too but I have no granular control over stopping anything 7 or higher, only the option to allow all version 7+ including the 9 beta or block all.

    I understand your FF7+ + individual versions reasons, this was not something I want, I was just explaining that if people like the current choice then let them stick with it with a FF7+ identity. Others who want to maintain sanity on their networks need the individual control or at the very least, the ability to cap off the version allowed not make it 'and anything higher' including betas.

    I've put in a request for individual versions but tech support say this takes too long and is too much work given that FF will replace every 30 days or so. Really, that's not good enough, you have now explicitly allowed betas and, worse, alphas to become acceptable. Why does it take minutes to produce a virus identity and days/weeks to produce an application identity? Surely it's the same process. Not only that, you actually state below that you can 'rapidly update the identity'.

    Matt

  • Hi Matt,

    Yes - we can rapidly update an identity once it is in place. The part which is slow is to create the identity and push it down to the Enterprise Console. This happens on a monthly basis but the data is finalised way before the release. With FF7+ as an identity we can update any new versions when they are released and for the most part, the detections are generic enough so that we don't even need to see the application before it is detected. If we did not have this identity and remained on FF7, FF8, FF9 etc. we would have to wait for a window to push out the new identity every time Mozilla release a new version.

    Thanks,

    Dan

  • Hi Dan,

    You're missing the point though. By only creating a single identity, you've killed the effectiveness of the system. I had control over versions previously and now I don't. I had the ability to say that users could ONLY run the approved versions; this prevented them from downloading and installing anything not approved. Now, they are free to fetch any version 7+ and higher including betas, alphas, unreleased submissions to the project etc. and run without any argument from Sophos. That's the killer! I'm quite happy if you create an 'unknown' versions (i.e. versions not yet released) identity for those that want to give users this ability and you can update that as rapidly as you like once released (including removing FF versions from this identity when released) but give me back the individual versions - even if it does take a month to release - I'm sure you could produce one NOW for v.9 (the project's been running several weeks already) and release in the next apps update. Similarly, there's nothing stopping you from producing a v7 and v8 identity and releasing so I can kill off v7, allow v8 and be prepared for v9 once it's stable and released - looks like v9.01 might be stable enough. 9.0beta looks like it's a dog.

    Matt

  • Hello Matt and Dan (and all other potential listeners),

    If I understand correctly the arduous part is creating an entry in the first place. In terms of detection it is a stub where detection identities can be plugged in (and I assume these can be distributed with the usual threat detection data updates); the required management data for adding an entry can only get distributed with a "monthly" update though.
    @Matt: I'm repeating myself - the former entries did not enable you to enforce something like "at least 3.16" or "at most 4.3" and major version changes ran "undetected". You were also not able to block any FF5 builds including the first general releases because AppCtrl did not know FF5 and there is no "catch all Firefox". Thus the V7+ entry is not a step backwards, it just makes the deficits which "always" existed more obvious.
    @Dan: I assume it is possible to create - at a later time - a, say, V7-9 and a V10+ entry. If in fact it is intended to "close" V7+ then the + is not the ideal name. And any line drawn (or versions bundled) will probably lead to discussions ("it should be V7-11 not V7-12").

    Christian
  • Hi Matt and Christian,

    Christian - you are correct in your understanding and your explanations. Matt, I understand your request to have V7, V8, V9 etc. and a V7+ identity but it is technically impossible with the current implementation. We (Sophos) plan to release a more customisable version of application control in a later release which would allow administrators to create their own identities.

    Christian - "If in fact it is intended to "close" V7+ then the + is not the ideal name" - Sorry, could you explain what you mean by this?

    Thanks,

    Dan

  • Hello Dan,

    Depending on the availability of a new implementation and the progress of Firefox, a certain FF version might warrant a new entity to be created - for example if V12 is fundamentally different from the current branch. V7+ is not assumed to cover "all future versions", so what if a new Firefox arrives before Sophos' new implementation?

    Christian
  • Christian,

    Generally, Sophos released the major version detections in the monthly app releases while the products were in beta. And, e.g. v9 has now been in beta since 9th Nov (alpha since mid October) so, plenty of time to produce a v9 identity before release.

    The issue as I see it is that Sophos don't want the support calls from people saying that Firefox has been blocked because someone updated from vX to vY through auto-update, so they have produced an identity that they keep updated with a vA-vZ generalisation. That's great for people that just want users to update whenever. Unfortunately, this has now stopped the individual version releases, which means that previously I had the ability to block while it was in the early stages of beta (usually around beta 1 or 2) because they pre-released appropriate detection and then subsequently kept it up to date. Now, even though v9 beta has been around long enough for a general release of detection, it's not being released because it falls into this catch-all v7+ identity only and yes, all the betas are detected by the v7+ identity, even, I believe, the v9b5 which was released just 2 days ago.

    I hear what Dan's saying that it's not possible in the current system to release a v0-99 and a V7 detection and have people allow V0-99 and deny V7, I understand that (though it should be easy enough to build in for the future so they should consider this). But, they should continue to release the major version identities regardless - I'm sure there would be less problem dealing with the administrators not understanding that the generalisation v0-99 detection overrides the individual version identities than from those like me who just want to block specific versions i.e. retain control over what exactly is running on my network.

    Matt

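To make the matching behaviour Dan describes (first identity that triggers decides, nothing else is scanned) and the precedence Matt asks for concrete, here is a small constructed model of the policy evaluation. It is an added illustration, not Sophos code or any real identity format; the `Identity` class, the major-version predicates, the simplified `(major, minor)` version tuples and the `deny_overrides` rule are all assumptions made for the example.

```python
# Constructed model of how identity matching decides an action; not Sophos
# code. Versions are simplified to (major, minor) tuples for the example.
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Version = Tuple[int, int]


@dataclass
class Identity:
    name: str
    matches: Callable[[Version], bool]  # the identity's detection predicate
    action: str                         # "allow" or "block"


def major_at_least(n: int) -> Callable[[Version], bool]:
    return lambda v: v[0] >= n


def major_is(n: int) -> Callable[[Version], bool]:
    return lambda v: v[0] == n


# Constructed policy: the broad V7+ identity set to allow alongside a narrower
# V8 identity set to block, the combination the thread says cannot work today.
POLICY: List[Identity] = [
    Identity("Firefox 7+", major_at_least(7), "allow"),
    Identity("Firefox 8", major_is(8), "block"),
]


def first_match(identities: List[Identity], v: Version) -> Tuple[Optional[str], str]:
    """Current behaviour as described in the thread: the first identity that
    triggers decides the action, and no further identities are scanned."""
    for ident in identities:
        if ident.matches(v):
            return ident.name, ident.action
    return None, "not-controlled"


def deny_overrides(identities: List[Identity], v: Version) -> Tuple[Optional[str], str]:
    """Hypothetical alternative (not a Sophos feature): scan every identity and
    let any matching block take precedence over a broader allow."""
    hits = [i for i in identities if i.matches(v)]
    if not hits:
        return None, "not-controlled"
    blocks = [i for i in hits if i.action == "block"]
    chosen = blocks[0] if blocks else hits[0]
    return chosen.name, chosen.action
```

Under `first_match`, Firefox 8.0 is allowed by the V7+ identity and the V8 block never runs; under `deny_overrides` the same policy blocks 8.0 while still allowing 9.0.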
  • Hi Christian,

    There are options available to us. The identities which the labs create are flexible enough so that they can be updated for any change to the application. If there was a perceived need to create a new FF12 identity (for example) then we could change the name of the FF7+ identity to FF7-11. Of course, we can cross that bridge when we come to it.

    Thanks,

    Dan
