
Application control - poor decisions

Well I've not been back here for a while but it's time for another post and this time I'd like feedback from you guys about a decision Sophos has made regarding app control.

We use app control extensively and I block most things not related to our business by default (games, peer to peer etc). One notable change recently was for Sophos to now add a Firefox V7 and higher policy option. Now while I fully understand the reason for this because of the mindless version updates vomiting out of the Mozilla labs at the moment, I don't understand why they don't pick off the major version numbers and especially, the ability to block beta versions. I've about 20% of users at my organization that use Firefox and of those, about a third watch the Firefox website like hawks, always wanting the latest, greatest version even if it's not tested and released. Previously, by allowing specific versions and blocking everything else, I had the ability to lock down to only released versions and I also had the ability to lock out old defunct versions that were either too vulnerable or really not fit for purpose (v7 immediately springs to mind!). Now, my users are freely downloading v9 beta, installing it, using it and I have absolutely no control over that with Sophos because they've adopted a v7+ identity only. How bad is that!

I'd like to get some feedback on whether you feel this is the right approach or not. As administrators, we know that the FF version change every 30 days is a big problem, and I know there will be a few people out there that don't really care that users can get to higher versions, even untested betas and alphas, but I and many others do. How does the community feel about this approach?

Should we at the very least still continue to get individual version control? Should we have the v7+ AND the individual version control?

Matt



  • Hello Dan,

    thanks for the confirmation. Might nevertheless - if it ever happens - cause confusion (who reads announcements anyway ;)).

    @Matt: IIRC Firefox 5 could not be blocked for some time even after general release (with the installer being detected as belonging to FF4), so I wonder how you have been able to block pre-releases?

    Christian

  • Must admit, Christian, that the FF5 release came and went as a bit of a blur to me, but it was blockable fairly shortly after release from what I recall. At that point too, the automatic updates of FF5 weren't so aggressive (actually I can't recall if it had auto-update either).

    What I don't quite get here is the 'we can't' statements coming out of Sophos. Seriously! You can't detect a major version number in a product? As now, FF9 which isn't released is detected in the FF7+ identity so they do know about it and can distinguish it from other types of apps. Releasing an app control identity in the monthly releases should be enough for me to block it. That should have been done at the start of December. FF10 alpha code is available now (not sure if it's at build status yet) so work should be commencing on the FF10 detection (possibly already there in the FF7+ detection) so they should be looking at an app control release for FF10 in the January releases. As they do say, once the app-control release is made, keeping it up to date is easy and only takes minutes.

    Matt

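    A version-gating check of the kind Matt is asking for, written here as an added example that is not part of the thread or of Sophos' product. It assumes Mozilla-style version strings (7.0.1 for a release, 9.0b1 for a beta, 10.0a2 for an alpha) and that the installed version has already been read by the caller; it puts the coarse "v7 and higher" identity beside a policy that keys on major version and pre-release channel.

```python
import re
from dataclasses import dataclass

# Mozilla-style version string: dotted numbers, optional "a"/"b" channel
# marker with a build number (9.0b1 = beta 1, 10.0a2 = alpha 2).
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:([ab])(\d+)?)?$")


def parse_version(version: str):
    """Return (numeric tuple, channel) where channel is release/beta/alpha."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    channel = {None: "release", "b": "beta", "a": "alpha"}[m.group(2)]
    return nums, channel


def v7plus_identity(version: str) -> bool:
    """The coarse identity discussed in the thread: any major >= 7 matches,
    so a 9.0 beta is treated exactly like a tested 7.0.1 release."""
    return parse_version(version)[0][0] >= 7


@dataclass
class FirefoxPolicy:
    min_major: int            # oldest major still allowed (retire defunct ones)
    max_major: int            # newest major the admin has actually tested
    allow_prerelease: bool = False


def decide(policy: FirefoxPolicy, version: str):
    """Return ("allow"|"block", reason) for one installed version."""
    nums, channel = parse_version(version)
    major = nums[0]
    if channel != "release" and not policy.allow_prerelease:
        return "block", f"{channel} build, not a released version"
    if major < policy.min_major:
        return "block", f"major {major} retired (below {policy.min_major})"
    if major > policy.max_major:
        return "block", f"major {major} not yet tested (above {policy.max_major})"
    return "allow", f"major {major} within tested range"


if __name__ == "__main__":
    # Constructed sample of versions an admin might see reported from endpoints.
    policy = FirefoxPolicy(min_major=8, max_major=8)
    for v in ("7.0.1", "8.0.1", "9.0b1", "10.0a2"):
        print(v, "v7+:", v7plus_identity(v), "policy:", decide(policy, v))
```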
  • Now it's not just looking at the version string of firefox.exe as this mechanism would be too simple to defeat. In fact with a few exceptions (FF, IE, Adobe Reader, MS Office, Remote Desktop) the entries are version agnostic. You might call the design decision unfortunate but that's how it is at the moment - initially Application Control was intended to block certain classes of applications or to allow only a few specific ones for a given purpose (and probably there haven't been many requests for stricter version control). Thus adding another entry might involve more than just a few clicks and keystrokes.

    Guess Sophos is listening but you'd have to make your case for strict version control (there are IMO some applications I don't quite understand how they've made it on the list: GIMP - productivity? - or SAP CRM Mobile -??), describe the scenario, explain what it would gain or what risks or losses it could help to avoid and why you can't achieve this (easily) by other means. Needn't be a novel.

    Right now at least four components overlap here: Application Control, Data Control, NAC and SCF, and two more are to some extent involved: A-V (with PUA detection) and Patch Assessment (though it does not enforce a decision). Medium term I expect some convergence (and perhaps something like version/patch enforcement). OTOH mobile security and securing "the cloud" might have a higher priority.

    Christian

  • To be totally flexible, like Microsoft's Software Restriction Policy (http://technet.microsoft.com/en-us/library/bb457006.aspx#EKAA, http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx), it would be good if you could create your own custom categories in the app control policy and add your own entries using path rules/checksums/certificate to identify applications.

    Something similar could be used in Adware/PUA also. With the way it's going in terms of generic detections and a lot of the logic of whether something's good or bad resting on the admin's shoulders with a flag here and there from Sophos, the software may as well let the admin have control over the identities in effect. App control seems a good place to start.

    I may have an in-house application that the IT department have but I don't want Sales to install. This software will never be used by anyone else outside of my company; Sophos will never add it to a category in a million years. If I could create my own category, let's call it "bespoke software", via SEC I create a hash rule for this application, and I block it for the various SEC groups mentioned.

    This is the way to go in my opinion.

    Jak

  • Hi Jak,

    Thanks for your response. I refer you to my previous comment - "We (Sophos) plan to release a more customisable version of application control in a later release which would allow administrators to create their own identities."

    You're correct that it would not be realistic for Sophos to maintain identities for internal applications. Indeed, there will be many cases when our customers do not want to send samples of their own software to Sophos or any external third party.

    Dan
