Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 1 subscriber
  • Views 8041 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Application Control Issue

aaron9615

I finally sat down and setup application control, way cool program :) My issue is after I clear out the software that is being flagged the PC is still denoted in the Computers over event threshold under Application Control. I have tried rescanning the PC, but nothing changes. Any ideas?

:51934


This thread was automatically locked due to age.
  • 0

    Hello,

    If you are referring to the 4 entries in the center of the Dashboard, these are on a rolling 7 day window, they will go up and down over time.  If you click on the hyperlinks it will take you to the filters that represents them, the name of the filter will confirm this timeframe.  

    Regards,

    Jak

    :51940
  • 0

    Hello aaron9615,

    Application Control events will not be cleared by a "negative" scan result, nor can you acknowledge them (like Alerts or Errors). As Jak has said, they will eventually roll out of the window. Thus you can't use the console/dashboard to detect new or recurrent use of controlled applications (though a custom Report, which can be scheduled, will give you this information).

    Christian 

    :51968
  • 0

    I found the best way to deal with AppControl detections is by e-mail notification and kind of ignoring it in the Sophos Console. Once you receive an e-mail notification from a given endpoint the offending application should be removed/uninstalled and then you will not receive e-mails from that endpoint anymore. This system worked great over the years, but beware you will get flooded with e-mails in the beginning depending on how well your ecosystem is protected from end-users installing stuff. I had to setup a huge list of e-mail filters to deal with it. Works great though.

    :52036
  • 0

    Thank you all for your replies, they were most helpful!

    :52180