
Application Control Logs

Hi all,


We are using Sophos Enterprise Console v5.5.0 to centrally manage\configure our Sophos Endpoint Security and Control solution.

I came across a Sophos article (dated Jan. 2019 - link below) which advised, among other things, blocking PowerShell by default using Application Control within Enterprise Console.

https://nakedsecurity.sophos.com/2019/01/25/fighting-emotet-lessons-from-the-front-line/

I implemented the recommendation on most of our users and to my mild surprise found that Application Control had blocked PowerShell on a few PCs.

I'm trying to discern if this activity was legitimate, but cannot locate a relevant log file (on the client-side or server-side) which may assist in this task.

Could someone please point me in the direction of any log file which may help?


Many thanks for your assistance in this matter.


John P



  • Hi  

    If a controlled application has been detected on the network, the event is generated in application control event logs which can be viewed from the Sophos Enterprise console. You can also set up alerts to be sent to your chosen recipients when an application control event has occurred. Let me know if this helps. 

  • Hi Shweta,


    Thank you for your prompt reply.

    I have seen the entries in the Application Control Event Logs as described by you. However, I am trying to dig a bit deeper and see if I can determine what actually triggered the launch of the PowerShell application on the client PC in the first place.

    I was hoping that a raw log file would exist (on the client or server hosting Enterprise Console) which gave me a bit more information.

    Any further information would be much appreciated.


    John P

  • Hi John, 

    For Endpoint Security and Control clients managed by Enterprise Console, there may be more detail for Application Control detections in the SAV.txt logs (Anti-virus logs). 


    On a client machine SAV.txt can be found in the following folder: C:\ProgramData\Sophos\Sophos Anti-Virus\logs


    Please let us know if you have any further questions. 


    Regards, 
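An added example, not from this thread or from Sophos, showing one way to answer the original question (which process launched PowerShell on the client) from the Windows side rather than from SAV.txt: take the detection time shown in the Enterprise Console event log and list the Security log's process-creation events (Event ID 4688) around it, with the parent process of each. It assumes "Audit Process Creation" is enabled by policy on the client, and that the client runs Windows 10 / Server 2016 or later so the event carries the creator process name; the `$DetectionTime` value is a placeholder to replace with the time from the console.

```powershell
# Added example (not Sophos code). Run in an elevated PowerShell session on the
# client where Application Control reported the block.
param(
    # Placeholder: copy the detection time from the Enterprise Console event log.
    [datetime]$DetectionTime = (Get-Date).AddHours(-1),
    [int]$WindowMinutes = 5
)

$filter = @{
    LogName   = 'Security'
    Id        = 4688                                   # "A new process has been created"
    StartTime = $DetectionTime.AddMinutes(-$WindowMinutes)
    EndTime   = $DetectionTime.AddMinutes($WindowMinutes)
}

# Reading the event XML gives named fields reliably across OS builds.
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        NewProcess  = $data['NewProcessName']
        Parent      = $data['ParentProcessName']        # empty on pre-Windows 10 builds
        User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        CommandLine = $data['CommandLine']              # needs "Include command line" policy
    }
}

# Show PowerShell launches first (and what started them), then everything else
# in the window, so a scheduled task, script host or Office process stands out.
$ps = $events | Where-Object { $_.NewProcess -match '\\powershell(_ise)?\.exe$' }
"--- powershell.exe creations in window ---"
$ps | Sort-Object Time | Format-Table Time, Parent, User, CommandLine -AutoSize
"--- all process creations in window ---"
$events | Sort-Object Time | Format-Table Time, NewProcess, Parent, User -AutoSize
```

Whether the blocked launch itself appears as a 4688 event depends on where Application Control stops it, so the second listing (every process created in the window) is the part to read if the first is empty.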
