In this section

• Home
• Support
• Knowledgebase
• Articles

Online support

• Knowledgebase
• Virus disinfection

Product maintenance

• Downloads and updates
• Documentation
• Software lifecycle

Contact support

• Talk to an expert
• Send a sample
• Email us

Support services

• Overview
• Technical Support
• Professional Services
• Technical Training

Sophos Client Firewall: security implications of configuring applications

The Applications tabbed page in the Sophos Client firewall configuration program, Sophos Client Firewall Configuration Editor, allows you to edit the configuration for applications.

The following basic Windows networking applications are given access to the network through the Sophos Client Firewall by default:

• alg.exe
• lsass.exe
• services.exe
• svchost.exe
• userinit.exe
• winlogon.exe

A knowledgebase article lists the default settings for these applications.

Applications tabbed page

In the Applications tabbed page, you can specify a particular application, and then say whether you want to trust it, block it, or a create a new custom rule for it.

It is easiest to set up a basic configuration for a new application on a sample computer in interactive mode. You can then customize rules and other settings manually.

Note: When you first select an application in non-interactive mode, by default it is trusted.

Checking settings for an application

Once you have allowed access for an application in the firewall either interactively, or non-interactively, you should check the settings for that application.

1. Checksums

Select the 'Checksums' tabbed page, and ensure that the application is listed there. If it is not, and should be, check your settings in the 'General' tabbed page.

2. Using presets

The Sophos Client Firewall can use presets for known product types, e.g. browsers, email and instant messaging clients. To view the available presets, select the dropdown arrow by the 'Custom' icon.

The presets you can select from are:

• Browser
  Web browsers, for example Internet Explorer.
• Database client
  Web database administration client, for example SQL Server Web Data Administrator.
• Email client
  Email programs, for example Outlook.
  If you need only one of POP or IMAP, you can use a rule to disable the other.
• FTP client
  File Transfer Protocol (FTP) client, for example WS FTP or CuteFTP.
• IM client
  Instant messaging programs, for example MSN Messenger or Skype.
  You can use a rule to specify ports, etc.
• Network client
  Network clients such as the Novell Client. The Microsoft networking client is allowed by default.
• Remote access client
  Remote access software such as Virtual Private Network (VPN) clients.
• Time synchroniser
  Synchtime, atom clock, programs using NTP (network time protocol).

Note: Any outstanding Sophos Client Firewall alerts about a previously untrusted application on the local computer will not go away automatically when that application is added to the configuration dialog as trusted. You will have to clear such alerts manually from the Log tabbed page. Once those alerts have been cleared, no more will be generated.

How the firewall handles application access

When an application requests access to the network or internet, the firewall checks this request in three stages:

1. Checksum list
2. Application list
3. Global rules.

1. Checksum list

The first check ascertains if the application requesting access to the network has a checksum (MD5 hash) matching one in the list.

• If the checksum is not in the list, the application is blocked.
• If the checksum is in the list, the application name is checked.

Note: If checksums are turned off, this step is missed out.

2. Application list

The next check ascertains if the application has a rule set up for it. This will be listed under the application name in the Application tabbed page.

• If there is a rule set for the application, then it will be used in preference to the global rules.
• If there is no rule set for that application, the global rules are used to define how it can act within the network.

3. Global rules

The global rules list is checked last. As these are usually the rules that will be used for anything that lacks specific rules, but needs limitations on network access, these rules should lock down the system the most severely.

Other Sophos Client Firewall pages

Further knowledgebase articles describe the security implications of changing other options:

• General, LAN and Logs
• Global Rules
• ICMP
• Processes

If you need more information or guidance, then please contact technical support.

• Article ID: 14199
• Created: 16 Dec 2005
• Last updated: 6 Oct 2008

Rate this article Choose a rating Very useful Quite useful Moderately useful Not very useful Not useful at all

•  Read our search tips
• Contact one of our experts
• Suggest an improvement