Application Control Policy

Application control lets you detect and block applications that are not a security threat, but that you decide are unsuitable for use in the office.

Go to My Products > Endpoint > Policies to control applications.

To set up a policy, do as follows:

  • Create an Application Control policy. See Create or Edit a Policy.
  • Open the policy's Settings tab and configure the policy as described below. Make sure the policy is turned on.

We recommend that you detect the applications being used on your network and then decide which to block, as follows.

  1. In the Controlled Applications list, click Add/Edit List. This opens a dialog where you can see the categories of applications that you can control. Sophos supplies and updates the list.
  2. Click an application category, for example Browser plug-in. A full list of the applications in that category is displayed in the right-hand table.
  3. We recommend that you select the option Select all applications. You'll refine your selection later.
  4. Click Save to List and repeat for each category you want to control.


    If you want to control an application that isn't in the list supplied by Sophos, you can ask to have it added. Click the Application Control Request link at the bottom of the Settings tab.

  5. In Detection Options:

    1. Select Detect controlled applications during scheduled and on-demand scans.
    2. Do not select any other options for now.


    Application control uses the scheduled scans and the scanning options (which file types are scanned) that you set in Threat Protection settings.

  6. Allow time for all your computers to run a scheduled scan.

  7. Go to the Reports > Logs > Events page.
  8. In the list of event types, clear all the checkboxes except Application Control. Detected applications are now shown in the list of events. Make a note of any you want to continue using.
  9. Return to your policy page.
  10. In the Controlled Applications list, click Add/Edit List again. Then do as follows:

    1. Find the applications you want to use and clear the checkbox next to them. All other applications in the list are now controlled applications.
    2. Select New applications added to this category by Sophos (optional). Any new applications that Sophos adds to this category later will automatically be added to your controlled list. Newer versions of applications already in your list will also be added.


      Only select this if you're sure you want to control applications in this category from now on.

    3. Click Save to List.

  11. In Detection Options:

    1. Turn on Detect controlled applications when users access them.

    2. Select Block the detected application.

      The controlled applications in your list are now blocked. If you chose to control any new applications added by Sophos, those new applications will now be blocked too.


      When you turn on blocking, we won't log users trying to access controlled applications. Logging is only available with Allow the detected application, which is for monitoring purposes only.

  12. In Desktop Messaging, you can add a message to the standard notification. If you leave the message box empty, only the standard message is shown.

    Desktop messaging is on by default.


    If you switch off desktop messaging, you will not see any notification messages related to Application Control.

    1. Click in the message box and enter the text you want to add.

For more information about Application Control and the latest applications we add to the Controlled Application list, see Application Control.