Sophos Central Application Control Policy does not verify user
Quote from mpachmann on 5 May 2025, 17:41 https://community.sophos.com/intercept-x-endpoint/f/discussions/145784/sophos-central-application-control-policy-does-not-verify-user
Here are the results of testing:
- Logged onto Windows as a standard user, idle: Sophos periodically blocks PowerShell
- Logged onto Windows as a standard user, run PowerShell as standard user: Sophos blocks it
- Logged onto Windows as a standard user, run PowerShell as excepted user (using runas or "Run as administrator"): Sophos blocks it
- Logged onto Windows as an excepted user, idle: no notification of Sophos blocking PowerShell
- Logged onto Windows as an excepted user, run PowerShell as excepted user: Sophos allows it
- Logged onto Windows as an excepted user, run PowerShell as standard user (using runas): Sophos allows it
Only one policy is applied at a time, be it device or user. If user1 is logged on, a status has to be sent to Central to inform Central that user1 is logged on, and it will send a policy for that user. If user2 logs on, a status will be sent to Central and it will send down a policy for that user. There is no client-side caching of policy for users, so it is reliant on connectivity when switching users and on the timely rendering of policy by Central. You can see a trail of incoming and outgoing messages in C:\ProgramData\Sophos\Management Communications System\Endpoint\Trail\