Detecting and Blocking File Transfer Applications

Modified on Tue, 30 Sep at 3:37 PM

File transfer applications (such as FTP, SFTP servers, tnftp, and FileZilla) can pose security and compliance risks if installed on enterprise endpoints without authorization. These applications may allow unauthorized movement of sensitive data outside the organization.

The Saner CVEM platform helps administrators detect, analyze, and block unauthorized file transfer applications across devices.

1. Detecting File Transfer Applications

Saner CVEM continuously monitors endpoints and generates Posture Anomalies when file transfer applications are found.

Steps to Detect:


Navigate to the Posture Anomaly (PA) Dashboard, then:

  1. Locate the anomaly PA-2022-1061 – File Transfer Apps are installed.
    This rule triggers whenever a known file transfer application is detected.
  2. Review the Summary Section:
    • OS family with the most anomalies (e.g., Unix).
    • Group with the most anomalies (e.g., Ubuntu).
    • Operating System version with the highest anomalies (e.g., Ubuntu 24.04).
  3. Drill down into Posture Anomaly by Device:
    • Lists affected hostnames, OS families, and anomaly counts.
  4. Check Posture Anomaly by Incidence:
    • Shows the specific application name, publisher, and number of devices impacted.
    • Example:
      • ftp (Ubuntu Developers) – 2 devices
      • openssh-sftp-server (Ubuntu Developers) – 2 devices
      • tnftp (Ubuntu Developers) – 2 devices
      • FileZilla 3.69.3 (Tim Kosse) – 1 device
  5. Visual dashboards (by Group, Family, OS) provide quick insight into distribution.

2. Investigating the Risk
Once identified:

  • Check device groups (e.g., Ubuntu servers, Windows workstations).
  • Verify if the installation was intentional (e.g., for development/testing) or unauthorized.
  • Correlate with user activity and business use cases before blocking.
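
The following is an added example, not part of Saner CVEM or the original article, for confirming a PA-2022-1061 finding directly on a Debian/Ubuntu endpoint during investigation. The function names, the approved list, and the `filezilla` package name are assumptions; the other watchlist entries are the package names from the incidence example above.

```shell
#!/bin/sh
# Cross-check which file transfer packages are really installed on this host.
# Watchlist: names from the article's incidence example, plus "filezilla"
# (assumed Ubuntu package name for FileZilla).
WATCHLIST="ftp openssh-sftp-server tnftp filezilla"

# classify_transfer_pkgs APPROVED_LIST
# Reads "package<TAB>dpkg status" lines on stdin and prints, for every
# watchlisted package that is fully installed, "name<TAB>approved|unapproved".
classify_transfer_pkgs() {
    awk -F '\t' -v watch="$WATCHLIST" -v ok="$1" '
        BEGIN {
            n = split(watch, w, " "); for (i = 1; i <= n; i++) W[w[i]] = 1
            n = split(ok, a, " ");    for (i = 1; i <= n; i++) A[a[i]] = 1
        }
        # Removed packages that only left config files behind are not a finding.
        $2 != "install ok installed" { next }
        ($1 in W) { print $1 "\t" (($1 in A) ? "approved" : "unapproved") }'
}

# Constructed sample input, in the shape produced by:
#   dpkg-query -W -f='${Package}\t${Status}\n'
sample_inventory() {
    printf '%s\t%s\n' \
        'bash'                'install ok installed' \
        'ftp'                 'install ok installed' \
        'openssh-sftp-server' 'install ok installed' \
        'tnftp'               'deinstall ok config-files' \
        'filezilla'           'install ok installed'
}

# Hypothetical approved list: this device group runs an SSH server on purpose.
APPROVED="openssh-sftp-server"

if command -v dpkg-query >/dev/null 2>&1; then
    # Live inventory of the current host.
    dpkg-query -W -f='${Package}\t${Status}\n' | classify_transfer_pkgs "$APPROVED"
else
    # No dpkg on this machine: run against the constructed sample instead.
    sample_inventory | classify_transfer_pkgs "$APPROVED"
fi
```

Packages reported as `unapproved` are the ones to correlate with user activity before choosing a block or uninstall action.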


3. Blocking File Transfer Applications

Saner CVEM provides a direct Application and Device Control option for handling detected anomalies.

Steps to Block:

  1. Select Fix and go to the Detected Anomalies Action panel, then choose:
    • Application and Device Control, or
    • Software Deployment (for uninstall).
  2. Under Possible Actions, click Application Block to restrict execution of the detected file transfer app.
  3. To allow again (for approved apps), use Application Unblock.



