Getting Error After New Update (Sophos~1.DLL)

Hello everyone, 

Today we started receiving errors on a couple of our Windows machines, particularly the ones with Windows 7 installed. 

The error states 

Window Title > LogonUI.exe Bad Image

Message > C:\Windows\system32\SophosAV\SOPHOS~1.DLL\ is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

I had an issue where the Sophos UI was all broken on these machines, therefore I had to use cmd for Anti Tamper deactivation. 

The error persists even after reinstalling Sophos, also the installer has been downloaded straight from Sophos Central. 

Any help would be appreciated. 

Thanks!



This thread was automatically locked due to age.
  • Hello,

    The timing and behavior of this issue seem to line up with a KB article Sophos released today.

    Although the error messages and files aren't the same it may be worth checking those Microsoft KBs are installed on W7 machines and that this is not the cause.

  • Same issue on Server 2008 R2 (without SP1) Central Endpoints on Sophos Core Agent 2.8.2 BETA when logging in or opening any file or program. Also had this boot failure last month: https://community.sophos.com/products/endpoint-security-control/f/sophos-endpoint-software/88667/boot-failure---sophosed-sys-corrupted The Microsoft KB update files give the notice "the update is not applicable to your computer" though the correct OS version + CPU are selected. SP1 results will be looked into.

    EDIT: confirmed uninstalling Sophos, installing SP1 for 2008 R2 and the latest Windows updates, then reinstalling Sophos resolves the problem.

  • I have exactly the same issue on all PCs (70 PCs): the same error when we try to open any application.

  • Does installing the Microsoft patches help? KBs 4474419 and 4490628.

    If the referenced DLL is just the issue, there are a few ways to prevent them loading. They are loaded into processes as they start based on the keys:

    Native processes, i.e. 64 on 64-bit or 32-bit on 32-bit:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\system32\\SophosAV\\SOPHOS~1.DLL"
    "LoadAppInit_DLLs"=dword:00000001

    32-bit on 64-bit:

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\SysWOW64\\SophosAV\\SOPHOS~1.DLL"
    "LoadAppInit_DLLs"=dword:00000001

    The paths are 8.3 and they are essentially here:

    • Native - C:\Windows\System32\SophosAV\sophos_detoured_x64.dll
    • 32-bit on 64 - C:\Windows\SysWOW64\SophosAV\sophos_detoured.dll

    The LoadAppInit_DLLs DWORD has to be 1 for this technology to work. The Sophos installer does set it if it updates, but if you set "LoadAppInit_DLLs"=dword:00000001 to 0 for each, then the DLLs referenced in the AppInit_DLLs key will not get loaded.

    Of course you could equally remove the Sophos paths in the keys.  This would be the case if there were other AppInit DLLs in use.

    The Sophos installer also has a key, according to

    https://community.sophos.com/products/sophos-central/f/general/102069/not-able-to-install-sophos-endpoint-after-uninstall

    64-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    32-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    This will prevent the installer from adding the AppInit DLLs.

    Of course, some of these will be protected by Tamper Protection, but it might give you some options if you fully understand how it comes to be loaded and installed.

    The DLL is really only used now for Data Control.

    Regards,

    Jak
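As an added example (not part of the post above and not Sophos tooling), this read-only PowerShell check reports the two AppInit registry views described in that post, whether each referenced DLL exists and what its Authenticode status is, and whether KBs 4474419 and 4490628 are listed as installed. The variable names and the signature check are choices made for this example.

```powershell
# Added example (read-only): makes no changes to the registry or to files.
# Run from a 64-bit PowerShell on 64-bit Windows so neither the registry nor
# System32 is redirected. Written to work on PowerShell 2.0 (Windows 7 default).
$views = @(
    @{ View = 'Native';           Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' },
    @{ View = '32-bit on 64-bit'; Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows' }
)

$report = foreach ($v in $views) {
    if (-not (Test-Path $v.Key)) { continue }       # no WOW6432Node on 32-bit Windows
    $p = Get-ItemProperty -Path $v.Key

    # AppInit_DLLs is a space- or comma-delimited list, which is why the
    # entries are written as 8.3 short paths (SOPHOS~1.DLL).
    $dlls = @("$($p.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
    if ($dlls.Count -eq 0) { $dlls = @('') }        # still report an empty view

    foreach ($dll in $dlls) {
        $exists = $false
        $sig    = 'n/a'
        if ($dll -and (Test-Path -LiteralPath $dll)) {
            $exists = $true
            $sig    = (Get-AuthenticodeSignature -FilePath $dll).Status
        }
        New-Object PSObject -Property @{
            View      = $v.View
            Enabled   = ($p.LoadAppInit_DLLs -eq 1)  # 0 means the list is ignored
            Dll       = $dll
            Exists    = $exists
            Signature = $sig
        }
    }
}
$report | Select-Object View, Enabled, Dll, Exists, Signature | Format-Table -AutoSize

# The two Microsoft updates named in this thread.
# Get-HotFix reads Win32_QuickFixEngineering on the local machine.
$installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
foreach ($kb in 'KB4474419', 'KB4490628') {
    $state = if ($installed -contains $kb) { 'installed' } else { 'not found' }
    '{0}: {1}' -f $kb, $state
}
```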

  • Updating this thread. Please view the following KBA:

  • +1

    Windows 7 clients affected.

    How to resolve this issue?

  • Hi

    Please follow the steps mentioned in the KB article and install Windows KBs 4474419 and 4490628.

  • Thanks for the detailed information.

    There are two of the same update for the same OS.
    Which one has to be installed?


    kb4474419
    2019-08 Security Update for Windows 7 for x64-based Systems (KB4474419) Windows 7 Security Updates 8/12/2019
    2019-09 Security Update for Windows 7 for x64-based Systems (KB4474419) Windows 7 Security Updates 9/9/2019

    kb4490628
    2019-03 Servicing Stack Update for Windows 7 for x64-based Systems (KB4490628) Windows 7 Security Updates 3/10/2019
    2019-03 Servicing Stack Update for Windows 7 for x64-based Systems (KB4490628) Windows 7 Security Updates 3/11/2019