Re-enable ASLR on 64-bit machines with Sophos installed

As probably many other people also read in the news, the force-injection of the sophos_detoured.dll into all programs effectively disables ASLR on 64-bit platforms.

So how do I prevent Sophos from force-loading this DLL, as it is (AFAIK) unnecessary on 64-bit systems anyway? Can I just remove it from AppInit or will it come back on the next definition update?

:35107


  • Hi,

    Detours performs more than one role: http://www.sophos.com/en-us/support/knowledgebase/112099.aspx so it depends on what other roles it is performing for you.

    One way to disable it would be to disable any detours being loaded on the computer if you don't need them.

    This can be done under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\

    and if on a 64-bit machine, also consider:

    HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\

    for 32-bit processes on 64-bit computers.

    There is a value called LoadAppInit_DLLs. If you set this to 0, you can stop any detours loading into either 32-bit or 64-bit processes, so you need to change both on a 64-bit computer.  You can see the list of detours DLLs that will not be loaded if you change this in the AppInit_DLLs value in the same locations.

    As new processes are launched, the DLLs will then not be loaded into them.

    Regards 

    Jak

    :35113
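
The check described in the reply above, as an added PowerShell example that is not part of the original thread or Sophos's own tooling. The function names are hypothetical; the registry paths, value names and `sophos_detoured.dll` are the ones named in the thread. Writing the value needs an elevated session.

```powershell
# Added example: audit AppInit DLL loading in both registry views of 64-bit Windows.
$AppInitKeys = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    '32-bit' = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}

function Get-AppInitStatus {
    # Report LoadAppInit_DLLs and the DLL list for each view that exists.
    foreach ($view in $AppInitKeys.GetEnumerator()) {
        if (-not (Test-Path $view.Value)) { continue }   # no Wow6432Node on 32-bit Windows
        $key = Get-ItemProperty -Path $view.Value
        # AppInit_DLLs is one string; entries are separated by spaces or commas.
        $dlls = @("$($key.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
        [pscustomobject]@{
            View             = $view.Key
            LoadAppInit_DLLs = $key.LoadAppInit_DLLs
            AppInit_DLLs     = $dlls
        }
    }
}

function Disable-AppInitLoading {
    # Set LoadAppInit_DLLs to 0 in both views; supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($view in $AppInitKeys.GetEnumerator()) {
        if ((Test-Path $view.Value) -and
            $PSCmdlet.ShouldProcess($view.Value, 'Set LoadAppInit_DLLs = 0')) {
            Set-ItemProperty -Path $view.Value -Name LoadAppInit_DLLs -Value 0 -Type DWord
        }
    }
}

function Get-ProcessesWithModule {
    # Processes started before the change keep the DLL mapped until they restart.
    # Limitation: a 64-bit session may not list 32-bit modules of WOW64 processes.
    param([string]$ModuleName = 'sophos_detoured.dll')
    Get-Process | Where-Object {
        try { $_.Modules.ModuleName -contains $ModuleName } catch { $false }
    } | Select-Object Id, ProcessName
}

Get-AppInitStatus | Format-List
Get-ProcessesWithModule
# Disable-AppInitLoading -WhatIf   # preview the change before applying it
```

Running `Get-AppInitStatus` again after a definition update shows whether the value was reset, which is the question the original post raises.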