
Sophos SysTray Icon saying Sophos is deactivated when in fact it's not

Hi,

just a minor issue, which is just cosmetic I guess...

On my computer (standalone installation of version 10.3.12.89, which I get from my school, who pay for the corporate license), Windows 8.1 Pro, the SysTray icon often (not always) keeps telling me that Sophos is deactivated (see attached screenshot), when in fact it is not (the on-access scan setting is "on", Windows Security Center reports that Sophos is active, Sophos itself on entering the "main screen" of the program tells me it's active, and I get the appropriate alerts when accessing files or websites Sophos considers to be malicious).

This only happens on my Windows 8.1 machine (x64), other machines running various kinds of Windows 7 (Home, Pro, Ultimate, both x32 and x64) do not have this issue.

Any clues?

Thanks a bunch for reading my lines. :)



  • Hi,

    Does anything change if you:

    Kill almon.exe in Task Manager.

    Then run:

    dcomcnfg

    Expand "DCOM Config"

    Select the properties of the iMonitor entry and, on the Identity tab, choose "The launching user" (instead of "The interactive user").

    Then re-launch almon.exe

    C:\program files (x86)\sophos\autoupdate\almon.exe

    Any different?

    Regards,

    Jak


  • jak wrote:

    Any different?


    Thanks for your reply!

    Unfortunately no, shortly after restarting almon.exe (after changes in DCOM config, as described by you), the systray icon indeed says Sophos is active, but this doesn't last long, especially after a restart of my computer it's back to "deactivated".

    I'm wondering, do you think it might be a good idea to have almon.exe started as the NT AUTHORITY\SYSTEM user? Oops, edit: I just noticed I don't even have this option, it's greyed out as almon.exe is not a service. :'(

  • Yeah, almon.exe is launched from the "Run" registry key, so it starts in the context of the logged-on user.

    If you have multiple users logged in to a computer concurrently, then you would have multiple almon.exe processes.

    Have you tried logging in as a different user account to see if it's a profile problem? I don't see this being the case, but maybe worth a go.

    So if you restart almon.exe (kill/launch) it's fine. What happens to "break it"? Does a restart of the Sophos services cause it to revert, and if so, which ones?

    • Sophos Anti-Virus Service
    • Sophos Autoupdate Service

    Both of the above play a part in this status.

    You could also run Process Explorer (Sysinternals) and check that the same list of modules is loaded when it works and when it fails.

    It's an odd one for sure. I have a Win 8.1 client and it's fine.

    Regards,

    Jak

  • Sorry for getting back to you only now, I was away for a couple of days.

    A happy new year to you by the way!

    Actually, I tried logging in as a different user two months ago, as (for reasons other than Sophos) I did a clean reinstall in November last year (which would have created a new user profile from scratch), and I had the problem before that reinstall and I still have it now.

    Things which might be different on our computers which come to mind are:

    - I use a German version of Windows 8.1

    - Since I use the OEM version of Windows 8.1 which came with my computer, even a "clean" reinstall means installing Windows 8 first, then upgrading to Windows 8.1

    - I use a Microsoft account to log in, though that can't be the problem, as before the reinstall I used a local account and had the same problem.

    I tried restarting both

    • Sophos Anti-Virus Service
    • Sophos Autoupdate Service

    and it didn't change anything about what the trayicon said. In fact, I tried restarting every service of Sophos I could find in the services.msc, nothing changed the systray icon, only restarting AlMon.exe does.

    I did try what you suggested and had a look at Almon.exe with Process Explorer; the resulting files are attached. Upon comparing them with Notepad++ and the Compare plugin, I found that the working version has three additional things running which I cannot find in the non-working version:

    config.dll    Sophos AutoUpdate configuration manager    Sophos Limited    C:\Program Files (x86)\Sophos\AutoUpdate\config.dll

    dllhost.exe        1.524 K    5.656 K    5340    COM Surrogate    Microsoft Corporation

    audiodg.exe        6.008 K    8.988 K    7004    Windows Audio Device Graph Isolation     Microsoft Corporation

    Now, I can't even remotely figure out why the TrayIcon would have audiodg, maybe to alert me with a sound when a virus/malware is found? Or maybe Process Explorer just dumps all running things and not only for the selected process. :)

    Anyway, the non-working version of Almon.exe (i.e. the version claiming that Sophos is deactivated) is missing the three things just mentioned, but also has a few additional things the working version does not have:

    actxprxy.dll    ActiveX Interface Marshaling Library    Microsoft Corporation    C:\Windows\SysWOW64\actxprxy.dll

    msxml6.dll    MSXML 6.0    Microsoft Corporation    C:\Windows\SysWOW64\msxml6.dll

    msxml6r.dll    XML Resources    Microsoft Corporation    C:\Windows\SysWOW64\msxml6r.dll

    Now, from my point of view, it seems that config.dll somehow gets unloaded; I just wonder how to find out how and why.

    I had a look at the file in C:\Program Files (x86)\Sophos\AutoUpdate\config.dll, permissions seem to be fine (full control for SYSTEM and Administrators, read access for Users), the certificate is also valid.

    Just on a side note: when looking at the permissions of various Sophos processes with Process Explorer, I often see unknown users in the ACLs (for example a user S-1-5-5-0-106062 for Almon.exe, or S-1-5-5-0-2738596 for SavService.exe). Is that intentional, or is there a problem with that? Although I couldn't figure out why there would be a problem; like I said, it's a clean reinstall, since November I have never added or removed users, and my computer is not jointly used...

    Still puzzled by this. :)

    Regards,

    Peter

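An added example (editor's code, not part of this thread or of Sophos) for the two comparisons made in the post above: diffing two saved Process Explorer listings to see which entries appear in only one of them, and decoding the unresolved SIDs seen in the process ACLs. The sample rows are constructed from the entries quoted above, plus one ntdll.dll row common to both lists for contrast, and the parser assumes the two row layouts visible in the post: four tab-separated fields for a DLL-view row, and six (with two memory figures and a PID) for a process-view row, which is why dllhost.exe and audiodg.exe are reported as processes rather than as modules of almon.exe. S-1-5-5-X-Y is the form Windows uses for a per-logon-session SID; it does not belong to any user account, so it does not resolve to a username, and the script labels it accordingly.

```python
# Added example (not from the thread): helpers for the Process Explorer
# evidence discussed above. diff_module_lists() compares two saved listings;
# classify_sid() decodes SIDs such as S-1-5-5-0-106062.
import re

# Row layouts as quoted in the thread:
#   DLL view:     name TAB description TAB company TAB path
#   process view: name TAB private bytes TAB working set TAB PID TAB description TAB company
MODULE_ROW = re.compile(
    r"^(?P<name>[^\t]+)\t(?P<desc>[^\t]*)\t(?P<company>[^\t]*)\t(?P<path>[^\t]+)$")
PROCESS_ROW = re.compile(
    r"^(?P<name>[^\t]+)\t[\d.,]+ K\t[\d.,]+ K\t(?P<pid>\d+)\t(?P<desc>[^\t]*)\t(?P<company>[^\t]*)$")

# Constructed sample listings (rows from the thread; ntdll.dll added as a common entry).
WORKING_LISTING = (
    "ntdll.dll\tNT Layer DLL\tMicrosoft Corporation\tC:\\Windows\\SysWOW64\\ntdll.dll\n"
    "config.dll\tSophos AutoUpdate configuration manager\tSophos Limited\t"
    "C:\\Program Files (x86)\\Sophos\\AutoUpdate\\config.dll\n"
    "dllhost.exe\t1.524 K\t5.656 K\t5340\tCOM Surrogate\tMicrosoft Corporation\n"
    "audiodg.exe\t6.008 K\t8.988 K\t7004\tWindows Audio Device Graph Isolation\tMicrosoft Corporation\n"
)
FAILING_LISTING = (
    "ntdll.dll\tNT Layer DLL\tMicrosoft Corporation\tC:\\Windows\\SysWOW64\\ntdll.dll\n"
    "actxprxy.dll\tActiveX Interface Marshaling Library\tMicrosoft Corporation\tC:\\Windows\\SysWOW64\\actxprxy.dll\n"
    "msxml6.dll\tMSXML 6.0\tMicrosoft Corporation\tC:\\Windows\\SysWOW64\\msxml6.dll\n"
    "msxml6r.dll\tXML Resources\tMicrosoft Corporation\tC:\\Windows\\SysWOW64\\msxml6r.dll\n"
)


def parse_listing(text):
    """Split a saved listing into {module name: path} and {process name: pid}."""
    modules, processes = {}, {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = PROCESS_ROW.match(line)
        if m:
            processes[m["name"].lower()] = int(m["pid"])
            continue
        m = MODULE_ROW.match(line)
        if m:
            modules[m["name"].lower()] = m["path"]
            continue
        raise ValueError(f"unrecognised row: {line!r}")
    return modules, processes


def diff_module_lists(working, failing):
    """Report which modules and processes appear in only one of the two listings."""
    w_mod, w_proc = parse_listing(working)
    f_mod, f_proc = parse_listing(failing)
    return {
        "modules_missing_when_failing": sorted(w_mod.keys() - f_mod.keys()),
        "modules_extra_when_failing": sorted(f_mod.keys() - w_mod.keys()),
        "processes_only_in_working": sorted(w_proc.keys() - f_proc.keys()),
        "processes_only_in_failing": sorted(f_proc.keys() - w_proc.keys()),
    }


# A few documented well-known SIDs; the structural rules below cover the rest.
WELL_KNOWN_SIDS = {
    "S-1-1-0": "Everyone",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
    "S-1-5-19": "NT AUTHORITY\\LOCAL SERVICE",
    "S-1-5-20": "NT AUTHORITY\\NETWORK SERVICE",
    "S-1-5-32-544": "BUILTIN\\Administrators",
    "S-1-5-32-545": "BUILTIN\\Users",
}
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def classify_sid(sid):
    """Describe a SID by its authority and sub-authority structure."""
    if sid in WELL_KNOWN_SIDS:
        return WELL_KNOWN_SIDS[sid]
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")[1:]]
    if authority == 5 and len(subs) == 3 and subs[0] == 5:
        # S-1-5-5-X-Y: per-logon-session SID; X-Y is the logon id, not a user account.
        return f"logon session SID (logon id {subs[1]}:{subs[2]})"
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return f"account RID {subs[4]} in domain/machine S-1-5-21-{subs[1]}-{subs[2]}-{subs[3]}"
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        return f"BUILTIN alias RID {subs[1]}"
    return "unrecognised SID"


if __name__ == "__main__":
    for key, names in diff_module_lists(WORKING_LISTING, FAILING_LISTING).items():
        print(f"{key}: {names}")
    for sid in ("S-1-5-5-0-106062", "S-1-5-5-0-2738596", "S-1-5-18"):
        print(sid, "->", classify_sid(sid))
```

On the sample data the diff reports config.dll as the only module missing from the failing listing, the three SysWOW64 DLLs as the extras, and dllhost.exe and audiodg.exe as processes rather than modules. Both SIDs from the post decode as logon session SIDs for logon ids 0:106062 and 0:2738596.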
  • Hm, I think I *might* have found a solution to the problem; somehow it seems to be related to a problem with the systray of Windows itself.

    Yesterday, I was fixing another systray problem which had been buggering me for quite some weeks (the volume control button kept disappearing), and I used the following batch file:

    @echo off
    
    :: Notification Area Cleaner
    :: Created by Hally Master hally_master (at) yahoo (dot) com
    :: Distributed by www.7tutorials.com
    :: WARNING! This utility restarts your shell (Explorer.exe) and clears your notification area icon cache
    
    :: Delete the cached icon stream for the current user's notification area
    reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" /v IconStreams /f
    :: Delete the cache of previously seen (past) icons as well
    reg delete "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify" /v PastIconsStream /f
    :: Restart the shell so the notification area is rebuilt from scratch
    taskkill /im explorer.exe /f
    start explorer.exe
    exit

    I have put this batch file into my Autostart folder in the Start menu, so it gets executed every time I log on.

    Today, Sophos has been reporting "Protected by Sophos" in the systray all day long, and that has now been 8 hours straight.

    Maybe it was completely unrelated and fixed by a Sophos update, but maybe that icon stream thing was at the heart of the issue.

    I'll report back here in a few days on whether the "fix" has proven to be a stable and lasting one.
