
Sophos SysTray Icon saying Sophos is deactivated when in fact it's not

Hi,

just a minor issue, which is just cosmetic I guess...

On my computer (standalone installation of version 10.3.12.89 which I get from my school who pays for the corporate license), Windows 8.1 Pro, the SysTray Icon often (not always) keeps telling me that Sophos is deactivated (see attached screenshot), when in fact it is not (the on-access scan setting is "on", Windows Security Center reports that Sophos is active, Sophos itself on entering the "main screen" of the program tells me it's active, and I get the appropriate alerts when accessing files or websites Sophos considers to be malicious).

This only happens on my Windows 8.1 machine (x64), other machines running various kinds of Windows 7 (Home, Pro, Ultimate, both x32 and x64) do not have this issue.

Any clues?

Thanks a bunch for reading my lines. :)

Sorry for getting back to you only now, I was away for a couple of days.

A happy new year to you by the way!

Actually, I have tried logging in as a different user two months ago, as (for other reasons than Sophos) I did a clean reinstall in November last year (which would have created a new user profile from scratch), and I had the problem before that reinstall and now I still have it.

Things which might be different on our computers which come to mind are:

- I use a German version of Windows 8.1

- Since I use the OEM version of Windows 8.1 which came with my computer, even a "clean" reinstall means installing Windows 8 first, then upgrading to Windows 8.1

- I use a Microsoft account to log in, though that can't be the problem, as before the reinstall I used a local account and had the same problem.

I tried restarting both

• Sophos Anti-Virus Service
• Sophos Autoupdate Service

and it didn't change anything about what the trayicon said. In fact, I tried restarting every service of Sophos I could find in the services.msc, nothing changed the systray icon, only restarting AlMon.exe does.

I did try what you suggested and had a look at Almon.exe with Process Explorer, the resulting files are attached. Upon comparing them with Notepad++ and the Compare Plugin, I found that the working version has three additional things running which I cannot find running in the missing version:

config.dll    Sophos AutoUpdate configuration manager    Sophos Limited    C:\Program Files (x86)\Sophos\AutoUpdate\config.dll

dllhost.exe        1.524 K    5.656 K    5340    COM Surrogate    Microsoft Corporation

audiodg.exe        6.008 K    8.988 K    7004    Windows Graphisolierung für Audiogeräte     Microsoft Corporation

Now, I can't even remotely figure out why the TrayIcon would have audiodg, maybe to alert me with a sound when a virus/malware is found? Or maybe Process Explorer just dumps all running things and not only for the selected process. :)

Anyway, the not working version of Almon.exe (i.e. the version claiming that Sophos is deactivated) has the three things just mentioned missing, but also a few additional things the working version does not have:

actxprxy.dll    ActiveX Interface Marshaling Library    Microsoft Corporation    C:\Windows\SysWOW64\actxprxy.dll

msxml6.dll    MSXML 6.0    Microsoft Corporation    C:\Windows\SysWOW64\msxml6.dll

msxml6r.dll    XML Resources    Microsoft Corporation    C:\Windows\SysWOW64\msxml6r.dll

Now, from my point of view, it seems that the config.dll somehow gets unloaded, I just wonder how to find out how and why.

I had a look at the file in C:\Program Files (x86)\Sophos\AutoUpdate\config.dll, permissions seem to be fine (full control for SYSTEM and Administrators, read access for Users), the certificate is also valid.

Just on a side note, when looking at the permissions of various Sophos processes with Process Explorer, I often see unknown users in the ACLs (for example a user S-1-5-5-0-106062 for Almon.exe, or S-1-5-5-0-2738596 for SavService.exe), is that intentional or is there a problem with that? Although I couldn't figure out why there would be a problem, like I said, it's a clean reinstall, since November I have never added or removed users, my computer is not jointly used...

Still puzzled by this. :)

Regards,

Peter
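The module-list comparison described in the post above, as an added example in Python (not code from the post, from Sophos, or from Process Explorer): it parses tab-separated DLL rows of the kind pasted above, diffs the working and broken dumps, flags modules that claim a vendor but load from outside that vendor's directory, and recognises the S-1-5-5-X-Y logon-session SID pattern. The sample dumps are constructed from the rows quoted in the post; parse_listing, diff_modules, outside_vendor_dir and is_logon_session_sid are names chosen here, not tool or product APIs.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Module:
    name: str
    description: str
    company: str
    path: str

def parse_listing(text: str) -> dict[str, Module]:
    """Parse 'name<TAB>description<TAB>company<TAB>path' rows, keyed by
    lower-cased file name. Rows with another column layout (e.g. process
    rows carrying memory figures) are skipped rather than mis-read as DLLs."""
    modules: dict[str, Module] = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) != 4 or not fields[3].lower().endswith(".dll"):
            continue
        modules[fields[0].lower()] = Module(*fields)
    return modules

def diff_modules(working: dict[str, Module], broken: dict[str, Module]):
    """Return (names missing from broken, names only in broken), sorted."""
    return sorted(set(working) - set(broken)), sorted(set(broken) - set(working))

def outside_vendor_dir(modules: dict[str, Module], company: str, vendor_dir: str):
    """Names of modules claiming `company` but loaded from outside vendor_dir;
    a vendor DLL resolved from elsewhere deserves a look before it is trusted."""
    root = vendor_dir.lower().rstrip("\\") + "\\"
    return sorted(m.name for m in modules.values()
                  if m.company == company and not m.path.lower().startswith(root))

LOGON_SID = re.compile(r"^S-1-5-5-\d+-\d+$")

def is_logon_session_sid(sid: str) -> bool:
    """S-1-5-5-X-Y is the well-known logon-session SID pattern; it maps to no
    account name, so ACL viewers show it as an unknown user."""
    return bool(LOGON_SID.match(sid))

# Constructed sample dumps built from the rows quoted in the post above.
WORKING = "\n".join([
    "config.dll\tSophos AutoUpdate configuration manager\tSophos Limited\tC:\\Program Files (x86)\\Sophos\\AutoUpdate\\config.dll",
    "dllhost.exe\t1.524 K\t5.656 K\t5340\tCOM Surrogate\tMicrosoft Corporation",
])
BROKEN = "\n".join([
    "actxprxy.dll\tActiveX Interface Marshaling Library\tMicrosoft Corporation\tC:\\Windows\\SysWOW64\\actxprxy.dll",
    "msxml6.dll\tMSXML 6.0\tMicrosoft Corporation\tC:\\Windows\\SysWOW64\\msxml6.dll",
])
```

Run diff_modules(parse_listing(WORKING), parse_listing(BROKEN)) to get the missing and extra module names; the dllhost.exe row is skipped because it is not a four-column DLL row.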