This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

EventID 5038 in Server 2016/2019 with Intercept X Advanced for Server with XDR

Hello Community,

we have several WIndows Server 2016/2019. They have installed Sophos Intercept X Advanced for Server with XDR. After a reboot occurs the eventID 5038. 

Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
File Name:  \Device\HarddiskVolume4\Windows\System32\drivers\SophosED.sys

A reinstallation did not solve the problem. Could you give me some tips on how to solve it?



This thread was automatically locked due to age.
Parents
  • Hi Steffan,


    Thank you for reaching us. Upon checking with this event ID, we see the same scenario for our SophosAmsiProvider.dll described in this article. It's been mentioned that the said file is signed by Sophos but isn't co-signed by Microsoft, which is expected behavior, and the windows event can be ignored. Also, based on this MS documentation, the recommendation for the said Event ID was to Monitor. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Reply
  • Hi Steffan,


    Thank you for reaching us. Upon checking with this event ID, we see the same scenario for our SophosAmsiProvider.dll described in this article. It's been mentioned that the said file is signed by Sophos but isn't co-signed by Microsoft, which is expected behavior, and the windows event can be ignored. Also, based on this MS documentation, the recommendation for the said Event ID was to Monitor. 

    Glenn ArchieSeñas (GlennSen)
    Global Community Support Engineer

    The New Home of Sophos Support Videos!  Visit Sophos Techvids
Children
No Data