C:\Windows\System32\SophosED\SophosED.dll is either not designed to run on windows10

Hi Team,

Some of the users have started to complain about an error they are getting after restarting the system (C:\Windows\System32\SophosED\SophosED.dll is either not designed to run on Windows 10 22H2).

I am attaching the screenshot for more info.



Added Tags
[edited by: GlennSen at 3:14 AM (GMT -7) on 26 Mar 2024]
  • Hi,

    Thank you for reaching out to the Sophos Community forum.

    Would you know if there's a specific action that's taking place when users get this error message? Is it while launching or running a certain application?

    If you haven't already, please also take a look at the System and Components tabs on the Endpoint Self Help tool to make sure there are no pending reboots or issues with the installed components.



    If these are all clear, kindly share the sed.log (C:\ProgramData\Sophos\Endpoint Defense\Logs) from the affected device.

    Gladys Reyes
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi,

    I have got the below update from the end user. However, I will get more info and share it with you.

    Recently, the "Bad-image" box appears when the computer is turned on, and frequently when the computer is in use. It occurs mainly when booting up the computer, opening Outlook and Internet Explorer.

  • Can you confirm that the Windows Updates on this device are fully up to date? 

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
  • Yes, it is running with the below cumulative updates.

    2024-02 Cumulative Update for Windows 10 Version 22H2 for x64-based Systems (KB5034763) Installed 3/2/2024, 11:08:42 AM Windows 10, version 1903 and later
    2024-02 Cumulative Update for .NET Framework 3.5, 4.8 and 4.8.1 for Windows 10 Version 22H2 for x64 (KB5034685) Installed 3/2/2024, 11:08:42 AM Windows 10, version 1903 and later
  • I have checked the System and Components tabs on the Endpoint Self Help tool, and there are no pending reboots or issues with the installed components.

    I have collected the SED logs (C:\ProgramData\Sophos\Endpoint Defense\Logs) from the device, but I don't know how to attach them here. Are you using any URL for sharing logs?

  • Hi,

    You can copy and paste the logs here. If you're unable to do so, I have also sent you a private message and you can reply there.

    Gladys Reyes
    Global Community Support Engineer
  • Hi Gladys,

    Please see the below lines from the SED logs.

    2024-03-04T08:39:12.182Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 2748 PID: 13136 \DEVICE\HARDDISKVOLUME3\PROGRAMDATA\SOPHOS\AUTOUPDATE\CACHE\SOPHOS_AUTOUPDATE1.DIR\SU-REPAIR.EXE by process PID: 4 System
    2024-03-04T08:39:14.858Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x101410 to 0x101400 for protected process PID: 4364 \DEVICE\HARDDISKVOLUME3\PROGRAMDATA\SOPHOS\AUTOUPDATE\CACHE\SOPHOS_AUTOUPDATE1.DIR\SOPHOSUPDATE.EXE by process PID: 8580 \DEVICE\HARDDISKVOLUME3\WINDOWS\CCM\CCMEXEC.EXE
    2024-03-04T08:39:15.069Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 8964 PID: 4364 \DEVICE\HARDDISKVOLUME3\PROGRAMDATA\SOPHOS\AUTOUPDATE\CACHE\SOPHOS_AUTOUPDATE1.DIR\SOPHOSUPDATE.EXE by process PID: 4 System
    2024-03-04T08:39:15.069Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 8964 PID: 4364 \DEVICE\HARDDISKVOLUME3\PROGRAMDATA\SOPHOS\AUTOUPDATE\CACHE\SOPHOS_AUTOUPDATE1.DIR\SOPHOSUPDATE.EXE by process PID: 4 System
    2024-03-04T08:39:32.485Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x101410 to 0x101400 for protected process PID: 13936 \DEVICE\HARDDISKVOLUME3\PROGRAMDATA\SOPHOS\AUTOUPDATE\CACHE\SOPHOS_AUTOUPDATE1.DIR\SU-REPAIR.EXE by process PID: 8580 \DEVICE\HARDDISKVOLUME3\WINDOWS\CCM\CCMEXEC.EXE
    2024-03-04T08:39:32.527Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10D400 for protected process PID: 13936 \DEVICE\HARDDISKVOLUME3\PROGRAMDATA\SOPHOS\AUTOUPDATE\CACHE\SOPHOS_AUTOUPDATE1.DIR\SU-REPAIR.EXE by process PID: 11100 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\CONHOST.EXE
    2024-03-04T08:39:53.579Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 4364 \DEVICE\HARDDISKVOLUME3\PROGRAMDATA\SOPHOS\AUTOUPDATE\CACHE\SOPHOS_AUTOUPDATE1.DIR\SOPHOSUPDATE.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 139 Blocked: Duplicate process handle access changed from 0x1FFFBC to 0x10D400 for protected process PID: 4484 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SOPHOS\MANAGEMENT COMMUNICATIONS SYSTEM\ENDPOINT\MCSAGENT.EXE by process PID: 832 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SERVICES.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 139 Blocked: Duplicate process handle access changed from 0x1FFFBC to 0x10D400 for protected process PID: 2408 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SEDSERVICE.EXE by process PID: 832 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SERVICES.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 136 Blocked: Duplicate process handle access changed from 0x1FFFBC to 0x10D400 for protected process PID: 4508 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS NETWORK THREAT PROTECTION\SOPHOSNTPSERVICE.EXE by process PID: 832 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SERVICES.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 139 Blocked: Duplicate process handle access changed from 0x1FFFBC to 0x10D400 for protected process PID: 2880 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\HITMANPRO.ALERT\HMPALERT.EXE by process PID: 832 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SERVICES.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 38 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 4476 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSLIVEQUERYSERVICE.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 38 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 4484 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SOPHOS\MANAGEMENT COMMUNICATIONS SYSTEM\ENDPOINT\MCSAGENT.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 38 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 4500 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFS.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 38 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 4508 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS NETWORK THREAT PROTECTION\SOPHOSNTPSERVICE.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 38 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 4556 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SOPHOS\HEALTH\SOPHOSHEALTH.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 38 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 38 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 7304 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS NETWORK THREAT PROTECTION\SOPHOSNETFILTER.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:40:06.555Z SED Obj Info Count: 3 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 9404 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:40:06.555Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 2744 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:40:06.555Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 3168 PID: 13640 \DEVICE\HARDDISKVOLUME3\PROGRAMDATA\SOPHOS\AUTOUPDATE\CACHE\SOPHOS_AUTOUPDATE1.DIR\SOPHOSUPDATE.EXE by process PID: 4 System
    2024-03-04T08:40:06.555Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 9480 PID: 15148 \DEVICE\HARDDISKVOLUME3\PROGRAMDATA\SOPHOS\AUTOUPDATE\CACHE\SOPHOS_AUTOUPDATE1.DIR\SU-REPAIR.EXE by process PID: 4 System
    2024-03-04T08:40:06.555Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 12484 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:42:06.561Z SED Obj Info Count: 135 Blocked: Duplicate process handle access changed from 0x1FFFBC to 0x10D400 for protected process PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 832 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SERVICES.EXE
    2024-03-04T08:42:06.561Z SED Obj Info Count: 135 Blocked: Duplicate process handle access changed from 0x1FFFBC to 0x10D400 for protected process PID: 4576 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SOPHOS\MANAGEMENT COMMUNICATIONS SYSTEM\ENDPOINT\MCSCLIENT.EXE by process PID: 832 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SERVICES.EXE
    2024-03-04T08:42:06.561Z SED Obj Info Count: 135 Blocked: Duplicate process handle access changed from 0x1FFFBC to 0x10D400 for protected process PID: 4476 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSLIVEQUERYSERVICE.EXE by process PID: 832 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SERVICES.EXE
    2024-03-04T08:42:06.561Z SED Obj Info Count: 135 Blocked: Duplicate process handle access changed from 0x1FFFBC to 0x10D400 for protected process PID: 4556 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SOPHOS\HEALTH\SOPHOSHEALTH.EXE by process PID: 832 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SERVICES.EXE
    2024-03-04T08:42:06.561Z SED Obj Info Count: 135 Blocked: Duplicate process handle access changed from 0x1FFFBC to 0x10D400 for protected process PID: 4500 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFS.EXE by process PID: 832 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SERVICES.EXE
    2024-03-04T08:42:16.577Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 8128 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:42:16.577Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 8128 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:43:06.571Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 7112 PID: 13756 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 4 System
    2024-03-04T08:44:09.329Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 16260 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:44:09.329Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 16260 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:44:10.396Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 5784 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:44:10.396Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 5784 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:44:53.683Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 8124 PID: 13756 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 4 System
    2024-03-04T08:44:53.683Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 8124 PID: 13756 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 4 System
    2024-03-04T08:44:58.849Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 15524 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:44:58.849Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 15524 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:45:06.586Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 6844 PID: 13756 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 4 System
    2024-03-04T08:45:06.586Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 9808 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:45:06.586Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 460 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:45:06.586Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 14104 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:47:06.600Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 5764 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:48:06.607Z SED Obj Info Count: 37 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 5948 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:48:06.607Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 15988 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:48:41.120Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 15124 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:48:41.120Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 15124 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:49:09.323Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 7732 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:49:09.323Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 7732 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:49:10.401Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 7652 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:49:10.401Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 7652 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:50:06.628Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 14280 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:50:06.628Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 13068 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:50:06.628Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 3272 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:50:55.943Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 9992 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:50:55.943Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 9992 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:52:06.625Z SED Obj Info Count: 36 Blocked: Create process handle access changed from 0x3000 to 0x1000 for protected process PID: 13756 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 2036 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\SVCHOST.EXE
    2024-03-04T08:52:06.625Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 1136 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:52:52.145Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 14688 PID: 13756 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 4 System
    2024-03-04T08:52:52.145Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 14688 PID: 13756 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 4 System
    2024-03-04T08:53:06.617Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 6236 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:54:09.294Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 15476 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:54:09.294Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 15476 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:54:10.384Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 15528 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:54:10.384Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 15528 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:55:02.389Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 9560 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:55:02.389Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 9560 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:55:06.629Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 15548 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:55:06.629Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 6360 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:55:06.629Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 3600 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:56:06.629Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 16148 PID: 13756 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 4 System
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 13756 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 5948 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFILESCANNER.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 11412 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS UI\SOPHOS UI.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 7304 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS NETWORK THREAT PROTECTION\SOPHOSNETFILTER.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 4576 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SOPHOS\MANAGEMENT COMMUNICATIONS SYSTEM\ENDPOINT\MCSCLIENT.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 4556 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SOPHOS\HEALTH\SOPHOSHEALTH.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 4508 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS NETWORK THREAT PROTECTION\SOPHOSNTPSERVICE.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 4500 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\SOPHOS FILE SCANNER\SOPHOSFS.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 4484 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\SOPHOS\MANAGEMENT COMMUNICATIONS SYSTEM\ENDPOINT\MCSAGENT.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 4476 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSLIVEQUERYSERVICE.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:06.629Z SED Obj Info Count: 5 Blocked: Create process handle access changed from 0x1410 to 0x1400 for protected process PID: 2880 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\HITMANPRO.ALERT\HMPALERT.EXE by process PID: 6120 \DEVICE\HARDDISKVOLUME3\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE
    2024-03-04T08:56:07.738Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 2392 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:56:07.738Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 2392 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:57:06.627Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 2436 PID: 2880 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES (X86)\HITMANPRO.ALERT\HMPALERT.EXE by process PID: 4 System
    2024-03-04T08:59:06.635Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 15564 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:59:09.276Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 8380 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:59:09.276Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 8380 PID: 4564 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\ENDPOINT DEFENSE\SSPSERVICE.EXE by process PID: 4 System
    2024-03-04T08:59:10.373Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 15740 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:59:10.373Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x1FFFFF to 0x10E804 for protected process TID: 15740 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System
    2024-03-04T08:59:14.679Z SED Obj Info Count: 1 Blocked: Create process handle access changed from 0x840 to 0x800 for protected process TID: 1912 PID: 5156 \DEVICE\HARDDISKVOLUME3\PROGRAM FILES\SOPHOS\LIVE QUERY\SOPHOSOSQUERY.EXE by process PID: 4 System

  • May I ask if an uninstall and reinstall has been attempted already? 

    Kushal Lakhan
    Team Lead, Global Community Support
  • Why do we need to reinstall the client? I have shared the logs with you. Can we get some more information?

  • There is a 32-bit SophosED.dll and a 64-bit DLL which reside in the following locations:

    64-bit -  C:\Windows\System32\SophosED\SophosED.dll

    32-bit -  C:\Windows\Syswow64\SophosED\SophosED.dll

    Assuming there aren't any pending restarts and pending files, you could do a quick test to confirm that the file downloaded is the same as the "installed" files on disk by running:

    fc.exe C:\Windows\System32\SophosED\SophosED.dll C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x64\SophosED.dll

    fc.exe C:\Windows\SysWOW64\SophosED\SophosED.dll C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x86\SophosED.dll

    I assume the actual files are fine but they could be corrupt and this should check.

    These DLLs are injected into processes as they start.  The SophosED.sys file system filter driver does the injecting. 32-bit processes get the 32-bit DLL, 64-bit, the 64-bit DLL.

    It only injects the DLLs if Data Control is enabled, and only into a set list of processes as defined in the registry: DlpProcessList under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config

    Which is why only some processes are affected.

    Do you have some sort of mitigation rules applied to the processes to prevent certain DLLs?

    Maybe check the CI event log.
    %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

    Anything in there?

    It may be worth running Process Monitor when you launch one of the processes in the DlpProcessList, just to see if you see the DLL being read, etc., and what comes after. Any clues there?

    I would also check the cert path of the cert to make sure that is fine.

    The CAPI2 event log might be interesting as well if this shows issues.
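
The checks suggested in the reply above, gathered into one read-only PowerShell script. This is an added example, not Sophos tooling and not part of the original post. It uses the paths and registry key quoted in the reply, compares SHA-256 hashes in place of `fc.exe`, and takes `outlook.exe` from the user's report as a sample process name; a 64-bit, elevated session is assumed.

```powershell
# Added example (not from the original thread): read-only triage for the
# SophosED.dll "Bad Image" error. Run in a 64-bit, elevated PowerShell session;
# a 32-bit host would silently redirect System32 to SysWOW64.

$cache = Join-Path $env:ProgramData 'Sophos\AutoUpdate\Cache\decoded\sed64'
$pairs = @(
    [pscustomobject]@{
        Arch      = '64-bit'
        Installed = (Join-Path $env:SystemRoot 'System32\SophosED\SophosED.dll')
        Cached    = (Join-Path $cache 'x64\SophosED.dll')
    }
    [pscustomobject]@{
        Arch      = '32-bit'
        Installed = (Join-Path $env:SystemRoot 'SysWOW64\SophosED\SophosED.dll')
        Cached    = (Join-Path $cache 'x86\SophosED.dll')
    }
)

function Test-SedDll {
    param([string]$Arch, [string]$Installed, [string]$Cached)

    foreach ($p in $Installed, $Cached) {
        if (-not (Test-Path -LiteralPath $p)) {
            return [pscustomobject]@{ Arch = $Arch; Problem = "Missing file: $p" }
        }
    }

    # Same question fc.exe answers: is the installed DLL byte-identical
    # to the copy AutoUpdate downloaded?
    $hInstalled = (Get-FileHash -LiteralPath $Installed -Algorithm SHA256).Hash
    $hCached    = (Get-FileHash -LiteralPath $Cached -Algorithm SHA256).Hash

    # Status is 'Valid' only if the signature verifies and the certificate
    # path chains to a trusted root on this machine.
    $sig = Get-AuthenticodeSignature -FilePath $Installed

    [pscustomobject]@{
        Arch            = $Arch
        MatchesCache    = ($hInstalled -eq $hCached)
        InstalledSHA256 = $hInstalled
        SignatureStatus = $sig.Status
        StatusMessage   = $sig.StatusMessage
        Signer          = $sig.SignerCertificate.Subject
        SignerNotAfter  = $sig.SignerCertificate.NotAfter
        Timestamped     = [bool]$sig.TimeStamperCertificate
    }
}

'--- DLL integrity and signature ---'
$pairs | ForEach-Object { Test-SedDll $_.Arch $_.Installed $_.Cached } | Format-List

'--- Processes the driver injects into (DlpProcessList) ---'
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config'
$cfg = Get-ItemProperty -LiteralPath $key -Name DlpProcessList -ErrorAction SilentlyContinue
if ($cfg) { $cfg.DlpProcessList } else { 'DlpProcessList not readable or not present' }

'--- Per-process mitigation settings that can reject DLL loads ---'
# outlook.exe is a sample name taken from the user's report; repeat for any
# other affected process that appears in DlpProcessList.
Get-ProcessMitigation -Name 'outlook.exe' -ErrorAction SilentlyContinue |
    Select-Object ProcessName, BinarySignature, ImageLoad | Format-List

'--- Code Integrity / CAPI2 events that mention SophosED ---'
# CAPI2/Operational is disabled by default, so it may be empty.
$logs = 'Microsoft-Windows-CodeIntegrity/Operational',
        'Microsoft-Windows-CAPI2/Operational'
foreach ($log in $logs) {
    try {
        # Match on the event XML: CAPI2 keeps its detail there, not in Message.
        Get-WinEvent -LogName $log -MaxEvents 2000 -ErrorAction Stop |
            Where-Object { $_.ToXml() -match 'SophosED' } |
            Select-Object -First 20 -Property TimeCreated, Id, LevelDisplayName, LogName, Message |
            Format-List
    } catch {
        Write-Warning "${log}: $($_.Exception.Message)"
    }
}
```

A `MatchesCache` of `False` or a `SignatureStatus` other than `Valid` points at the file or its certificate path; matching, validly signed DLLs shift attention to the mitigation settings and the Code Integrity events.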