C:\Windows\System32\SophosED\SophosED.dll is either not designed to run on Windows 10

Hi Team,

Some of the users have started to complain about an error they are getting after the system restarts (C:\Windows\System32\SophosED\SophosED.dll is either not designed to run on Windows 10 22H2).

I am attaching the screenshot for more info.



[edited by: GlennSen at 3:14 AM (GMT -7) on 26 Mar 2024]
  • There is a 32-bit SophosED.dll and a 64-bit DLL which reside in the following locations:

    64-bit -  C:\Windows\System32\SophosED\SophosED.dll

    32-bit -  C:\Windows\Syswow64\SophosED\SophosED.dll

    Assuming there aren't any pending restarts and pending files, you could do a quick test to confirm that the file downloaded is the same as the "installed" files on disk by running:

    fc.exe C:\Windows\System32\SophosED\SophosED.dll C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x64\SophosED.dll

    fc.exe C:\Windows\SysWOW64\SophosED\SophosED.dll C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x86\SophosED.dll

    I assume the actual files are fine but they could be corrupt and this should check.

    These DLLs are injected into processes as they start. The SophosED.sys file system filter driver does the injecting. 32-bit processes get the 32-bit DLL, 64-bit, the 64-bit DLL.

    It only injects the DLLs if Data Control is enabled, and only into a set list of processes as defined in the registry: DlpProcessList under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config

    Which is why only some processes are affected.

    Do you have some sort of mitigation rules applied to the processes to prevent certain DLLs?

    Maybe check the CI event log.
    %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

    Anything in there?

    It may be worth running Process Monitor when you launch one of the processes in the DlpProcessList, just to see if you see the DLL being read, etc., and what comes after. Any clues there?

    I would also check the cert path of the cert to make sure that is fine.

    The CAPI2 event log might be interesting as well if this shows issues.
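The checks suggested in the reply above (file comparison, DlpProcessList, signature chain, Code Integrity and CAPI2 logs) gathered into one read-only PowerShell script; this is an added example, not the poster's or Sophos's own tooling. Paths, the registry key and the CodeIntegrity log name are those quoted in the reply; the CAPI2 log name and the one-day lookback are assumptions.

```powershell
# Added example: read-only triage of the SophosED.dll load failure. Run elevated.
$pairs = @(
    @{ Installed = 'C:\Windows\System32\SophosED\SophosED.dll'
       Cached    = 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x64\SophosED.dll' },
    @{ Installed = 'C:\Windows\SysWOW64\SophosED\SophosED.dll'
       Cached    = 'C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x86\SophosED.dll' }
)

foreach ($p in $pairs) {
    if (-not (Test-Path $p.Installed) -or -not (Test-Path $p.Cached)) {
        "MISSING: {0} or {1}" -f $p.Installed, $p.Cached
        continue
    }
    # 1. Same bytes as the downloaded copy? (same question the fc.exe check answers)
    $a = Get-FileHash -Algorithm SHA256 -Path $p.Installed
    $b = Get-FileHash -Algorithm SHA256 -Path $p.Cached
    "{0}: matches cache = {1}" -f $p.Installed, ($a.Hash -eq $b.Hash)

    # 2. Does the Authenticode chain still validate on this machine? (cert path check)
    $sig = Get-AuthenticodeSignature -FilePath $p.Installed
    "{0}: signature {1} ({2})" -f $p.Installed, $sig.Status, $sig.SignerCertificate.Subject
}

# 3. Which processes receive the DLL (injection only happens when Data Control is on)
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config'
$dlp = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DlpProcessList
"DlpProcessList: $($dlp -join ', ')"

# 4. Recent Code Integrity / CAPI2 events mentioning the DLL (CAPI2 log name assumed;
#    it is disabled by default and must be enabled in Event Viewer to record anything)
$since = (Get-Date).AddDays(-1)
$logs  = 'Microsoft-Windows-CodeIntegrity/Operational', 'Microsoft-Windows-CAPI2/Operational'
foreach ($log in $logs) {
    "--- $log ---"
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'SophosED' } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -replace '\s+', ' ').Substring(0, [Math]::Min(160, $_.Message.Length)) } } |
        Format-Table -Wrap
}
```

A hash mismatch points at a damaged or partially updated file; a signature status other than Valid, or Code Integrity events for the DLL, points at a trust or image-load policy problem rather than the file itself.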

