This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

C:\Windows\System32\SophosED\SophosED.dll is either not designed to run on windows10

Hi Team,

Some of the users have started to complain about the error after system restarting they are getting (C:\Windows\System32\SophosED\SophosED.dll is either not designed to run on windows 10 22H2).

I am attaching the screenshot for more info.



This thread was automatically locked due to age.
Parents
  • There is a 32-bit SophosED.dll and a 64-bit DLL which reside in the following locations:

    64-bit -  C:\Windows\System32\SophosED\SophosED.dll

    32-bit -  C:\Windows\Syswow64\SophosED\SophosED.dll

    Assuming there aren't any pending restarts and pending files, you could do a quick test to confirm that the file downloaded is the same as the "installed" files on disk by running:

    fc.exe C:\Windows\System32\SophosED\SophosED.dll C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x64\SophosED.dll

    fc.exe C:\Windows\SysWOW64\SophosED\SophosED.dll C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x86\SophosED.dll

    I assume the actual files are fine but they could be corrupt and this should check.

    These DLLs are injected into processes as they start.  The SophosED.sys file system filter driver does the injecting. 32-bit processes get the 32-bit DLL, 64-bit, the 64-bit DLL.

    It only injects the DLLs if Data Control is enabled, and only into a set list of processes as defined in the registry: DlpProcessList under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config

    Which is why only some processes are affected.

    Do you have some sort of mitigation rules applied to the processes to prevent certain DLLs?

    Maybe check the CI event log.
    %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

    Anything in there?

    It maybe worth running Process Monitor when you launch one of the processes in the DlpProcessList, just to see if you see the DLL being read, etc and what comes after. Any clues there?

    I would also check the cert path of the cert to make sure that is fine.

    The CAPI2 event log might be interesting as well if this shows issues.

Reply
  • There is a 32-bit SophosED.dll and a 64-bit DLL which reside in the following locations:

    64-bit -  C:\Windows\System32\SophosED\SophosED.dll

    32-bit -  C:\Windows\Syswow64\SophosED\SophosED.dll

    Assuming there aren't any pending restarts and pending files, you could do a quick test to confirm that the file downloaded is the same as the "installed" files on disk by running:

    fc.exe C:\Windows\System32\SophosED\SophosED.dll C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x64\SophosED.dll

    fc.exe C:\Windows\SysWOW64\SophosED\SophosED.dll C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\x86\SophosED.dll

    I assume the actual files are fine but they could be corrupt and this should check.

    These DLLs are injected into processes as they start.  The SophosED.sys file system filter driver does the injecting. 32-bit processes get the 32-bit DLL, 64-bit, the 64-bit DLL.

    It only injects the DLLs if Data Control is enabled, and only into a set list of processes as defined in the registry: DlpProcessList under:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sophos Endpoint Defense\Scanning\Config

    Which is why only some processes are affected.

    Do you have some sort of mitigation rules applied to the processes to prevent certain DLLs?

    Maybe check the CI event log.
    %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx

    Anything in there?

    It maybe worth running Process Monitor when you launch one of the processes in the DlpProcessList, just to see if you see the DLL being read, etc and what comes after. Any clues there?

    I would also check the cert path of the cert to make sure that is fine.

    The CAPI2 event log might be interesting as well if this shows issues.

Children
No Data