One of the following messages is reported to the console:
e03d000f "The on-access driver was unable to create an impersonation token for file <filename>"
e03d02f0 "Could not obtain an impersonation token for a resource shielding event."
First seen in Sophos Anti-Virus for Windows 2000+
Part of the resource shielding process is to create an impersonation token based on the supplied access token or the security context of the current thread. This token is then sent to the SAVService (on-access scanner) process.
This issue can be seen on several different computers at different times, spread over a long period. The error can appear randomly and then disappear because the computer(s) in question temporarily ran low on memory. This performance issue then impedes Sophos Endpoint Security and Control and its ability to scan in various ways.
There are several causes of the alert from an endpoint computer:
The errors mentioned above do not indicate a problem with Sophos Endpoint Security and Control and its ability to scan. As such they can be acknowledged without further action.
If the computer shows an increasing number of these errors, it may be an indication of a larger problem.
Check the Windows event logs (Start | Run | Type: eventvwr.msc | Press return) and look for other incidents of this error and/or further warnings and errors. Also determine which process(es) are putting the computer under load and at what times/dates the error is generated. Errors repeating at a particular time of day could indicate that another program or function, scheduled at that time, is affecting system resources.
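The time-of-day check described above can be scripted once the relevant events have been exported from Event Viewer. The following is an added example, not Sophos code: it assumes a CSV export with the columns timestamp, level, source and message, and the sample rows and source names are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in an assumed CSV layout (timestamp, level, source, message);
# source names and rows are made up, only the quoted error text comes from this page.
SAMPLE_EXPORT = """\
timestamp,level,source,message
2017-05-01 02:03:11,Error,ExampleAV,Could not obtain an impersonation token for a resource shielding event.
2017-05-01 02:01:40,Warning,ExampleBackup,Nightly job started; memory usage high
2017-05-01 14:22:05,Warning,ExampleUpdater,Retrying download
2017-05-02 02:04:57,Error,ExampleAV,Could not obtain an impersonation token for a resource shielding event.
2017-05-02 02:00:12,Warning,ExampleBackup,Nightly job started; memory usage high
2017-05-03 02:06:30,Error,ExampleAV,Could not obtain an impersonation token for a resource shielding event.
2017-05-03 09:15:00,Error,ExampleAV,Could not obtain an impersonation token for a resource shielding event.
2017-05-03 02:02:44,Warning,ExampleBackup,Nightly job started; memory usage high
"""

NEEDLE = "impersonation token"  # text common to both messages quoted on this page


def recurring_hours(export_text, min_days=3):
    """Return {hour: {"days": n, "other_sources": [...]}} for hours of the day in
    which the token error appeared on at least min_days distinct dates."""
    error_days = defaultdict(set)   # hour -> dates on which the token error was logged
    others = defaultdict(set)       # (date, hour) -> other sources logging in that hour
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        if NEEDLE in row["message"].lower():
            error_days[ts.hour].add(ts.date())
        else:
            others[(ts.date(), ts.hour)].add(row["source"])
    result = {}
    for hour, days in error_days.items():
        if len(days) < min_days:
            continue  # isolated occurrences are not a time-of-day pattern
        # Sources that logged warnings/errors in the same hour on every affected day
        common = set.intersection(*(others[(d, hour)] for d in days))
        result[hour] = {"days": len(days), "other_sources": sorted(common)}
    return result


if __name__ == "__main__":
    for hour, info in sorted(recurring_hours(SAMPLE_EXPORT).items()):
        print(f"{hour:02d}:00  days={info['days']}  also active: {info['other_sources']}")
```

Sources listed as also active in a recurring hour are candidates for the scheduled program or function that is loading the computer at that time.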
See the appropriate Microsoft article below:
For further reading see: RAM, Virtual Memory, Pagefile and all that stuff
Note: Sophos Technical Support does not hold a list of vendor-specific exclusions for third-party applications or computer roles. We recommend you contact the particular software vendor for the most precise list.