
Advisory: Winlogon.exe detected as Troj/FarFli-CT

  • Article ID: 125000
  • Updated: 6 Jun 2017
  • 93 people found this helpful
  • Available in: English | Español | Italiano | 日本語 | Français | Deutsch

This issue was resolved in September 2016 and no action is required. This article remains available for reference purposes only.

Background and Context

On September 4, 2016, Sophos experienced a fault in one of our endpoint protection verification systems and incorrectly identified a known good file as malware on a specific version of 32-bit Windows 7 SP1. Sophos issued a fix that corrected the problem within hours. A very small number of users running this specific 32-bit version of Windows 7 SP1 may have required an additional procedure to be able to log on to an affected computer.

Based on current case volume and customer feedback, we believe the number of impacted systems to be minimal and confined to a small number of cases. The most common impact to our customer base is that some administrators may need to clear several erroneous alerts from their administrator consoles.

Details

In your Console (Sophos Enterprise Console, Sophos Central, Sophos UTM or Sophos Home) you may see something similar to this:

Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Windows\System32\winlogon.exe". Cleanup unavailable.

SophosLabs fixed this issue in the IDE "java-aqr.ide", which was released on Sunday, September 4, 2016 at 7am UTC. All endpoints should already have received this update, or will receive it when they are next turned on. Once the update is deployed to an endpoint, no further alerts will be generated, although some manual actions may still be required.

This only affected some computers running 32-bit Windows 7 SP1.

In most cases the main action needed is to clear the alerts from the Console:

  • In Sophos Enterprise Console (SEC), right-click the alert and select “Resolve Alerts and Errors”

  • In Sophos Central, click “Mark as Acknowledged”

  • In Sophos UTM, click “Resolve All”

  • In Sophos Home, click “Ignore”
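Before acknowledging alerts in bulk, it is worth separating the alerts this fault explains from any that it does not. The following triage script is an added example, not Sophos tooling; it assumes an alert export in which each line carries a UTC timestamp and hostname ahead of the console alert text shown above (both sample lines and that layout are constructed here), and it treats only a 'Troj/FarFli-CT' alert on winlogon.exe raised before the java-aqr.ide release time as the known false positive:

```python
import re
from datetime import datetime, timezone

# Known false-positive signature from this advisory. Alerts after the IDE
# release time, or on a different path, are not explained by the fault.
FP_DETECTION = "Troj/FarFli-CT"
FP_PATH = r"c:\windows\system32\winlogon.exe"
FIX_RELEASED = datetime(2016, 9, 4, 7, 0, tzinfo=timezone.utc)

# Assumed export layout (not the console's real format):
# "<UTC timestamp>Z <hostname> <alert text as shown in the console>"
ALERT_RE = re.compile(
    r'''^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z (?P<host>\S+) '''
    r'''Virus/spyware '(?P<name>[^']+)' has been detected in "(?P<path>[^"]+)"'''
)

def classify(line):
    """Return (host, verdict) or None for a line that is not an alert.
    Verdicts: known_false_positive, needs_review (same detection name but the
    path or time does not fit the advisory), other (unrelated detection)."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    if m["name"] != FP_DETECTION:
        return m["host"], "other"
    if m["path"].lower() == FP_PATH and ts < FIX_RELEASED:
        return m["host"], "known_false_positive"
    return m["host"], "needs_review"

def triage(lines):
    """Group hostnames by verdict so only the known false positives are cleared."""
    groups = {"known_false_positive": set(), "needs_review": set(), "other": set()}
    for line in lines:
        r = classify(line)
        if r:
            groups[r[1]].add(r[0])
    return groups

# Constructed sample export: two true false positives, one alert after the fix,
# one on an unexpected path, and one unrelated detection.
SAMPLE_ALERTS = [
    r'''2016-09-04T05:12:41Z ws-017 Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Windows\System32\winlogon.exe". Cleanup unavailable.''',
    r'''2016-09-04T06:58:03Z ws-042 Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Windows\System32\winlogon.exe". Cleanup unavailable.''',
    r'''2016-09-04T09:30:00Z ws-088 Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Windows\System32\winlogon.exe". Cleanup unavailable.''',
    r'''2016-09-04T05:40:00Z ws-103 Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Users\Public\update.exe". Cleanup unavailable.''',
    r'''2016-09-04T05:41:00Z ws-017 Virus/spyware 'Mal/Generic-S' has been detected in "C:\Temp\a.exe". Cleanup unavailable.''',
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_ALERTS).items():
        print(f"{verdict}: {sorted(hosts)}")
```

Hosts that land in needs_review should be investigated as ordinary detections rather than acknowledged with the rest.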

In a few cases, depending on the policy in force and on whether the user attempted to log in before the fix was in place, users may see a black screen after entering their credentials when attempting to log in. In such instances, the recommendation is simply to wait for about 15 minutes:

  1. Wait for the next scheduled Sophos update to trigger. This is typically around 5 minutes from boot.

  2. Following the Sophos update, a Microsoft ten-minute retry loop checks for the presence of winlogon.exe, allowing logon to complete.

In rare instances, where the default Windows setting has been changed to disable Microsoft System Protection, additional steps may be needed to restore winlogon.exe. Please contact your local Sophos support team for further assistance.

You may also want to clear any residual alerts related to 'Troj/FarFli-CT' from the local Quarantine (although this step is not needed to return the computer to normal operation):

  1. Open Sophos Endpoint Security and Control

  2. Click the Quarantine link

  3. Select the quarantined event for 'Troj/FarFli-CT'

  4. Click Clear from list

Customers running Sophos for vShield may have experienced a blue screen on a Guest VM as opposed to a black screen. As long as the SVM is running and up to date, guest VMs should operate correctly without further issues once restarted.

Related information

  • How to determine whether you're receiving the latest data protection updates
  • Latest data protection update information
