This was resolved in September 2016 and no action is required. However, this article remains available for reference purposes only.
On September 4, 2016, Sophos experienced a fault in one of our endpoint protection verification systems and incorrectly identified a known good file as malware on a specific version of 32-bit Windows 7 SP1. Sophos issued a fix that corrected the problem within hours. A very small number of users running this specific 32-bit version of Windows 7 SP1 may have required an additional procedure to be able to log on to an affected computer.
Based on current case volume and customer feedback, we believe the number of impacted systems to be minimal and confined to a small number of cases. The most common impact to our customer base is that some administrators may need to clear several erroneous alerts from their administrator consoles.
In your Console (Sophos Enterprise Console, Sophos Central, Sophos UTM or Sophos Home) you may see something similar to this:
Virus/spyware 'Troj/FarFli-CT' has been detected in "C:\Windows\System32\winlogon.exe". Cleanup unavailable.
SophosLabs has fixed this issue in the IDE "java-aqr.ide" which was released on Sunday, September 4, 2016 at 7am UTC. All endpoints should have received this update or will receive this update when they turn on. Once deployed to endpoints no further alerts will be generated, although a number of manual actions may be required.
This only affected some computers running 32-bit Windows 7 SP1.
In most cases the main action needed is to clear the alerts from the Console:
In a few cases, depending on the policy in force and depending whether the user attempted a log in before the fix was in place, users may see a black screen on their machine when attempting to login after entering their credentials. In such instances, the recommendation is simply to wait for about 15 minutes:
In rare instances, where the default Windows setting has been changed to disable Microsoft System Protection, additional steps may be needed to restore winlogon.exe. Please contact your local Sophos support team for further assistance.
You may also want to clear any residual alerts related to 'Troj/FarFli-CT' from the local Quarantine (although this step is not needed to return the computer to normal operation):
Customers running Sophos for vShield may have experienced a blue screen on a Guest VM as opposed to a black screen. As long as the SVM is running and up to date, guest VMs should operate correctly without further issues once restarted.
If you have spotted an error or would like to provide feedback on this article, please use the section below to rate and comment on the article. This is invaluable to us to ensure that we continually strive to give our customers the best information possible.
Every comment submitted here is read (by a human) but we do not reply to specific technical questions. If you need technical support please post a question to our community. Alternatively for licensed products open a support ticket.