Following the re-categorization of DiskCryptor (and BestCrypt) from Controlled Applications (AppC) to Potentially Unwanted Applications (PUAs), made to combat a growing number of ransomware attacks using these tools (further information available here), a limited subset of customers encountered issues where their machines would no longer boot following a reboot. Sophos was first made aware of this issue on Wednesday 15th July, following the release on Monday 13th July. The issue was triggered because the dcrypt.sys filter driver component of DiskCryptor was correctly identified as a PUA and then cleaned up. After the machines were rebooted, the DiskCryptor bootloader was unable to load, so the system volume could not be decrypted and the machines failed to boot. This issue only affects customers who had not authorized DiskCryptor prior to rebooting their machines. On Wednesday 15th July the decision was made to temporarily revert this change until a full investigation and root cause analysis (RCA) of the trigger for the issue has been completed. No issues have been identified relating to BestCrypt; however, that detection has also been rolled back as a precaution.
Applies to the following Sophos product(s) and version(s):
Central Windows Endpoint Intercept X 2.0.17
Central Server Intercept X 2.0.17
Sophos Endpoint Security and Control 10.8.9
Customers affected by the issue who rebooted prior to Wednesday 15th July would find that affected machines are unable to boot into Windows. Customers running Sophos Endpoint Security and Control (managed by the Sophos Enterprise Console or standalone) would have seen the PUA detection for DiskCryptor blocked; however, no automatic cleanup would have taken place, so it is unlikely they would have encountered any boot issues. Any customer who would potentially have been affected by the issue but did not reboot prior to Wednesday 15th July will not encounter the boot issues, as the files will have been restored. A customer can verify that they are no longer affected by the issue using the methods below:
This article will be updated when information becomes available