
Getting Error After New Update (Sophos~1.DLL)

Hello everyone, 

Today we started receiving errors on a couple of our Windows machines, particularly the ones with Windows 7 installed.

The error states 

Window Title > LogonUI.exe Bad Image

Message > C:\Windows\system32\SophosAV\SOPHOS~1.DLL\ is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

I had an issue where the Sophos UI was all broken on these machines, therefore I had to use cmd for Anti Tamper deactivation.

The error persists even after reinstalling Sophos, also the installer has been downloaded straight from Sophos Central. 

Any help would be appreciated. 

Thanks!



This thread was automatically locked due to age.
  • I have exactly the same issue on all PCs (70 PCs): same error when we try to open any application.

  • Does installing the Microsoft patches help? KBs 4474419 and 4490628.

    If the referenced DLL is just the issue, there are a few ways to prevent them loading. They are loaded into processes as they start based on the keys:

    Native processes, i.e. 64 on 64-bit or 32-bit on 32-bit:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\system32\\SophosAV\\SOPHOS~1.DLL"
    "LoadAppInit_DLLs"=dword:00000001

    32-bit on 64-bit:

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\SysWOW64\\SophosAV\\SOPHOS~1.DLL"
    "LoadAppInit_DLLs"=dword:00000001

    The paths are 8.3 and they are essentially here:

    • Native - C:\Windows\System32\SophosAV\sophos_detoured_x64.dll
    • 32-bit on 64 - C:\Windows\SysWOW64\SophosAV\sophos_detoured.dll

    The LoadAppInit_DLLs DWORD has to be 1 for this technology to work. The Sophos installer does set it if it updates, but if you set "LoadAppInit_DLLs"=dword:00000001 to 0 for each, then the DLLs referenced in the AppInit_DLLs key will not get loaded.

    Of course you could equally remove the Sophos paths in the keys.  This would be the case if there were other AppInit DLLs in use.

    The Sophos installer also has a key, according to

    https://community.sophos.com/products/sophos-central/f/general/102069/not-able-to-install-sophos-endpoint-after-uninstall

    64-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    32-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    This will prevent the installer from adding the AppInit DLLs.

    Of course, some of these will be protected by Tamper Protection, but it might give you some options if you fully understand how it comes to be loaded and installed.

    The DLL is really only used now for Data Control.

    Regards,

    Jak
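
A read-only check of the registry values named in the reply above, added here as an example; it is not code from the thread or from Sophos. The function names are hypothetical, and it assumes a native PowerShell session (64-bit on 64-bit Windows) so that `HKLM:\SOFTWARE` is not redirected.

```powershell
# Read-only audit: reports values, changes nothing.
# Assumption: native PowerShell session, so HKLM:\SOFTWARE is the native view.
$winKeys = @{
    'Native'           = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    '32-bit on 64-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
}
$setupKeys = 'HKLM:\SOFTWARE\WOW6432Node\Sophos\SAVService\SetupOptions',
             'HKLM:\SOFTWARE\Sophos\SAVService\SetupOptions'

function Get-AppInitReport {                      # hypothetical helper name
    foreach ($view in $winKeys.Keys) {
        $key = $winKeys[$view]
        if (-not (Test-Path $key)) { continue }   # no WOW6432Node on 32-bit Windows
        $props = Get-ItemProperty -Path $key
        # AppInit_DLLs entries are delimited by spaces or commas.
        $dlls = @("$($props.AppInit_DLLs)" -split '[ ,]+' | Where-Object { $_ })
        if ($dlls.Count -eq 0) { $dlls = @('(none)') }
        foreach ($dll in $dlls) {
            $exists = Test-Path -LiteralPath $dll
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'n/a' }
            New-Object PSObject -Property @{
                View = $view; LoadAppInit = $props.LoadAppInit_DLLs
                Dll = $dll; Exists = $exists; Signature = $sig
            }
        }
    }
}

function Get-DetourDllState {                     # hypothetical helper name
    foreach ($key in $setupKeys) {
        if (Test-Path $key) {
            # Empty when the value is not set; "excluded" stops the installer adding the DLLs.
            New-Object PSObject -Property @{
                Key = $key; DetourDLLState = (Get-ItemProperty -Path $key).DetourDLLState
            }
        }
    }
}

Get-AppInitReport  | Format-Table View, LoadAppInit, Dll, Exists, Signature -AutoSize
Get-DetourDllState | Format-Table Key, DetourDLLState -AutoSize
```

Any row with `LoadAppInit` equal to 1 and a `Dll` entry that is missing, or whose signature status is not `Valid`, identifies a library that will be attempted in every process that loads user32.dll.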

  • Updating this thread. Please view the following KBA:


    Florentino
    Director, Global Community & Digital Support

  • Thanks for detailed information.


    There are two of the same update for the same OS.
    Which ones have to be installed?


    kb4474419
    2019-08 Security Update for Windows 7 for x64-based Systems (KB4474419) Windows 7 Security Updates 8/12/2019
    2019-09 Security Update for Windows 7 for x64-based Systems (KB4474419) Windows 7 Security Updates 9/9/2019

    kb4490628
    2019-03 Servicing Stack Update for Windows 7 for x64-based Systems (KB4490628) Windows 7 Security Updates 3/10/2019
    2019-03 Servicing Stack Update for Windows 7 for x64-based Systems (KB4490628) Windows 7 Security Updates 3/11/2019
