Boot failure - Sophosed.sys corrupted

The Sophosed.sys file is corrupted causing a Windows 10 system boot failure.  This driver file is located in \Windows\System32\Drivers\.  Only the command prompt (not Safeboot) can be accessed.  I can access an external USB drive and can transfer files.  Where can I find a copy of this file?  Or is there any way to uninstall/disable Sophos from a command line?



This thread was automatically locked due to age.
  • You might find a copy here:

    C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64

    This is the file downloaded by AutoUpdate before being installed.

    I assume if you rename \Windows\System32\Drivers\sophosed.sys, the computer boots fine?

    Regards,

    Jak

  • Ran into boot failure for the same reason on a Server 2008 R2 x64 (not sp1) ESXi vm running Sophos Central Endpoint Agent 2.6.0 BETA.  Boot attempts resulted in Status: 0xc0000225 Info: The boot selection failed because a required device is inaccessible.  Same failure attempting boot into safe mode or repair from the OS boot menu.  Startup repair attempt from the 2008 R2 iso environment failed but the log from that indicated Boot critical file \windows\system32\drivers\sophosed.sys is corrupt.  Renaming that file as Jak pointed out has fixed the Windows boot failure.  After getting back into Windows the Sophos endpoint showed service failures due to Sophos Endpoint Defense Mini-Filter (SophosED) stopped that didn't resolve after manually updating or rebooting.  Renaming the file back and rebooting resulted in the same boot failure requiring renaming it again from the iso repair environment.  The sophosed.sys timestamp and size within \system32\drivers was identical to the one in C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\ - Sophos uninstall attempts from gui or cli or safe mode failed due to being unable to stop some services even with tamper protect disabled and service startup types changed to disabled.  Eventually got it uninstalled cleanly through some combination of manually disabling services, cli uninstallers, and reboots and then a fresh install succeeded.  This isn't SEC but the underlying component causing the problem seems to be related between the products and hopefully the keywords benefit others searching.

    EDIT: installing SP1 for 2008 R2 and latest windows updates resolves the problem and probably ties into this: https://community.sophos.com/kb/en-us/135504
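
The post above compares the installed driver with the cached copy by timestamp and size; the script below is an added example (not from the thread or from Sophos) that compares them by SHA-256 and reports each file's Authenticode status. It assumes the cached file is named sophosed.sys inside the sed64 folder; pass other paths if the driver was renamed or the disk is mounted elsewhere.

```powershell
# Added example: compare the installed Sophos driver with the AutoUpdate cache copy.
# Assumption: the cached file is called sophosed.sys inside the sed64 folder.
param(
    [string]$Installed = "$env:SystemRoot\System32\drivers\sophosed.sys",
    [string]$Cached    = "$env:ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\sophosed.sys"
)

function Get-Sha256Hex([string]$Path) {
    # Uses .NET directly so it also runs on PowerShell 2.0, which has no Get-FileHash.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '')
    } finally {
        $stream.Close()
        $sha.Clear()
    }
}

function Get-DriverInfo([string]$Path) {
    $item   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path         = $Path
        Length       = $item.Length
        LastWriteUtc = $item.LastWriteTimeUtc
        Sha256       = Get-Sha256Hex $Path
        Signature    = $sig.Status      # as evaluated by the system running the script
        Signer       = $signer
    }
}

$a = Get-DriverInfo $Installed
$b = Get-DriverInfo $Cached
$a, $b | Format-List Path, Length, LastWriteUtc, Sha256, Signature, Signer

if ($a.Sha256 -eq $b.Sha256) {
    "Hashes match: both files are byte-identical, so recopying from the cache changes nothing."
} else {
    "Hashes differ: the files are not the same, even if size and timestamp agree."
}
if ($a.Signature -ne 'Valid') {
    "Installed driver signature status on this system: $($a.Signature)"
}
```

The signature status reflects the trust store and OS of the machine running the script, so run it on the affected system (or one at the same patch level) for a meaningful result.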
