
Boot failure - Sophosed.sys corrupted

The Sophosed.sys file is corrupted, causing a Windows 10 system boot failure. This driver file is located in \Windows\System32\Drivers\. Only the command prompt (not Safeboot) can be accessed. I can access an external USB drive and can transfer files. Where can I find a copy of this file? Or is there any way to uninstall/disable Sophos from a command line?



  • You might find a copy here:

    C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64

    This is the file downloaded by AutoUpdate before being installed.

    I assume if you rename \Windows\System32\Drivers\sophosed.sys, the computer boots fine?

    Regards,

    Jak

  • Ran into boot failure for the same reason on a Server 2008 R2 x64 (not SP1) ESXi VM running Sophos Central Endpoint Agent 2.6.0 BETA. Boot attempts resulted in Status: 0xc0000225 Info: The boot selection failed because a required device is inaccessible. Same failure attempting boot into safe mode or repair from the OS boot menu. Startup repair attempt from the 2008 R2 ISO environment failed, but the log from that indicated Boot critical file \windows\system32\drivers\sophosed.sys is corrupt. Renaming that file as Jak pointed out has fixed the Windows boot failure. After getting back into Windows, the Sophos endpoint showed service failures due to Sophos Endpoint Defense Mini-Filter (SophosED) being stopped, which didn't resolve after manually updating or rebooting. Renaming the file back and rebooting resulted in the same boot failure, requiring renaming it again from the ISO repair environment. The sophosed.sys timestamp and size within \system32\drivers were identical to the one in C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\. Sophos uninstall attempts from GUI or CLI or safe mode failed due to being unable to stop some services, even with tamper protect disabled and service startup types changed to disabled. Eventually got it uninstalled cleanly through some combination of manually disabling services, CLI uninstallers, and reboots, and then a fresh install succeeded. This isn't SEC, but the underlying component causing the problem seems to be related between the products, and hopefully the keywords benefit others searching.

    EDIT: installing SP1 for 2008 R2 and the latest Windows updates resolves the problem and probably ties into this: https://community.sophos.com/kb/en-us/135504

  • Hi  

    Thank you for updating the steps you have performed to resolve the issue. Just to add, you can also take a look at the Sophos ZAP tool if you are facing issues during uninstallation.

    Shweta

    Community Support Engineer | Sophos Technical Support