
Getting Error After New Update (Sophos~1.DLL)

Hello everyone, 

Today we started receiving errors on a couple of our Windows machines, particularly the ones with Windows 7 installed.

The error states 

Window Title > LogonUI.exe Bad Image

Message > C:\Windows\system32\SophosAV\SOPHOS~1.DLL\ is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.

I had an issue where the Sophos UI was all broken on these machines, therefore I had to use cmd for Anti Tamper deactivation.

The error persists even after reinstalling Sophos. Also, the installer has been downloaded straight from Sophos Central.

Any help would be appreciated. 

Thanks!



  • I have exactly the same issue on all PCs (70 PCs): the same error when we try to open any application.

  • Does installing the Microsoft patches help? KBs 4474419 and 4490628.

    If the referenced DLL is just the issue, there are a few ways to prevent them loading. They are loaded into processes as they start based on the keys:

    Native processes, i.e. 64 on 64-bit or 32-bit on 32-bit:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\system32\\SophosAV\\SOPHOS~1.DLL"
    "LoadAppInit_DLLs"=dword:00000001

    32-bit on 64-bit:

    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"="C:\\WINDOWS\\SysWOW64\\SophosAV\\SOPHOS~1.DLL"
    "LoadAppInit_DLLs"=dword:00000001

    The paths are 8.3 and they are essentially here:

    • Native - C:\Windows\System32\SophosAV\sophos_detoured_x64.dll
    • 32-bit on 64 - C:\Windows\SysWOW64\SophosAV\sophos_detoured.dll

    The LoadAppInit_DLLs DWORD has to be 1 for this technology to work. The Sophos installer does set it if it updates, but if you set "LoadAppInit_DLLs"=dword:00000001 to 0 for each, then the DLLs referenced in the AppInit_DLLs key will not get loaded.

    Of course you could equally remove the Sophos paths in the keys.  This would be the case if there were other AppInit DLLs in use.

    The Sophos installer also has a key, according to

    https://community.sophos.com/products/sophos-central/f/general/102069/not-able-to-install-sophos-endpoint-after-uninstall

    64-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    32-bit computers:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\SAVService\SetupOptions]
    "DetourDLLState"="excluded"

    This will prevent the installer from adding the AppInit DLLs.

    Of course, some of these will be protected by Tamper Protection but it might give you some options if you fully understand how it comes to be loaded and installed.

    The DLL is really only used now for Data Control.

    Regards,

    Jak
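
A read-only check of the two AppInit keys named in the reply above, showing for each listed DLL whether the file exists and what its Authenticode status is. This is an added example, not part of the original reply and not Sophos code; it assumes an elevated 64-bit PowerShell session, and `RequireSignedAppInit_DLLs` is a standard Windows value that the thread itself does not mention.

```powershell
# Added example: read-only audit of AppInit_DLLs in both registry views. Changes nothing.
# Run from 64-bit PowerShell on 64-bit Windows so HKLM:\SOFTWARE is not redirected
# to WOW6432Node. Written to work on PowerShell 2.0 (the Windows 7 default).
$views = @(
    @{ Name = 'Native';           Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows' },
    @{ Name = '32-bit on 64-bit'; Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows' }
)

$report = foreach ($view in $views) {
    if (-not (Test-Path -Path $view.Key)) { continue }   # WOW6432Node is absent on 32-bit Windows

    $props = Get-ItemProperty -Path $view.Key
    # AppInit_DLLs is a space- or comma-delimited list, hence the short (8.3) paths.
    $dlls = @(([string]$props.AppInit_DLLs) -split '[ ,]+' | Where-Object { $_ })
    if ($dlls.Count -eq 0) { $dlls = @('(none)') }

    foreach ($dll in $dlls) {
        $exists = ($dll -ne '(none)') -and (Test-Path -LiteralPath $dll -PathType Leaf)
        $status = 'n/a'
        $signer = $null
        if ($exists) {
            # Status is Valid, NotSigned, HashMismatch, UnknownError, ...
            $sig    = Get-AuthenticodeSignature -FilePath $dll
            $status = $sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            View          = $view.Name
            LoadAppInit   = $props.LoadAppInit_DLLs            # 1 = listed DLLs are loaded
            RequireSigned = $props.RequireSignedAppInit_DLLs   # blank if the value is not set
            Dll           = $dll
            Exists        = $exists
            Signature     = $status
            Signer        = $signer
        }
    }
}

# PowerShell 2.0 does not keep hashtable order, so name the columns explicitly.
$report | Format-List View, LoadAppInit, RequireSigned, Dll, Exists, Signature, Signer
```

Any entry that is not an expected vendor DLL, is missing on disk, or does not report `Valid` is worth following up before the keys are edited.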
