Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Subscribers 1 subscriber
  • Views 17827 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Cannot disable Sophos 10 LSP

ThisGuy

We're having issues disabling the Sophos 10 64-bit LSP using the following command:

C:\ProgramData\Sophos\Web Intelligence\swi_lsp32_util.exe -u -d swi_ifslsp_64.dll 

This works on he 32-bit version, but not the 64. After running the above command we get the following error:

retrieveLSPGUID: LoadLibraryA(swi_ifslsp_64.dll) failed: 193

Has anyone run into this before? Google didn't have much to say about that error. 

Thanks in advance. 

EDIT:

I forgot to add that I also tried using Windows 7 regsvr32 /u, but it did not work. I got the following error:

The module "C:\Program Data\Sophos\Web Intelligence\swi_ifslsp_64.dll" failed to load.

Make sure the binary is stored at the specified path or debug it to check for problems with the binary or dependent .DLL files.

The specified module could not be found.

:55021


This thread was automatically locked due to age.
  • 0

    The LSP is disabled as a result of the following features being disabled:

    • Web Control
    • Download scanning
    • Malicious website blocking

    All 3 use the LSP but if all are disabled there is no need for the LSP.

    If the computer enters this state then a registry key value called swiupdateaction (off the top of my head) is created under the webintelligence registry key: hklm`software`sophos`webintelligence. It is given the value of 3 (if I recall correctly).

    When the Sophos Web Intelligence Update service next starts (typically at the next startup), if it reads a value of 3 it knows to remove the LSP from winsock.  You could just start the service when in this state to remove it, the idea behind it being deferred to start is to minimise issues with running applications.

    Regards,

    Jak

    :55030
  • 0

    Thanks for the reply!

    I don't see Sophos under HKLM\SOFTWARE. I also did a search through the registry for "swiupdateaction", but no results came back. 

    I'm looking around now for something that fits the path and value you gave. 

    :55051
  • 0

    Hello,

    As an example, on Win7, if I open the SAV UI and go to Configure - Anti-Virus - Web protection, and set both to Off.

    Then if enabled turn off Web control, via: Configure - Web control and disable that.

    Under:
    hklm`software`wow6432node`sophos`web Intelligence`

    (assume 64-bit) there should be a dword value called SwiUpdateAction, and will be set to 3.

    Starting the service:

    Sophos web intelligene update service

    will read that value and remove the LSP.

    This action can be confirmed by running:

    netsh winsock show catalog > cat.txt

    cat.txt will have no reference to Sophos if the LSP is removed.

    Another way of removing the LSPs is to run:

    netsh winsock reset

    But be careful with this one,  it will return winsock to the default state, i.e. remove all LSPs including any other third party ones.

    Checking the cat.txt first would allow you to see if there are any others.

    Regards

    :55053
  • 0

    That's it! Thank you very much, Jak!

    :55054
  • 0

    Alright, so the SwiUpdateAction value was there on one machine. Looking at a few others and they do not have that. I'm looking at both HKLM\SOFTWARE\Sophos\Web Intelligence and HKLM\SOFWARE\Wow6432Node\Sophos\Web Intelligence and SwiUpdateAction is not there. 

    On-access scanning is enabled and the swi_ifslsp.dll is showing in the netsh winsock catalog. 

    EDIT:

    The initial machine where I set the SwiUpdateAction value to "3" from "7" is also no longer showing up. I would think it would show with a value of "3" now, but the "SwiUpdateAction" entry is gone. 

    :55055
Unfiltered HTML