This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SOPHOOS~1.DLL and sophos_detoured.dll

Hi Everyone,

I have been getting alerts on another one of our security products detecting both of the DLL files in the title as malicious. From my research it seems to be when the server the changes happen on reboot. It makes a change to the AppInit DLLs. I just wanted to double check if that seems correct. Below is the REG that it changes triggering the alert.

HKEY_LOCAL_MACHINE\\Software\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs

Thank you all.

This thread was automatically locked due to age.

Top Replies

Sophos User930 over 2 years ago in reply to TheNewGuy +2 verified

Well the keys you mention are only added by the Sophos Anti-Virus installer at install. When Sophos performs a major update, it might uninstall and re-install which could cause it to remove and re-add…

Parents

0 Sophos User930 over 2 years ago

Are you using the on-premise SEC managed client?

Sophos Anti-Virus used to use the AppInit_Dlls key you mention to ensure that the Sophos detours DLL was loaded into processes for the purpose of data control and buffer overflow protection.

In the Central client at least, this is no longer used, mainly because it doesn't work if Secure boot is enabled. Now the sophosed.sys driver injects the DLL as processes start.

So in summary, this is something that the Sophos Anti-Virus install used to do but no longer does. I can only think you must be running an old version of Sophos.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Sophos User930 over 2 years ago

Are you using the on-premise SEC managed client?

Sophos Anti-Virus used to use the AppInit_Dlls key you mention to ensure that the Sophos detours DLL was loaded into processes for the purpose of data control and buffer overflow protection.

In the Central client at least, this is no longer used, mainly because it doesn't work if Secure boot is enabled. Now the sophosed.sys driver injects the DLL as processes start.

So in summary, this is something that the Sophos Anti-Virus install used to do but no longer does. I can only think you must be running an old version of Sophos.
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 Sophos User930 over 2 years ago in reply to Sophos User930

Sophos Endpoint: UEFI and Secure Boot compatible computers prevent Data Control from working details this. What OS are you seeing this on? Windows 7?
Cancel
Vote Up 0 Vote Down

Cancel
0 TheNewGuy over 2 years ago in reply to Sophos User930

It could absolutely be out of date. It does it about once a month. The OS is Windows Server 2012. I think I will check the updates and see if that is once triggering it. Thank you for the help.
Cancel
Vote Up 0 Vote Down

Cancel
0 Sophos User930 over 2 years ago in reply to TheNewGuy

I think 2012 and Windows 7 are the same platform, so it could be that Sophos on that OS still uses the appinit_dlls key which is fine. Unless it's causing an issue?
Cancel
Vote Up 0 Vote Down

Cancel
0 TheNewGuy over 2 years ago in reply to Sophos User930

So currently it is up to date. SOPHOS~1 ran twice this month on the device but our other security tool only reported it as malicious once. I will keep researching.
Cancel
Vote Up 0 Vote Down

Cancel
0 TheNewGuy over 2 years ago in reply to Sophos User930

No issues just researching to see if this was malicious as reported or was a false alarm. I am leaning to false alarm but wanted to provide better info on why.
Cancel
Vote Up 0 Vote Down

Cancel
+1 Sophos User930 over 2 years ago in reply to TheNewGuy

Well the keys you mention are only added by the Sophos Anti-Virus installer at install. When Sophos performs a major update, it might uninstall and re-install which could cause it to remove and re-add the keys. This wouldn't happen more than once a month. It is all expected.
Cancel
Vote Up +2 Vote Down

Cancel