SOPHOOS~1.DLL and sophos_detoured.dll

Hi Everyone,

I have been getting alerts from another one of our security products detecting both of the DLL files in the title as malicious. From my research, it seems the changes happen when the server reboots. It makes a change to the AppInit DLLs. I just wanted to double check that this seems correct. Below is the registry value it changes, which triggers the alert.

HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

Thank you all.
  • Are you using the on-premise SEC managed client?

    Sophos Anti-Virus used to use the AppInit_Dlls key you mention to ensure that the Sophos detours DLL was loaded into processes for the purpose of data control and buffer overflow protection. 

    In the Central client at least, this is no longer used, mainly because it doesn't work if Secure boot is enabled.  Now the sophosed.sys driver injects the DLL as processes start.

    So in summary, this is something that the Sophos Anti-Virus install used to do but no longer does.  I can only think you must be running an old version of Sophos.
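For anyone triaging an alert like the one above, the check worth running is to read both AppInit_DLLs locations (the native key and the WOW6432Node key quoted in the question), see whether loading is even enabled, and confirm each listed DLL resolves to a signed file. The script below is an added example, not code from the original thread or from Sophos; it assumes a 64-bit Windows host and an elevated PowerShell session, and it uses only the documented Windows value names (AppInit_DLLs, LoadAppInit_DLLs, RequireSignedAppInit_DLLs) and the Confirm-SecureBootUEFI cmdlet from the SecureBoot module.

```powershell
# Added example (not from the original thread): audit the AppInit_DLLs
# injection points on a Windows host. Run in an elevated PowerShell.
# Assumptions: 64-bit Windows, so both the native and the WOW6432Node
# keys exist; value names are the documented Windows ones.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

function Resolve-AppInitDll {
    param([string]$Entry, [string]$Key)
    # Entries without a directory are loaded from the matching system
    # directory: System32 for 64-bit processes, SysWOW64 for 32-bit ones.
    # 8.3 short names such as SOPHOOS~1.DLL are resolved by the file system.
    if ([System.IO.Path]::IsPathRooted($Entry)) { return $Entry }
    $dir = if ($Key -like '*WOW6432Node*') { "$env:windir\SysWOW64" } else { "$env:windir\System32" }
    return Join-Path $dir $Entry
}

foreach ($key in $keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    Write-Host "`n== $key =="
    # LoadAppInit_DLLs = 0 means the list is ignored even if populated.
    Write-Host ("LoadAppInit_DLLs          : {0}" -f $props.LoadAppInit_DLLs)
    Write-Host ("RequireSignedAppInit_DLLs : {0}" -f $props.RequireSignedAppInit_DLLs)

    $raw = [string]$props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($raw)) {
        Write-Host "AppInit_DLLs              : (empty)"
        continue
    }

    # The value is a list of DLLs separated by spaces or commas.
    foreach ($entry in ($raw -split '[ ,]+' | Where-Object { $_ })) {
        $path = Resolve-AppInitDll -Entry $entry -Key $key
        if (Test-Path -LiteralPath $path) {
            $full = (Get-Item -LiteralPath $path).FullName
            $sig = Get-AuthenticodeSignature -FilePath $full
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Write-Host ("  {0}`n    -> {1}`n    signature: {2} {3}" -f $entry, $full, $sig.Status, $signer)
        } else {
            # A dangling entry is itself worth noting: the DLL was removed
            # (e.g. by an uninstall) but the registry value was left behind.
            Write-Host ("  {0}`n    -> NOT FOUND ({1})" -f $entry, $path)
        }
    }
}

# Secure Boot state: as the reply notes, AppInit_DLLs loading is disabled
# when Secure Boot is on, so an entry is inert there but still explains the
# alert. Confirm-SecureBootUEFI throws on BIOS/legacy-boot machines.
try {
    $sb = Confirm-SecureBootUEFI
    Write-Host "`nSecure Boot enabled: $sb"
} catch {
    Write-Host "`nSecure Boot: not a UEFI system or cmdlet not supported"
}
```

Read the output together with the reply: an entry pointing at a Sophos-signed sophos_detoured.dll, with Secure Boot reported as enabled, matches the legacy behaviour described, whereas an unsigned or missing DLL, or a value that reappears on a host with a current Sophos build, is what actually warrants escalation.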
