
BUG in CCleaner v3.05.1409 using Sophos


John_g


Hi everyone,

 

I needed some time to figure out why my Sophos Endpoint Security and Control version 9.5 failed to start after some time, with an error which does not really give a hint to the problem.

 

-------------------------------------------------------

Involved software

Operating System: Windows 7 Enterprise 64Bit

Sophos Endpoint Security and Control version 9.5

CCleaner v3.05.1409

-------------------------------------------------------

Searching the registry for errors, CCleaner lists the following RegKey:

ActiveX/COM Fehler LocalServer32\C:\PROGRA~1\Sophos\SOPHOS~1\SAVSER~1.EXE HKCR\CLSID\{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}

 

Removing that key leads to the problem that Sophos Endpoint Security and Control version 9.5 cannot be started again. The error message is (in German):

-------------------------------------------------------

Sie sind kein Mitglied einer Sophos-Gruppe. Um diese Anwendung

starten zu können, müssen Sie ein Mitglied der Gruppe SophosAdministrator,

SophosPowerUser oder SophosUser sein. Wenden Sie sich an den Administrator.

-------------------------------------------------------

The error message is definitely wrong, because the user is still a member of

the group SophosAdministrator as it is done from Sophos Setup.

 

Nevertheless, looking into the Event Viewer from Windows, I finally found a hint to the problem (in German):

-------------------------------------------------------

Durch die Berechtigungseinstellungen (Computerstandard) wird der SID (S-1-5-19)

für Benutzer NT-AUTORITÄT\LOKALER DIENST von Adresse LocalHost (unter Verwendung von LRPC)

keine Berechtigung zum Aktivierung (Lokal) für die COM-Serveranwendung

mit CLSID

{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}

und APPID

Nicht verfügbar

gewährt. Die Sicherheitsberechtigung kann mit dem Verwaltungsprogramm für Komponentendienste geändert werden.

-------------------------------------------------------

This error occurs every minute and points to the RegKey {D2B7A809-15DC-40B4-A1E1-C61EA97191DB}

which is part of Sophos.

 

To get Sophos running again I had to uninstall it from the system, make a restart

and after that a new installation. Simply running the Installer over an existing installation

did _not_ fix the problem for me!

 

Solution:

A temporary workaround is to make an exception for this key in CCleaner, so that it is not removed.

A better solution would be to fix that in the next version of CCleaner.

 

Hopefully this is helpful for other users, too.

 

Kind regards

John


  • 2 weeks later...

Hi everyone,

 

I needed some time to figure out why my Sophos Endpoint Security and Control version 9.5 failed to start after some time, with an error which does not really give a hint to the problem.

 

To get Sophos running again I had to uninstall it from the system, make a restart

 

Hopefully this is helpful for other users, too.

 

Kind regards

John

 

I accept that CCleaner has been involved in the problem, and it may be quickly fixed by user convenience,

BUT I think it would be far more useful to Sophos users if you notified Sophos and any User Forums of this gross lapse in Sophos security protection.

 

I think it is ludicrous of Sophos to have their customers' protection depend upon a registry key which they fail to protect.

If CCleaner can in ignorance remove or damage that key using normal user privilege,

then any malware that gets on the P.C. will eliminate the opposition without breaking sweat.

 

I have till now had great respect for Sophos,

but this seems to indicate that their security depends upon obscurity, which is bad when the enemy knows the system.

 

I believe this problem is not unique to CCleaner,

there are various Antivirus products that deliberately conceal their need of vital keys and files,

so that malware will not recognise and strike them down,

but it allows CCleaner and related products to innocently remove them as junk.
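
A check an administrator can run before and after a registry-cleaner pass, added here as an example (not code from either poster, CCleaner or Sophos): it confirms that the LocalServer32 registration for the CLSID quoted in the thread still exists and points at a real executable, and lists which non-administrative SIDs are allowed to modify or delete the key. It assumes PowerShell 3.0 or later; the function name `Test-ComServerKey` and the list of trusted SIDs are choices made for this example.

```powershell
# Added example (not from the thread): audit the COM server registration
# that the post reports CCleaner flagging as an ActiveX/COM error.
$Clsid = '{D2B7A809-15DC-40B4-A1E1-C61EA97191DB}'   # CLSID quoted in the post

# Principals expected to hold write access (assumption for this example):
# SYSTEM, Administrators, CREATOR OWNER, TrustedInstaller.
# Compared by SID so the check also works on localized (e.g. German) systems.
$Trusted = 'S-1-5-18', 'S-1-5-32-544', 'S-1-3-0',
           'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'

# Rights that allow changing or deleting the key, plus GENERIC_WRITE/GENERIC_ALL.
$Modify = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x50000000

function Test-ComServerKey {
    param([string]$Clsid)
    # Check both the native and the 32-bit (Wow6432Node) registry views.
    foreach ($root in 'CLSID', 'Wow6432Node\CLSID') {
        $path = "Registry::HKEY_CLASSES_ROOT\$root\$Clsid\LocalServer32"
        $result = [ordered]@{
            Key = $path; Present = $false; Command = $null
            ExeExists = $false; NonAdminWriters = @()
        }
        if (Test-Path -LiteralPath $path) {
            $result.Present = $true
            $cmd = (Get-Item -LiteralPath $path).GetValue('')   # default value
            $result.Command = $cmd
            # Strip quotes and arguments to isolate the executable path.
            if ($cmd -match '^\s*"([^"]+)"' -or $cmd -match '^\s*(.+?\.exe)') {
                $result.ExeExists = Test-Path -LiteralPath $Matches[1] -PathType Leaf
            }
            # Read the ACL with identities returned as SIDs, not names.
            $rules = (Get-Acl -LiteralPath $path).GetAccessRules(
                $true, $true, [System.Security.Principal.SecurityIdentifier])
            $result.NonAdminWriters = @($rules | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.RegistryRights -band $Modify) -ne 0 -and
                $Trusted -notcontains $_.IdentityReference.Value
            } | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique)
        }
        [pscustomobject]$result
    }
}

Test-ComServerKey -Clsid $Clsid | Format-List
```

`Present = False` in both views after a cleaner run matches the state described in the first post; an empty `NonAdminWriters` list means only the listed administrative principals can change the key.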
