Overview

As of Sophos Exploit Prevention version 3.17.17 (release commencing June 25th 2020) all files and drivers are signed with only SHA256 (previously they were SHA1 and SHA256 signed). This is a Microsoft driven change. In March 2019, Microsoft released an update to Windows 7 and Windows 2008 R2 to support SHA256 only driver signing. This Microsoft update is required in order to install and run Sophos Exploit Prevention.

Please see below Microsoft article regarding this issue:

Note: This affects Windows 7 and Windows 2008 R2 operating systems. Operating system that are fully up to date with Windows Updates will not be impacted. 

For any operating system that does not have the Microsoft updates the following will be seen:

• New installations:
  
  New installations will fail and the following error is reported to Enterprise Console following the installation attempt:
  
  00000067 Failed to install Sophos Exploit Prevention: Plug-in setup has failed
  
  
  Locally on the computer, the ‘HitmanPro.Alert service’ will be present but stopped. Attempting to start the service will return the following error:
  
  
  
• Upgrades
  
  Upgrades to the new version will fail. No error will be reported to Enterprise Console but the computer will display under Policy compliance a ‘Differs from policy’ state and the Exploit prevention status will display ‘Inactive’:
  
  
  
  Locally on the computer, the ‘HitmanPro.Alert service’ will be stopped. Attempting to start the service will return the following error:
  
  

The following sections are covered:

• What to do
• Related information

Applies to the following Sophos products and versions
Sophos Exploit Protection
Enterprise Console

What to do

To allow an installation or upgrade of Exploit Prevention you must perform Windows Updates to get the latest updates. Alternately, install Windows KBs 4474419 and 4490628.