Sophos Advisory – Following re-categorization of DiskCryptor to PUA from AppC some machines fail to boot
Following the re-categorization of DiskCryptor (and BestCrypt) from Controlled Applications (AppC) to Potentially Unwanted Applications (PUAs) to combat a growing number of Ransomware attacks using these tools (further information available here), a limited subset of customers encountered issues where their machines would no longer boot following a reboot.
Sophos was first made aware of this issue on Wednesday 15th July following the release on Monday 13th July.
This issue was triggered because the dcrypt.sys filter driver component of DiskCryptor was correctly identified as a PUA and then cleaned up. After the machines were rebooted, the DiskCryptor bootloader was unable to load, so the system volume could not be decrypted and the machines failed to boot.
This issue only affects customers who had not authorized DiskCryptor prior to rebooting their machines.
On Wednesday 15th July the decision was made to temporarily revert this change until such a time as a full investigation and RCA had been completed into the trigger for the issue.
No issues have been identified relating to BestCrypt; however, the detection has been rolled back as a precaution.
Applies to the following Sophos product(s) and version(s)
Central Windows Endpoint Intercept X 2.0.17
Central Server Intercept X 2.0.17
Sophos Endpoint Security and Control 10.8.9
Customers affected by the issue who rebooted prior to Wednesday 15th July would see that affected machines are unable to boot into Windows.
Customers running Sophos Endpoint Security and Control (managed by the Sophos Enterprise Console or standalone) would have seen the PUA detection for DiskCryptor blocked; however, no automatic cleanup would have taken place, so it is unlikely they would have encountered any boot issues.
Any customer who would potentially have been affected by the issue but did not reboot prior to Wednesday 15th July will not encounter the booting issues as the files will have been restored.
A customer can verify that they are no longer affected by the issue by the following methods:
- The Endpoint UI will confirm that the files have been restored
- An event will be logged against the device in Sophos Central confirming that the files have been restored
- dcrypt.sys will still exist in C:\Windows\System32\Drivers\
- Sophos Labs have rolled back the detections for DiskCryptor and BestCrypt to reduce the impact on any customers who have not yet rebooted
- A full investigation and RCA is underway into the cause and trigger for this issue
- No further detections for DiskCryptor or BestCrypt will be released until the RCA is complete
What to do
- Customers using DiskCryptor who have not encountered the issue but are concerned about any further ramifications should verify that dcrypt.sys has been restored, or is still present, on their machines before any reboot
- Any customers who have machines that are failing to boot will need to:
  - Boot the machine into a preboot environment (such as WinPE)
  - Locate a copy of the dcrypt.sys driver from a working machine
  - Copy this file into the correct location on the failing machine (using the preboot software)
  - On the next boot Windows should load
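The pre-reboot check from the first bullet and the driver copy from the recovery steps, as an added PowerShell example that is not Sophos's or DiskCryptor's own tooling. It assumes DiskCryptor registers dcrypt.sys as the boot-start kernel service "dcrypt" (service name and start type are assumptions), and that in the preboot environment the failing machine's Windows directory is reachable at a path you supply.

```powershell
# Added example, not Sophos or DiskCryptor code. Assumed: DiskCryptor registers
# dcrypt.sys as the kernel service "dcrypt" with boot start (both assumptions).
function Test-DcryptDriver {
    # Run on a live machine BEFORE rebooting to confirm the cleaned-up driver is back.
    param([string]$WindowsRoot = $env:SystemRoot)
    $driverPath = Join-Path $WindowsRoot 'System32\Drivers\dcrypt.sys'
    $svcKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\dcrypt'
    $r = [ordered]@{ Path = $driverPath; Present = $false; FileVersion = $null
                     Signature = $null; ServiceRegistered = $false; StartType = $null
                     SafeToReboot = $false }
    if (Test-Path -LiteralPath $driverPath -PathType Leaf) {
        $r.Present     = $true
        $r.FileVersion = (Get-Item -LiteralPath $driverPath).VersionInfo.FileVersion
        # A zero-byte or partially restored file will not carry a valid signature.
        $r.Signature   = (Get-AuthenticodeSignature -FilePath $driverPath).Status
    }
    if (Test-Path -LiteralPath $svcKey) {
        # The file alone is not enough: Windows only loads it if the service key
        # survived and is set to boot start (Start = 0, assumed for DiskCryptor).
        $r.ServiceRegistered = $true
        $r.StartType = (Get-ItemProperty -LiteralPath $svcKey -Name Start).Start
    }
    $r.SafeToReboot = $r.Present -and $r.ServiceRegistered -and ($r.StartType -eq 0)
    return [pscustomobject]$r
}

function Restore-DcryptDriver {
    # Run from the preboot environment (e.g. WinPE) once the failing machine's
    # Windows directory is reachable at -TargetWindowsRoot (e.g. D:\Windows).
    param(
        [Parameter(Mandatory)][string]$SourceDriver,      # dcrypt.sys from a working machine
        [Parameter(Mandatory)][string]$TargetWindowsRoot
    )
    $dest = Join-Path $TargetWindowsRoot 'System32\Drivers\dcrypt.sys'
    if (-not (Test-Path -LiteralPath $SourceDriver -PathType Leaf)) {
        throw "Source driver not found: $SourceDriver"
    }
    if (Test-Path -LiteralPath $dest) {
        Write-Warning "dcrypt.sys already present at $dest; nothing copied"
        return $false
    }
    Copy-Item -LiteralPath $SourceDriver -Destination $dest
    # Compare hashes so a truncated write is not mistaken for a successful repair.
    $srcHash = (Get-FileHash -LiteralPath $SourceDriver).Hash
    $dstHash = (Get-FileHash -LiteralPath $dest).Hash
    if ($srcHash -ne $dstHash) { throw "Copy to $dest did not verify" }
    return $true
}
```

On a running machine, `Test-DcryptDriver | Format-List` reports whether the driver file and its service registration are both in place; in WinPE, call `Restore-DcryptDriver -SourceDriver X:\dcrypt.sys -TargetWindowsRoot D:\Windows` with the paths that apply to your media and the failing volume.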