Issues with Sophos Endpoint Protection #4555

@paul-duxbury

Description

Please confirm these before moving forward

  • I have searched for my issue and have not found a work-in-progress/duplicate/resolved issue.
  • I have tested that this issue has not been fixed in the latest (beta or stable) release.
  • I have checked the FAQ section for solutions.
  • This issue is about a bug (if it is not, please use the correct template).

UniGetUI Version

3.3.7

Windows version, edition, and architecture

Windows 11 25H2 x64

Describe your issue

When UniGetUI starts to update some applications it triggers a ProcessTokenAccessGuard with the Windows Command Processor, which then results in Sophos detecting malicious behaviour and isolating the machine from all network connectivity. This has only happened in the latest version of UniGetUI; the previous version was fine.

Steps to reproduce the issue

No response

UniGetUI Log

[07/04/2026 20:51:51]    __  __      _ ______     __  __  ______
                        / / / /___  (_) ____/__  / /_/ / / /  _/
                       / / / / __ \/ / / __/ _ \/ __/ / / // /
                      / /_/ / / / / / /_/ /  __/ /_/ /_/ // /
                      \____/_/ /_/_/\____/\___/\__/\____/___/
                          Welcome to UniGetUI Version 3.3.7
[07/04/2026 20:51:51]
[07/04/2026 20:51:51] Build 106
[07/04/2026 20:51:51] Data directory C:\Users\paul.duxbury\AppData\Local\UniGetUI
[07/04/2026 20:51:51] Encoding Code Page set to 850
[07/04/2026 20:51:52] Loaded language locale: en
[07/04/2026 20:51:52] Could not retrieve token (it may not exist): Element not found.
                      
                      Cannot get credential from Vault
[07/04/2026 20:51:52] Lang files were updated successfully from GitHub
[07/04/2026 20:51:52] Checking for internet connectivity...
[07/04/2026 20:51:52] DWM Thread was already running
[07/04/2026 20:51:52] XAML Thread was already running
[07/04/2026 20:51:52] DWM Thread was already running
[07/04/2026 20:51:52] XAML Thread was already running
[07/04/2026 20:51:52] Internet connectivity was established.
[07/04/2026 20:51:52] Old chocolatey path does not exist, not migrating Chocolatey
[07/04/2026 20:51:52] Begin "which" search for command pwsh.exe
[07/04/2026 20:51:52] Begin "which" search for command winget.exe
[07/04/2026 20:51:52] Begin "which" search for command choco.exe
[07/04/2026 20:51:52] Begin check for updates on endpoint https://www.marticliment.com/versions/unigetui/stable.ver
[07/04/2026 20:51:52] Begin "which" search for command python
[07/04/2026 20:51:52] Begin "which" search for command npm.cmd
[07/04/2026 20:51:52] Using built-in UniGetUI Elevator at C:\Users\paul.duxbury\AppData\Local\Programs\UniGetUI\Assets\Utilities\UniGetUI Elevator.exe
[07/04/2026 20:51:52] Begin "which" search for command cargo.exe
[07/04/2026 20:51:52] Begin "which" search for command vcpkg.exe
[07/04/2026 20:51:52] Begin "which" search for command dotnet.exe
[07/04/2026 20:51:52] Begin "which" search for command powershell.exe
[07/04/2026 20:51:52] Begin "which" search for command pwsh.exe
[07/04/2026 20:51:52] Randomly-generated background API auth token: 1nx7wr3x2vl5i8oqxtvue3b5e9lawnxyztcyy6ymkhpjhzuq2h9y4j5p88hckfrc
[07/04/2026 20:51:52] Call to WhichMultiple with file dotnet.exe returned non-zero status 1
[07/04/2026 20:51:52] Command dotnet.exe was not found on the system
[07/04/2026 20:51:52] .NET Tool is enabled but was not found on the system!
[07/04/2026 20:51:52] Call to WhichMultiple with file vcpkg.exe returned non-zero status 1
[07/04/2026 20:51:52] Command vcpkg.exe was not found on the system
[07/04/2026 20:51:52] Begin "which" search for command vcpkg
[07/04/2026 20:51:52] Command choco.exe was found on C:\Users\paul.duxbury\AppData\Local\UniGetUI\Chocolatey\bin\choco.exe (with 0 more occurrences)
[07/04/2026 20:51:52] Chocolatey is enabled and was found on C:\Users\paul.duxbury\AppData\Local\UniGetUI\Chocolatey\choco.exe
[07/04/2026 20:51:52] Command powershell.exe was found on C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (with 0 more occurrences)
[07/04/2026 20:51:52] PowerShell is enabled and was found on C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
[07/04/2026 20:51:52] Command npm.cmd was found on C:\Program Files\nodejs\npm.cmd (with 0 more occurrences)
[07/04/2026 20:51:52] Npm is enabled and was found on C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe
[07/04/2026 20:51:52] Command pwsh.exe was found on C:\Program Files\PowerShell\7\pwsh.exe (with 0 more occurrences)
[07/04/2026 20:51:52] Begin "which" search for command scoop.ps1
[07/04/2026 20:51:52] Command winget.exe was found on C:\Users\paul.duxbury\AppData\Local\Microsoft\WindowsApps\winget.exe (with 0 more occurrences)
[07/04/2026 20:51:52] Call to WhichMultiple with file cargo.exe returned non-zero status 1
[07/04/2026 20:51:52] Command cargo.exe was not found on the system
[07/04/2026 20:51:52] Cargo is enabled but was not found on the system!
[07/04/2026 20:51:52] Command pwsh.exe was found on C:\Program Files\PowerShell\7\pwsh.exe (with 0 more occurrences)
[07/04/2026 20:51:52] PowerShell7 is enabled and was found on C:\Program Files\PowerShell\7\pwsh.exe
[07/04/2026 20:51:52] Command python was found on C:\Users\paul.duxbury\AppData\Local\Programs\Python\Python314\python.exe (with 0 more occurrences)
[07/04/2026 20:51:52] Pip is enabled and was found on C:\Users\paul.duxbury\AppData\Local\Programs\Python\Python314\python.exe
[07/04/2026 20:51:52] Call to WhichMultiple with file vcpkg returned non-zero status 1
[07/04/2026 20:51:52] Command vcpkg was not found on the system
[07/04/2026 20:51:52] Begin "which" search for command vcpkg
[07/04/2026 20:51:53] Call to WhichMultiple with file scoop.ps1 returned non-zero status 1
[07/04/2026 20:51:53] Command scoop.ps1 was not found on the system
[07/04/2026 20:51:53] Scoop is enabled but was not found on the system!
[07/04/2026 20:51:53] Got response from endpoint: (106, 3.3.7, 511DBEEA55491205EA053306E5AE1CF692683F6EA2C6162A7029D12B00C79626)
[07/04/2026 20:51:53] Call to WhichMultiple with file vcpkg returned non-zero status 1
[07/04/2026 20:51:53] Command vcpkg was not found on the system
[07/04/2026 20:51:53] Vcpkg root was not found. Please define the %VCPKG_ROOT% environment variable or define it from UniGetUI Settings
[07/04/2026 20:51:53] vcpkg is enabled but was not found on the system!
[07/04/2026 20:51:53] Api running on http://localhost:7058
[07/04/2026 20:51:53] Winget is enabled and was found on C:\Users\paul.duxbury\AppData\Local\Microsoft\WindowsApps\winget.exe
[07/04/2026 20:51:53] ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                      █▀▀▀▀▀▀▀▀▀▀▀▀▀ MANAGER LOADED ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
                      █ Name: PowerShell 7.x (aka PowerShell7)
                      █ Executable name: "pwsh.exe"
                      █ Executable path: "C:\Program Files\PowerShell\7\pwsh.exe"
                      █ Call arguments: " -NoProfile -Command"
                      █ Version: PowerShell 7.6.0
                      █          
                      █ PowerShell 7.x is enabled and ready to go.
                      ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
[07/04/2026 20:51:53] ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                      █▀▀▀▀▀▀▀▀▀▀▀▀▀ MANAGER LOADED ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
                      █ Name: Pip (aka Pip)
                      █ Executable name: "pip"
                      █ Executable path: "C:\Users\paul.duxbury\AppData\Local\Programs\Python\Python314\python.exe"
                      █ Call arguments: "-m pip "
                      █ Version: pip 26.0.1 from C:\Users\paul.duxbury\AppData\Local\Programs\Python\Python314\Lib\site-packages\pip (python 3.14)
                      █          
                      █ Pip is enabled and ready to go.
                      ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
[07/04/2026 20:51:53] ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                      █▀▀▀▀▀▀▀▀▀▀▀▀▀ MANAGER LOADED ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
                      █ Name: WinGet (aka Winget)
                      █ Executable name: "winget.exe"
                      █ Executable path: "C:\Users\paul.duxbury\AppData\Local\Microsoft\WindowsApps\winget.exe"
                      █ Call arguments: ""
                      █ Version: System WinGet (CLI) Version: v1.28.220
                      █          Using Native WinGet helper (COM Api)
                      █          
                      █ WinGet is enabled and ready to go.
                      ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
[07/04/2026 20:51:53] Loaded 3 sources for manager Winget
[07/04/2026 20:51:54] ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                      █▀▀▀▀▀▀▀▀▀▀▀▀▀ MANAGER LOADED ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
                      █ Name: Chocolatey (aka Chocolatey)
                      █ Executable name: "choco.exe"
                      █ Executable path: "C:\Users\paul.duxbury\AppData\Local\UniGetUI\Chocolatey\choco.exe"
                      █ Call arguments: ""
                      █ Version: 2.5.0
                      █          
                      █ Chocolatey is enabled and ready to go.
                      ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
[07/04/2026 20:51:54] UniGetUI Chocolatey was found in the path
[07/04/2026 20:51:55] ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                      █▀▀▀▀▀▀▀▀▀▀▀▀▀ MANAGER LOADED ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
                      █ Name: PowerShell 5.x (aka PowerShell)
                      █ Executable name: "powershell.exe"
                      █ Executable path: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
                      █ Call arguments: " -NoProfile -Command"
                      █ Version: Name                           Value                                                                                   
                      █          ----                           -----                                                                                   
                      █          PSVersion                      5.1.26100.8115                                                                          
                      █          PSEdition                      Desktop                                                                                 
                      █          PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}                                                                 
                      █          BuildVersion                   10.0.26100.8115                                                                         
                      █          CLRVersion                     4.0.30319.42000                                                                         
                      █          WSManStackVersion              3.0                                                                                     
                      █          PSRemotingProtocolVersion      2.3                                                                                     
                      █          SerializationVersion           1.1.0.1
                      █          
                      █ PowerShell 5.x is enabled and ready to go.
                      ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
[07/04/2026 20:51:55] ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                      █▀▀▀▀▀▀▀▀▀▀▀▀▀ MANAGER LOADED ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
                      █ Name: Npm (aka Npm)
                      █ Executable name: "npm"
                      █ Executable path: "C:\WINDOWS\system32\windowspowershell\v1.0\powershell.exe"
                      █ Call arguments: "-NoProfile -ExecutionPolicy Bypass -Command "C:\Program` Files\nodejs\npm.cmd" "
                      █ Version: 11.11.0
                      █          
                      █ Npm is enabled and ready to go.
                      ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
[07/04/2026 20:51:55] Loaded 1 sources for manager Chocolatey
[07/04/2026 20:51:56] Loaded 1 sources for manager PowerShell7
[07/04/2026 20:51:59] Loaded 1 sources for manager PowerShell
[07/04/2026 20:51:59] Checking for internet connectivity...
[07/04/2026 20:51:59] LoadComponentsAsync finished executing. All managers loaded. Proceeding to interface.
[07/04/2026 20:51:59] Internet connectivity was established.
[07/04/2026 20:51:59] Manager Pip has not implemented RefreshPackageIndexes
[07/04/2026 20:51:59] Manager PowerShell has not implemented RefreshPackageIndexes
[07/04/2026 20:51:59] Manager PowerShell7 has not implemented RefreshPackageIndexes
[07/04/2026 20:51:59] Manager Npm has not implemented RefreshPackageIndexes
[07/04/2026 20:51:59] Manager Chocolatey has not implemented RefreshPackageIndexes
[07/04/2026 20:52:00] Downloaded new icons and screenshots successfully!
[07/04/2026 20:52:01] Found 8 installed packages from Pip
[07/04/2026 20:52:01] Cached icon for id=pip is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:01] Cached icon for id=requests is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:01] Cached icon for id=urllib3 is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:01] Found 0 installed packages from Chocolatey
[07/04/2026 20:52:01] Found 0 available updates from Chocolatey
[07/04/2026 20:52:02] Found 2 available updates from Winget
[07/04/2026 20:52:02] Cached icon for id=Postman.Postman is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Integrity check passed successfully!
[07/04/2026 20:52:02] Found 106 installed packages from Winget
[07/04/2026 20:52:02] Cached icon for id=7zip.7zip is valid and won't be downloaded again (SHA256)
[07/04/2026 20:52:02] Cached icon for id=Adobe.Acrobat.Reader.64-bit is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=angryziber.AngryIPScanner is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.AppInstaller is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Balena.Etcher is valid and won't be downloaded again (SHA256)
[07/04/2026 20:52:02] Cached icon for id=Anthropic.Claude is valid and won't be downloaded again (SHA256)
[07/04/2026 20:52:02] Cached icon for id=Git.Git is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.Office is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.Edge is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.MouseandKeyboardCenter is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.OneDrive is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.PowerBI is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.Teams is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.VCLibs.Desktop.14 is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.VCRedist.2015+.x64 is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.VCRedist.2015+.x86 is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.VisualStudioCode is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.UI.Xaml.2.8 is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Mozilla.Firefox.en-GB is valid and won't be downloaded again (SHA256)
[07/04/2026 20:52:02] Cached icon for id=mRemoteNG.mRemoteNG is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Oracle.MySQL is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Oracle.MySQLWorkbench is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=OpenJS.NodeJS.LTS is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=dotPDN.PaintDotNet is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.PowerShell is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=PuTTY.PuTTY is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Python.Python.3.14 is valid and won't be downloaded again (SHA256)
[07/04/2026 20:52:02] Cached icon for id=Python.Launcher is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=TeamViewer.TeamViewer is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=Microsoft.WindowsTerminal is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=RARLab.WinRAR is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:02] Cached icon for id=WinSCP.WinSCP is valid and won't be downloaded again (UriSource)
[07/04/2026 20:52:03] Found 0 installed packages from PowerShell7
[07/04/2026 20:52:03] Found 0 installed packages from PowerShell7
[07/04/2026 20:52:03] Found 0 available updates from PowerShell7
[07/04/2026 20:52:03] Found 0 available updates from Pip
[07/04/2026 20:52:04] Found 1 installed packages from PowerShell
[07/04/2026 20:52:04] Found 1 installed packages from PowerShell
[07/04/2026 20:52:04] Found 0 available updates from PowerShell
[07/04/2026 20:52:06] Found 0 installed packages from Npm
[07/04/2026 20:52:06] Found 0 available updates from Npm
[07/04/2026 20:52:06] Invalid value for UpdatesCheckInterval, using default value of 3600 seconds
[07/04/2026 20:52:06] Package Postman.Postman does not override options, will use package manager's default...

Although this is after the issue, as I had to remove the device from isolation.

Package Managers Logs

Manager WinGet with version:
System WinGet (CLI) Version: v1.28.220
Using Native WinGet helper (COM Api)

——————————————————————————————————————————


Logged native task on manager Winget. Task type is ListSources
Process start time: 07/04/2026 20:51:53
Process end time:   07/04/2026 20:51:53

-- Task information
 ...

The task reported success

——————————————————————————————————————————

Logged native task on manager Winget. Task type is ListInstalledPackages
Process start time: 07/04/2026 20:51:59
Process end time:   07/04/2026 20:52:02

-- Task information
 ...

The task reported success

——————————————————————————————————————————

Logged native task on manager Winget. Task type is OtherTask
Process start time: 07/04/2026 20:51:59
Process end time:   07/04/2026 20:52:01

-- Task information
 ...

The task reported success

——————————————————————————————————————————

Logged subprocess-based task on manager Winget. Task type is RefreshIndexes
Subprocess executable: "C:\Users\paul.duxbury\AppData\Local\Microsoft\WindowsApps\winget.exe"
Command-line arguments: " source update --disable-interactivity "
Process start time: 07/04/2026 20:51:59
Process end time:   07/04/2026 20:52:01

-- Process STDOUT
 ...

Return code: SUCCESS (0)

——————————————————————————————————————————

Logged native task on manager Winget. Task type is ListUpdates
Process start time: 07/04/2026 20:52:01
Process end time:   07/04/2026 20:52:02

-- Task information
 ...

The task reported success

——————————————————————————————————————————

Relevant information

No response

Screenshots and videos

No response


Labels

bug: Something isn't working
