Sophos DynamicShellcode Detection on Windows
Sophos exploit mitigation can block IronPDF at startup in .NET Framework applications, even when the binaries are official, signed, and unmodified. The trigger is how the native DLL is loaded from CLR-managed memory.
Sophos DynamicShellcode / HeapHeapHooray
Sophos DynamicShellcode / HeapHeapHooray relies on behavioral exploit-mitigation heuristics. In a .NET Framework process, the LoadLibrary call for IronInterop.dll originates from anonymous, JIT-compiled CLR memory rather than a file-backed origin. Sophos reads that pattern as shellcode behavior and blocks the process before it can start.
This affects IronPDF 2026.3.1 on Windows 10 x64 under .NET Framework.
Solution
Option 1: Add a narrow Sophos exclusion
Create the tightest exclusion Sophos offers for this detection. A certificate-based allow rule for Iron Software signed binaries is preferred; failing that, exclude the specific Sophos detection ID confirmed by Sophos Support.
Recommended: keep the exclusion scope narrow. Do not disable DynamicShellcode protection across the whole application unless Sophos provides no narrower option and the security team signs off.
Option 2: Run through IronPdfEngine in gRPC remote mode
When endpoint exclusions are not acceptable, route PDF processing to IronPdfEngine in gRPC remote mode. The native DLL then loads inside a separate engine process instead of the .NET Framework client, which sidesteps the detection entirely.

