
Sophos Central - BSOD - Breaks RDP on Windows 7 32 bit machines

Hello!


Recently Sophos Central started with all of our computers that run Windows 7 32 bit, having a BSOD on log off. As soon as a user logs off, it blue screens.

Also, when a user tries to log in via Citrix, they get "An internal error occured" Then the computer blue screens again.


These users have had Sophos Central installed for months, while using Citrix on days they are not in the building, without issues.

Recently I noticed Sophos Central Agent got updated, and that's when our issues started arising. This could be unrelated, but I am looking at this and it's the only thing that has changed.


After speaking with Sophos Support, I was told to disable tamper protection globally, which I have, and the issues remain.


I have uninstalled Sophos Central from the troubled computers and they no longer have issues with Citrix or myself RDP'ing to these machines.


Wanted to give a PSA in case anyone else is having RDP/Citrix issues or random blue screens of death.

  • In addition to this, we also have received a different blue screen of death on a 64 bit machine running Windows 7. 

    It stated "SophosED.sys" and had a different error code then the rest. 

    They are looking into this, but the advice was to also disable tamper protection globally.

  • Have you captured a dump file to analyze?  Even a mini-dump would be helpful.

    Anything under:
    \windows\minidump\

    Regards,

    Jak

  • Yes, though they aren't attaching..

  • Can you zip it and then drag it onto the editor?

    Regards,

    Jak

  • Hi Nick


    We are having exactly the same issue!!


    I have had a call outstanding with Support since 2nd Feb and still no resolution.


    We have found the filescanner.exe causes the issue, if I temporarily disable we can RDP and no errors on logoff, I have supplied this information and all relevant logs but still no update from support!!


    I wonder how many other companies have this issue and are not actually aware yet!?


    Amanda

  • 3060.030518-12667-01.zip


    Attached is a dmp file from attempting to RDP this morning.

  • WilsonsIT said:

    Hi Nick


    We are having exactly the same issue!!


    I have had a call outstanding with Support since 2nd Feb and still no resolution.


    We have found the filescanner.exe causes the issue, if I temporarily disable we can RDP and no errors on logoff, I have supplied this information and all relevant logs but still no update from support!!


    I wonder how many other companies have this issue and are not actually aware yet!?


    Amanda


    Hm, I attempted your solution by disabling the file scanner service and successfully connected through RDP to the affected computer.

  • Hmm indeed!  Why does it take the customer to find what is causing the issue?!?

    I have given support all these details yet still no response, looks like I will have to tweet my complaint as that is the only time anyone ever responds!

    Grrr.....come on Support, sort it out!

  • Given that dump, if I had to guess and given that it's a 32-bit computer, I'd say that a thread is probably running out of the 12K of stack space you can have on 32-bit Windows.  Any 64-bit computers seeing the issue?  I suspect not given they get twice as much.

    Looking at drivers without symbols, i.e. not Microsoft ones:


    0: kd> lme
    start end module name
    833d1000 833fc000 SboxDrv T (no symbols)
    8be25000 8be2e000 amdxata T (no symbols)
    8c278000 8c2df000 SophosED T (no symbols)
    8c66a000 8c672000 spldr T (no symbols)
    8c774000 8c7a1000 savonaccess T (no symbols)
    8c7af000 8c7c7000 NHOSTNT1 T (no symbols)
    92119000 92132000 sntp T (no symbols)
    92132000 9213e000 skmscan T (no symbols)
    92195000 921d0000 hmpalert T (no symbols)
    92e46000 92e50080 HECI T (no symbols)
    92ecb000 92f2d000 Rt86win7 T (no symbols)
    92f37000 92f3d400 sdcfilter T (no symbols)
    92f66000 92f6cb00 staccel T (no symbols)
    92f6d000 92f6e100 BmcMirror_4_0_mini T (no symbols)
    93426000 9371e000 igdkmd32 T (no symbols)
    937fa000 937fc480 dwvscd T (no symbols)
    93948000 93961000 drmk T (no symbols)
    93961000 939be000 IntcDAud T (no symbols)
    9de20000 9e07e000 win32k T (no symbols)
    9e090000 9e099000 TSDDD T (no symbols)
    9e0c0000 9e0de000 cdd T (no symbols)
    9e120000 9e15a000 RDPDD T (no symbols)
    b7f54000 b7f69000 EpsCe T (no symbols)
    b7f69000 b7f70000 npf T (no symbols)
    ba400000 ba408000 InvProtectDrvNet T (no symbols)
    ba408000 ba40e000 gfiapdrv T (no symbols)
    ba40e000 ba417e80 diskcrypt T (no symbols)
    ba437000 ba4cf000 peauth T (no symbols)
    ba5a0000 ba5afb80 esecdrv60 T (no symbols)
    ba5ef000 ba600000 InvProtectDrv T (no symbols)
    c3c2b000 c3c95000 spsys T (no symbols)


    sophosed.sys
    savonaccess.sys
    hmpalert.sys
    are all file system mini-filters, and I also see Invincea drivers.

    What does the output of fltmc.exe show, out of interest?  With only a mini-dump, commands such as !fltkd.filters to list filters don't work.

    Do you get the issue if for example you disable the sophosed.sys driver?  E.g. disable tamper protection, rename \windows\system32\drivers\sophosed.sys to sophosed.sys.rename and reboot such that it's not loaded at startup.

    It might be worth checking that the version of sophosed.sys built on the 8th Jan is the latest.  Although it seems recent, mine is from the 14th Feb.

    0: kd> lmDvmSophosED
    Browse full module list
    start end module name
    8c278000 8c2df000 SophosED T (no symbols)
    Loaded symbol image file: SophosED.sys
    Image path: \SystemRoot\system32\DRIVERS\SophosED.sys
    Image name: SophosED.sys
    Browse all global symbols functions data
    Timestamp: Mon Jan 8 20:09:09 2018 (5A53CFE5)
    CheckSum: 00072D8B
    ImageSize: 00067000
    Translations: 0000.04b0 0000.04e4 0409.04b0 0409.04e


    Regards,
    Jak
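The checks Jak asks for above (minidumps under \windows\minidump\, the fltmc.exe filter list, and the build timestamp of sophosed.sys and the other Sophos mini-filters) gathered into one script, as an added example that is not from the thread or from Sophos; the output folder name and a PowerShell 3 or later prompt are assumptions.

```powershell
# Added example, not from the thread: collect what Jak asks for on one affected
# Windows 7 host (minidumps, loaded mini-filters, Sophos driver builds). Run from an
# elevated PowerShell 3+ prompt; $out is an assumed output folder.
$out = "C:\SophosBSOD-$(Get-Date -Format yyyyMMdd-HHmm)"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# 1. Minidumps written by the crashes (\windows\minidump\), newest first
Get-ChildItem "$env:SystemRoot\Minidump\*.dmp" -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, Length, LastWriteTime |
    Tee-Object -FilePath "$out\minidumps.txt"

# 2. Loaded file-system mini-filters and their altitudes (the fltmc.exe output Jak
#    asks about); !fltkd.filters needs a full dump, so this is the live-system view.
fltmc.exe filters | Tee-Object -FilePath "$out\fltmc-filters.txt"

# PE link timestamp from the COFF header, the same value WinDbg prints as "Timestamp:"
# (e_lfanew lives at offset 0x3C; TimeDateStamp is 8 bytes past the "PE\0\0" signature).
function Get-PeLinkTime([string]$Path) {
    $b     = [System.IO.File]::ReadAllBytes($Path)
    $pe    = [BitConverter]::ToInt32($b, 0x3C)
    $stamp = [BitConverter]::ToUInt32($b, $pe + 8)
    $epoch = New-Object DateTime -ArgumentList 1970, 1, 1, 0, 0, 0, ([DateTimeKind]::Utc)
    $epoch.AddSeconds($stamp).ToLocalTime()
}

# 3. Build info for the three Sophos mini-filters named in the thread, to compare
#    with the 8 Jan 2018 SophosED.sys build seen in the dump.
'SophosED.sys', 'savonaccess.sys', 'hmpalert.sys' | ForEach-Object {
    $p = Join-Path "$env:SystemRoot\System32\drivers" $_
    if (Test-Path $p) {
        $f = Get-Item $p
        [pscustomobject]@{
            Driver      = $_
            FileVersion = $f.VersionInfo.FileVersion
            LinkTime    = Get-PeLinkTime $p
            SizeBytes   = $f.Length
        }
    } else {
        [pscustomobject]@{ Driver = $_; FileVersion = 'not present'; LinkTime = $null; SizeBytes = 0 }
    }
} | Format-Table -AutoSize | Tee-Object -FilePath "$out\sophos-drivers.txt"
```

Zip the $out folder afterwards so the dumps and text files can be dragged onto the forum editor or attached to the support case.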



  • Hi Nick

    Support finally came back to us and the latest Core update (2.0.2) seems to have resolved for us on a couple of PC's that I have tested.

    Hopefully that will resolve for you too?

    Amanda