Multiple PCs frozen right after update.

Over the last couple weeks, since we received the Core Agent update to 2.19.8 on 10/4, we've had multiple older machines freeze completely.  Screen freezes, no keyboard or mouse, NIC unresponsive.  We have to do a hard shut down to bring them down and back up.  Not positive that this update is the culprit, but on the computers that have been freezing 2 to 3 times a day, we uninstalled Sophos and they've been behaving for a couple days now. 

Models affected:  HP xw4400, HP xw4600, Z400.  All have been running Win10 21H1 with last update back in September.  "Newer" computers (e.g. Z420, Z4 G4) have not had this problem.  Event logs show nothing out of the ordinary around the time of crash.  

Just curious if anybody else has run into this in the last week.    



[Update - Nov 23] The following KBA has been published regarding this issue - https://support.sophos.com/support/s/article/KB-000043418?language=en_US
[edited by: Qoosh at 8:41 PM (GMT -8) on 23 Nov 2021]
  • The other option is to involve another computer and try setting up kernel debugging over the network as detailed here:

    Setting Up KDNET Network Kernel Debugging Manually - Windows drivers | Microsoft Docs

    Essentially you get the IP address of the "good" machine you're going to connect from with WinDbg. E.g. 192.168.1.5

    On the target computer to be debugged, the failing computer in this case, run the following in an admin prompt:

    bcdedit /debug on

    bcdedit /dbgsettings net hostip:192.168.1.5 port:50000

    This will print you a key you need to copy to the "good" computer.

    You can then launch WinDbg on the "good" machine, choose Kernel Debugging and use the Key under the Net type.

    It will try and connect. If you reboot the target, so the bcdedit commands take, when it comes back up you should be connected to it in WinDbg from the good computer.

    When the "target" computer has the issue, when connected, you can run ".crash" in WinDbg to bugcheck the "bad" computer.  This should create a MEMORY.DMP dump under \windows\ on the bad computer.  Ensure it's set to create a complete or active dump.

    Maybe this could work?
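
An added example, not part of the original replies and not Sophos or Microsoft tooling: a PowerShell check to run on the target before waiting for the freeze, confirming that a `.crash` bugcheck will actually produce a complete or active dump and that the debugger settings took. The `-SetComplete` switch is a hypothetical name chosen here; the registry values are the standard Windows CrashControl settings.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread). -SetComplete is a hypothetical switch name.
param([switch]$SetComplete)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc  = Get-ItemProperty -Path $key

# CrashDumpEnabled values used by Windows; "Active" is Complete (1) with FilterPages = 1.
$names  = @{ 0 = 'None'; 1 = 'Complete'; 2 = 'Kernel'; 3 = 'Small'; 7 = 'Automatic' }
$type   = [int]$cc.CrashDumpEnabled
$filter = if ($cc.PSObject.Properties.Name -contains 'FilterPages') { [int]$cc.FilterPages } else { 0 }
$label  = if ($type -eq 1 -and $filter -eq 1) { 'Active' } else { $names[$type] }

Write-Host "Dump type : $label (CrashDumpEnabled=$type, FilterPages=$filter)"
Write-Host "Dump file : $($cc.DumpFile)"

if ($label -notin 'Complete', 'Active') {
    Write-Warning 'Not set to a complete or active dump; .crash would capture less than intended.'
    if ($SetComplete) {
        # Switch to a complete dump and clear the active-dump filter.
        Set-ItemProperty -Path $key -Name CrashDumpEnabled -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name FilterPages -Value 0 -Type DWord
        Write-Host 'Set to Complete; reboot for the change to apply.'
    }
}

# A complete dump is written via the page file, so compare its size to installed RAM.
$ramMB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$pageMB = (Get-CimInstance Win32_PageFileUsage | Measure-Object AllocatedBaseSize -Sum).Sum
Write-Host "RAM: $ramMB MB, page file currently allocated: $pageMB MB"
if ($pageMB -lt $ramMB) {
    Write-Warning 'Page file is smaller than RAM; a complete dump may not fit.'
}

# Show the boot debugger settings so the hostip/port can be checked against the WinDbg host.
bcdedit /dbgsettings
bcdedit /enum '{current}' | Select-String -Pattern 'debug'
```

`bcdedit /dbgsettings` prints the KDNET key again, so treat the script output like the key itself.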

  • I'm attempting this now on one of the more problematic computers.  I've had it running in debug for five days and it hasn't crashed yet, so a bit frustrating.  Thought maybe it could be a corrupted user profile, but this has happened to freshly imaged computers also.

  • Hi Sophos User5115

    Good day, have you successfully got the dump?

    I found our customer's affected computers (6 HP Compaq 8100 Elite CMT PC + 1 ASUS PC) all have Broadcom Netxtreme drivers b57nd60a, ebdrv, b06bdrv, where b57nd60a is the same as yours, but all of them have no actual Broadcom Netxtreme network card hardware on the computer, only drivers placed in the system by the manufacturer. You cannot see them in the Device Manager but you can see them in msinfo32.exe and C:\Windows\System32\drivers.

    They had tried to rename these drivers' extensions from .sys to .old in C:\Windows\System32\drivers to unload them a few days ago, but the freeze still occurred that time.