
Multiple PCs frozen right after update.

Over the last couple weeks, since we received the Core Agent update to 2.19.8 on 10/4, we've had multiple older machines freeze completely.  Screen freezes, no keyboard or mouse, NIC unresponsive.  We have to do a hard shut down to bring them down and back up.  Not positive that this update is the culprit, but on the computers that have been freezing 2 to 3 times a day, we uninstalled Sophos and they've been behaving for a couple days now. 

Models affected:  HP xw4400, HP xw4600, Z400.  All have been running Win10 21H1 with last update back in September.  "Newer" computers (e.g. Z420, Z4 G4) have not had this problem.  Event logs show nothing out of the ordinary around the time of crash.  

Just curious if anybody else has run into this in the last week.    



This thread was automatically locked due to age.
  • We are having the same issue with HP 6000 Pro SFF with Intel Nics. About 48 computers with the issue since October.

  • We have narrowed it down.

    Disabling Endpoint Defense by renaming the .sys file corrects the lockup problem, but the HitmanPro and A-V settings are irrelevant.

  • Vman, which file of type .sys are you referring to?  Sophos rep had me rename hmpalert.sys and savonaccess.sys. But the rename didn't solve the issue.

  • Disable Tamper Protection

    Note: a Sophos update will add the file back and enable the service.

    Sophos Endpoint Defense Isolation:
    a) Access the following folder: C:\Windows\System32\drivers\
    b) Rename SophosED.sys to SophosED.sys.orig
    c) Reboot the device

    Systems we have done this on are stable.

    Sophos Support is just capturing SDUs with no action.

    We have submitted almost 10 SDUs with verbose logging and still nothing from Sophos Support.

  • Whenever I did this, it just recreated the SophosED.sys and didn't solve anything.   I ended up going to the cloud management and made a policy with the file scanning turned off and just put the problem PCs in that group.  

  • Just to confirm? 

    Cloud portal - > Endpoint Protection - Policies -> Threat Protection -> new policy with computer - turn off

    "Real-time Scanning - Local Files and Network Shares"


     

  • Interesting, I'm running Intercept X with Endpoint advanced. I renamed SophosED.sys to SophosED.orig, not SophosED.sys.orig, and rebooted. The file did not reappear in the .sys state, but I did get the error messages: Sophos IPS and Sophos System Protection Services stopped. I've been running the music tests for 3+ hours now to see if that "fixes" the issue of freezing. That is NOT a solution to Sophos S/W design!!! Actually, it's really a Microsoft issue, as I commented on in an earlier (10:41 PST) post (below). Since the March 2021 Windows updates, things have gone FUBAR with Sophos. By NOT updating to the latest Win updates after March 2021 or May 2021, I have no problem playing music for 12 hours continuously and running Sophos. So MS stuffed something up really good. One MS MVP consultant stated, "with the older PCs and MS updates continuing, it's only going to get worse!" When I run stuff on my new Vostro 5510 laptop and Optiplex 5090 MT running Windows 10 Pro, I have NO problem. Maybe something with the drivers that Dell NO LONGER supports on these older PCs!

  • I didn't turn off any of my Protection Override policies in the local settings. The box is still unchecked. In the Central Control for two PCs I allowed for settings to be changed locally in them for testing. The Real-Time-Scanning is still active. MS has done something different in the newer drivers and Dell does NOT support the older systems with later driver updates. Question is, which driver(s) cause the problem? I've gotten NOOOOO helpful response from MS, (DOH)! It's basically a 0 ROI on MS and Dell to get you to buy newer PCs and OS updates! Common business practice. Guess you could pay MS or a consultant to write us a driver update, but would that address later MS Win 10 updates??? So I started testing/working with the new laptops and MT desktop PCs.


  • I really don't think it is related to MS updates in this case.  I have machines on 1903 still that hadn't updated since Feb. and they were doing it since the early October Sophos update.

  • October 2021, namely when the Sophos core updated to 2.19.8.   Had about 10 of them crash all the same day after that update and never had this issue with any PC before then.  

  • Tim, we (Sophos) probably have multiple issues, but I will put a 3/12/21 Windows HDD baseline in the one test PC and update Sophos to 2.19.8 core and see what happens. Laptop has 2.20.4.1 core and is running music, coming up on the 3 hr cliff mark. Ran for 5 hours no problem. Drivers on laptops must be better??? Surely someone in Sophos development must have the insight into this! I reflect back on the movie, Space Cowboys... maybe they still need us old farts to solve the problems again. Miss those days, best mission was Apollo 13! Duct tape and a determination to git er dun!! I recall being in a situation back in '86 with a microprocessor system trying to capture why it was cratering. Simple communication collision. But the process to find it? Priceless.