Multiple PCs frozen right after update.

Over the last couple weeks, since we received the Core Agent update to 2.19.8 on 10/4, we've had multiple older machines freeze completely.  Screen freezes, no keyboard or mouse, NIC unresponsive.  We have to do a hard shut down to bring them down and back up.  Not positive that this update is the culprit, but on the computers that have been freezing 2 to 3 times a day, we uninstalled Sophos and they've been behaving for a couple days now. 

Models affected:  HP xw4400, HP xw4600, Z400.  All have been running Win10 21H1 with last update back in September.  "Newer" computers (e.g. Z420, Z4 G4) have not had this problem.  Event logs show nothing out of the ordinary around the time of crash.  

Just curious if anybody else has run into this in the last week.    



[Update - Nov 23] The following KBA has been published regarding this issue - https://support.sophos.com/support/s/article/KB-000043418?language=en_US
[edited by: Qoosh at 8:41 PM (GMT -8) on 23 Nov 2021]
  • Hi Sophos User5115, may I ask for your Broadcom NetXtreme driver names? You can check them in msinfo32.exe > Software Environment > System Drivers > sort by "Description" and check the names of all the Broadcom NetXtreme components. Thank you.

  • All three affected HP models (xw4400, xw4600, Z400) are using the Broadcom NetXtreme driver b57nd60a.  Oddly we have around 70 of these models and only 20 have been affected that have been reported to me. 

  • The other option is to involve another computer and try setting up kernel debugging over the network as detailed here:

    Setting Up KDNET Network Kernel Debugging Manually - Windows drivers | Microsoft Docs

    Essentially you get the IP address of the "good" machine you're going to connect from with WinDbg. E.g. 192.168.1.5

    On the target computer to be debugged, the failing computer in this case, run the following in an admin prompt:

    bcdedit /debug on

    bcdedit /dbgsettings net hostip:192.168.1.5 port:50000

    This will print you a key you need to copy to the "good" computer.

    You can then launch WinDbg on the "good" machine, choose Kernel Debugging and use the key under the Net type.

    It will try and connect. If you reboot the target, so the bcdedit commands take effect, when it comes back up you should be connected to it in WinDbg from the good computer.

    When the "target" computer has the issue, when connected, you can run ".crash" in WinDbg to bugcheck the "bad" computer.  This should create a MEMORY.DMP dump under \windows\ on the bad computer.  Ensure it's set to create a complete or active dump.

    Maybe this could work?

  • I'm attempting this now on one of the more problematic computers.  I've had it running in debug for five days and it hasn't crashed yet, so a bit frustrating.  Thought maybe it could be a corrupted user profile, but this has happened to freshly imaged computers also.

  • Hi Sophos User5115

    Good day, have you successfully got the dump?

    I found our customer's affected computers (6 HP Compaq 8100 Elite CMT PC + 1 ASUS PC) all have the Broadcom NetXtreme drivers b57nd60a, ebdrv, b06bdrv, where b57nd60a is the same as yours, but none of them have actual Broadcom NetXtreme network card hardware in the computer, only drivers placed in the system by the manufacturer. You cannot see them in Device Manager, but you can see them in msinfo32.exe and C:\Windows\System32\drivers.

    They had tried renaming these drivers' extensions from .sys to .old in C:\Windows\System32\drivers to unload them a few days ago, but the freeze still occurred that time.

  • Hi Sophos User5115

    Are you still facing the issue?

    Thanks.

  • Yes, and I've been working with Sophos in disabling components again.   So far, within the client application, I've disabled tamper protection and have been turning off the File toggle every four hours.  It's been a few days and haven't had a crash since.   On Monday, I'll leave the toggle on and see if I can get it to crash.  Sophos has been insisting on a dump, but even with making the page file twice the amount of RAM and double checking all the dump settings, I haven't been able to capture anything.  I think it's because it freezes so completely that there's no chance for it to write anything before it needs to be rebooted.  

    As for the network drivers, it looks like our machines actually use them for their NIC, but it's interesting that they are a common factor in the crashing computers.  Those I've checked that aren't crashing don't have that driver installed.   
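
The dump settings discussed in the two posts above (complete or active dump, page file size, the bcdedit debugger settings) can be checked in one pass before waiting for the next freeze. This is an added example, not code from any poster or from Sophos; the function name `Get-DumpReadiness` and the sizing rule in it are assumptions.

```powershell
# Added example: run in an elevated PowerShell on the PC that freezes.
function Get-DumpReadiness {
    $cc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'

    # CrashDumpEnabled: 0 none, 1 complete, 2 kernel, 3 small, 7 automatic.
    # An active dump is stored as CrashDumpEnabled = 1 together with FilterPages = 1.
    $type = switch ($cc.CrashDumpEnabled) {
        0 { 'None' }
        1 { if ($cc.FilterPages -eq 1) { 'Active' } else { 'Complete' } }
        2 { 'Kernel' }
        3 { 'Small' }
        7 { 'Automatic' }
        default { "Unknown ($($cc.CrashDumpEnabled))" }
    }

    $ramMB  = [math]::Round((Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
    $pageMB = [int64](Get-CimInstance Win32_PageFileUsage |
                  Measure-Object -Property AllocatedBaseSize -Sum).Sum
    $drive  = Split-Path -Qualifier $cc.DumpFile          # e.g. C:
    $freeMB = [math]::Round((Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'").FreeSpace / 1MB)

    [pscustomobject]@{
        DumpType        = $type
        DumpFile        = $cc.DumpFile
        AutoReboot      = [bool]$cc.AutoReboot
        RamMB           = $ramMB
        PageFileMB      = $pageMB
        FreeOnDumpDrive = $freeMB
        # Rough sizing rule (assumption): page file and free space at least RAM size.
        SizedForDump    = ($type -in 'Complete', 'Active') -and
                          ($pageMB -ge $ramMB) -and ($freeMB -ge $ramMB)
        # Current debugger transport from bcdedit, with the KDNET key line left out.
        DebugSettings   = (bcdedit /dbgsettings | Where-Object { $_ -notmatch '^\s*key' }) -join "`n"
    }
}

Get-DumpReadiness | Format-List
```
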

  • Hi Sophos User5115

    Thank you very much for your reply.

    I would be very grateful if you could share the update with me.

  • One of our clients is doing the same thing. They are all older PCs, Precision WorkStation T3500. As said, I cannot pull crash dumps as it is a hard freeze with nothing except a power pull or power button hold down to get the unit to shut off. These PCs all use the following network card: Broadcom NetXtreme 57xx Gigabit Controller

  • Interesting.  I'm going to uninstall the driver and plug a USB-Ethernet adapter in and see if I come up with anything.
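
Several posts in this thread compare machines by whether the Broadcom drivers b57nd60a, ebdrv and b06bdrv are installed and whether a network device actually uses them. The following added example (not code from any poster or from Sophos) collects that across a list of PCs; the function name `Get-ThreadDriverInventory` and the file `pcs.txt` are hypothetical.

```powershell
# Added example: report the Broadcom drivers named in this thread on one or more PCs.
function Get-ThreadDriverInventory {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    $names        = 'b57nd60a', 'ebdrv', 'b06bdrv'   # driver names quoted in the thread
    $driverFilter = ($names | ForEach-Object { "Name='$_'" })    -join ' OR '
    $deviceFilter = ($names | ForEach-Object { "Service='$_'" }) -join ' OR '

    foreach ($computer in $ComputerName) {
        # Query the local PC directly; remote PCs need WinRM reachable.
        $cim = @{ ErrorAction = 'Stop' }
        if ($computer -ne $env:COMPUTERNAME) { $cim.ComputerName = $computer }

        try {
            # Same list msinfo32 shows under Software Environment > System Drivers.
            $drivers = @(Get-CimInstance Win32_SystemDriver -Filter $driverFilter @cim)
            # PnP devices whose service is one of those drivers (i.e. real hardware).
            $devices = @(Get-CimInstance Win32_PnPEntity -Filter $deviceFilter @cim)
        } catch {
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }

        foreach ($d in $drivers) {
            $bound = @($devices | Where-Object Service -eq $d.Name)
            [pscustomobject]@{
                Computer     = $computer
                Driver       = $d.Name
                State        = $d.State        # Running / Stopped
                StartMode    = $d.StartMode
                Path         = $d.PathName
                BoundDevices = ($bound.Name -join '; ')
                # True when the driver is registered but no device uses it.
                DriverOnly   = ($bound.Count -eq 0)
            }
        }
    }
}

# Local PC; for a fleet: Get-ThreadDriverInventory -ComputerName (Get-Content .\pcs.txt)
Get-ThreadDriverInventory | Format-Table -AutoSize
```

Comparing the output for PCs that freeze against PCs that do not shows whether the driver, or a device bound to it, is the common factor.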