Multiple PCs frozen right after update.

What USB monitoring setting are you talking about?  If under peripheral control, I have that disabled as is.  If there is something else I am missing, let me know and I will try it.

VMAN - Your response lacks information and is kind of confusing when you say "but the hitmanpro and AV settings are irrelevant".  Can you elaborate on what you are trying to say?  And what .sys file are you talking about and where is it located?

We have it set to monitor USB devices when they are connected in the policy.  Don't worry about it now, I'm crashing with PS2 connections, so it's not USB.  It seems to be something to do with the keyboard and/or mouse directly connected, regardless of connection type.  Though I could be wrong and there's something else weird that goes on that I didn't trigger when I did my no-peripheral-test through Teamviewer.   

I guess they are referring to SophosED.sys which is the file system filter driver which is part of the "Sophos Endpoint Defense" component.  It sounds like disabling this, by renaming it and rebooting prevents the issue (maybe also stop/disable the Sophos AutoUpdate Service) to prevent it being re-instated).  I guess they concluded that if this SED driver is related, the HMPA component is not related.  Not totally convinced by that as there is some cross communication. I guess, they are also suggesting, that by not changing the threat protection policy between disabling the SophosED.sys driver, this suggests that these are not related but much of the threat protection policy configures the SophosED.sys driver.  I think I would take from his comment that SophosED.sys could be related, so you could disable that.  Doing so does disable an awful lot of the product so it's hard to say what that means.

You're not alone, very frustrating that there are no real solutions yet.

Hi there,

we have a very similar problem with the sophos endpoint on Win10 HP Z400 workstations. We have a freeze about once a week.

We have also opened a support ticket and have already sent SDU data, but received no real help.
We are supposed to do a memory dump, which is not possible with a freeze. You don't get any helpful answers from Sophos to direct queries, only "Standard - have you already tried this or do the following .." Yes, we did, but it doesn't work :-(

Now we have also deactivated the real-time scanner on two computers - it seems to work. But that cannot be the solution.

Are there any other practical solutions here in the Community?
Thank you very much!

P.S. Sorry for the "bad" english via google translate.

Seems I'm not alone on the freeze issue. Mine occurs when I play music on ANY of my Optiplex PCs for around 3 hours and hard power cycle reboot required. I got the same canned response as Qoosh got. Nothing worked... Reading the issues around "peripherals" and think, whaaaaat are they doing in S/W development that USB and other peripherals cause problems???  My systems don't freeze if I play NO music. I have Task Manager and Resource Monitor up to look under the hood. All the freezes occurs when SophosFileScanner starts to run. Turning this scanner off In Settings/Central Policy stops the freeze, but this is NOT repeat NOT the way to fix Sophos S/W issues!! The problem started occurring after May 2021 when MS updates/Sophos did something to stuff up the works. I rolled my OS back to the March 2021 baseline, updated Sophos and no freezes.  I then did a MS Windows update, played music, FREEZE... Man do I hate having to fix other peoples' $#%@ S/W. So something that  MS has done in their *** Updates etc is the real issue. How will Sophos address this??? I have NO problem on my Dell laptops (older) nor on the newer Dell laptops  and desktop PCs.  Eeeeeenteresting problem, folks!

Vman, which file of type .sys are you referring to?  Sophos rep had me rename hmpalert.sys and savonaccess.sys. But the rename didn't solve the issue.

Disable Tamper Protection

Note: a Sophos update will add the file back and enable the service.

Sophos Endpoint Defense Isolation:
a) Access the following folder: C:\Windows\System32\drivers\
b) Rename SophosED.sys to SophosED.sys.orig
c) Reboot the device

System we have done this are stable.

Sophos Support is jsut capturing SDU's with no action.

we have submitted almost 10 SDU's and with verbose logging and still nothing from Sophos Support.

Whenever I did this, it just recreated the SophosED.sys and didn't solve anything.   I ended up going to the cloud management and made a policy with the file scanning turned off and just put the problem PCs in that group.