Multiple PCs frozen tight after update.

Over the last couple weeks, since we received the Core Agent update to 2.19.8 on 10/4, we've had multiple older machines freeze completely.  Screen freezes, no keyboard or mouse, NIC unresponsive.  We have to do a hard shut down to bring them down and back up.  Not positive that this update is the culprit, but on the computers that have been freezing 2 to 3 times a day, we uninstalled Sophos and they've been behaving for a couple days now. 

Models affected:  HP xw4400, HP xw4600, Z400.  All have been running Win10 21H1 with last update back in September.  "Newer" computers (e.g. Z420, Z4 G4) have not had this problem.  Event logs show nothing out of the ordinary around the time of crash.  

Just curious if anybody else has run into this in the last week.    

  • Hello,

    Thank you for reaching out to the Sophos Community. 

    If you were looking to troubleshoot this issue a bit further, I'd recommend trying to perform some feature isolation to see if we can narrow down what components may be playing a part in things. 

    As it seems the issues take some time to emerge, you may want to interact with the drivers on the affected device(s). I recommend only doing one of the following components at a time and observing the device as the day goes on to see if this improves the results you’re getting.

    HMPA Isolation:
    a) Access the Services and stop then disable the following service:HitmanPro.Alert service
    b) Access the following folder: C:\Windows\System32\
    c) Rename hmpalert.dll to hmpalert.orig
    d) Access the following folder: C:\Windows\SysWOW64\
    e) Rename hmpalert.dll to hmpalert.orig
    f) Reboot the device

    SAV Isolation:
    a) Access the Services and stop then disable the following service: Sophos Anti-Virus 
    b) Reboot the device

    Sophos Endpoint Defense Isolation:
    a) Access the following folder: C:\Windows\System32\drivers\
    b) Rename SophosED.sys to SophosED.sys.orig
    c) Reboot the device

    Let me know what your findings are by updating this thread and we can advise further based on the results.

    Kushal Lakhan
    Global Community Support Engineer
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • When in that state, does this work: - It would be good to know if you can force a complete/active memory dump? is another option to force a dump but the above newer power button method might be simpler and save messing about changing keys if you don't have a scroll-lock key.

    If you can set it the computer to create a Complete or ideally Active dump to reduce the size that would be of most interest to understand what has happened.