Windows 7 OS Updates blocked since October

Hi all.

We have some legacy Windows 7 machines, all with valid ESU licenses from Microsoft.

These machines have been getting and installing updates via our WSUS servers for months without issue.

Recently, we've noticed that they fail to apply OS updates, although updates to other apps (e.g. Office) install without issue.

These installations fail after the 'restarting to apply update' phase.

Uninstalling the Endpoint product allows these updates to be installed without issue.

Anyone else seen anything similar?

Thanks in advance,

Mark

  • Hi,

    Apart from uninstalling the endpoint, have you tried any other troubleshooting around this? I'd recommend you try isolating the component by following this KBA and see if switching off one of the components resolves the issue. - https://support.sophos.com/support/s/article/KB-000036572?language=en_US

    Yashraj Singha
    Team Lead | Global Support Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Yashraj, thanks for your reply. I work closely with Mark, and we have already tried this; in fact we turned off all features, but as the issue is at the point of restart, when it applies the configuration of the updates, Sophos obviously resets itself back to normal after a restart. We have tried all the below already;

    HMPA Isolation:
    a) Access the Services and stop then disable the following service:HitmanPro.Alert service
    b) Access the following folder: C:\Windows\System32\
    c) Rename hmpalert.dll to hmpalert.orig
    d) Access the following folder: C:\Windows\SysWOW64\
    e) Rename hmpalert.dll to hmpalert.orig
    f) Reboot the device

    SAV Isolation:
    a) Access the Services and stop then disable the following service: Sophos Anti-Virus
    b) Reboot the device

    Sophos Endpoint Defense Isolation:
    a) Access the following folder: C:\Windows\System32\drivers\
    b) Rename SophosED.sys to SophosED.sys.orig
    c) Reboot the device

    Nothing has helped as yet, apart from simply removing the Sophos Central client itself from the system.

    However, on the above, we have now been able to set this machine in the Central console to always have tamper protection off, so technically I should now be able to go through and turn all the features off and have them remain off. So I will try this again now, assuming these features stay off upon reboot, to see if this then works. I do then have other devices on which I can turn the features off one at a time so as, as you say, to narrow down the potential component causing this. Will feed back soon, thanks.

  • OK, scratch that. The settings, like turning off real-time scanning, appear to reapply themselves on the device after the restart, so again this may not prove a useful test as they don't appear to remain disabled. I can only assume that upon the restart they reapply themselves in the background, which doesn't help determine whether this feature was indeed off during the configuration of the updates and the cause of the issue or not.

  • In short, to add to my post below, I have tried all of these steps regardless of whether the settings do stay off during the restart (as they all appear re-enabled upon the reboot into Windows), but with no resolution; turning them off one at a time and trying, or all off together, the updates still fail and revert the configuration upon the update restart request. Removing Sophos Central currently appears to be the only way to get these updates installed.

    Please, if you have further suggestions, feel free to provide them. I have since also tried the below without result;

    Step 1

    1. Access the following folder: C:\Windows\System32\drivers\
    2. Rename hmpalert.sys to hmpalert.orig
    3. Reboot the computer.
    4. Test the issue and share the result
    5. Revert the changes

    Step 2-

    1. Access the following folder: C:\Windows\System32\drivers\
    2. Rename savonaccess.sys to savonaccess.orig
    3. Reboot the computer.
    4. Test the issue and share the result
    5. Revert the changes

    Step 3-

    1. Disable Tamper Protection in Sophos Endpoint
    2. Navigate to C:\Windows\System32\Drivers
    3. Locate the file 'sntp.sys'
    4. Rename the file to sntp.sys.OLD
    5. Reboot the server to unload the filter driver
    6. Retest
    7. Remove .old from sntp.sys.old

    All W7 machines that have Sophos Central installed are affected, but again this appears to have changed only recently (about a week or two ago), as before they were all updating without issue. Has a recent Sophos Central agent update gone out that caused an issue (although I'd expect other customers to maybe also be finding this issue otherwise)? Our agent details the below version numbers;

    Core Agent 2.20.4.1

    Endpoint Advanced 10.8.11.3

    Sophos Intercept X 2.0.22

    We have also tried to put one of these devices into the early access BETA group, but this didn't appear to resolve the issue either (the only product that appeared to be altered from the above when we added this to the BETA early access was Intercept X, which went to 2.0.23).

    Thanks

    Damien
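The manual isolation steps posted above (stop and disable the service, rename the DLLs and drivers, reboot, retest, revert), and the later observation that the disabled features appear to come back after the reboot, can be scripted so that each pass is repeatable and the post-reboot state is actually checked rather than assumed. The following is an added example written for this thread, not Sophos-supplied code. It assumes an elevated PowerShell session (the 2.0 version shipped with Windows 7 is enough), that Tamper Protection has already been turned off in Sophos Central, and that the service display names and file names are exactly those quoted in the isolation steps above; the `.orig` suffix scheme and the `fltmc`-based "loaded" check are this example's own choices.

```powershell
<#
  Sophos component isolation helper for the Windows 7 / WSUS failure in this thread.
  Added example, not Sophos-supplied code. Assumes: elevated PowerShell (2.0 is
  enough), Tamper Protection already off in Sophos Central, and the service
  display names / driver and DLL file names below are those posted in the thread.
#>
$Sys32 = Join-Path $env:SystemRoot 'System32'
$Components = @{
    'HMPA' = @{ Services = @('HitmanPro.Alert service')
                Files    = @("$Sys32\hmpalert.dll",
                             "$env:SystemRoot\SysWOW64\hmpalert.dll",
                             "$Sys32\drivers\hmpalert.sys") }
    'SAV'  = @{ Services = @('Sophos Anti-Virus')
                Files    = @("$Sys32\drivers\savonaccess.sys") }
    'SED'  = @{ Services = @()                         # Sophos Endpoint Defense driver
                Files    = @("$Sys32\drivers\SophosED.sys") }
    'SNTP' = @{ Services = @()                         # filter driver from "Step 3" above
                Files    = @("$Sys32\drivers\sntp.sys") }
}

function Get-Component([string]$Name) {
    $c = $Components[$Name]
    if (-not $c) { throw "Unknown component '$Name'. Known: $($Components.Keys -join ', ')" }
    return $c
}

# One pass of the posted procedure: stop+disable the service(s), rename the file(s).
# Reboot afterwards; the rename only takes effect once the driver is unloaded.
function Invoke-Isolation([string]$Name) {
    $c = Get-Component $Name
    foreach ($disp in $c.Services) {
        $s = Get-Service -DisplayName $disp -ErrorAction SilentlyContinue
        if ($s) {
            Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
            Set-Service  -Name $s.Name -StartupType Disabled
        }
    }
    foreach ($f in $c.Files) {
        if (Test-Path $f) { Rename-Item -Path $f -NewName "$(Split-Path -Leaf $f).orig" }
    }
}

# Reverse of Invoke-Isolation (the "revert the changes" step).
function Undo-Isolation([string]$Name) {
    $c = Get-Component $Name
    foreach ($f in $c.Files) {
        if (Test-Path "$f.orig") { Rename-Item -Path "$f.orig" -NewName (Split-Path -Leaf $f) }
    }
    foreach ($disp in $c.Services) {
        $s = Get-Service -DisplayName $disp -ErrorAction SilentlyContinue
        if ($s) { Set-Service -Name $s.Name -StartupType Automatic; Start-Service -Name $s.Name -ErrorAction SilentlyContinue }
    }
}

# Run this AFTER the reboot and BEFORE retrying the update: it shows whether the
# change survived the restart (the thread reports settings re-enabling themselves).
# filter_loaded is best-effort from 'fltmc filters' and only meaningful for minifilters.
function Get-IsolationState {
    $loaded = (& fltmc.exe filters 2>$null) -join "`n"
    foreach ($name in $Components.Keys) {
        $c = $Components[$name]
        foreach ($disp in $c.Services) {
            $w = Get-WmiObject Win32_Service -Filter "DisplayName='$disp'"
            if ($w) { "{0,-5} service {1,-22} state={2,-8} start={3}" -f $name, $w.Name, $w.State, $w.StartMode }
        }
        foreach ($f in $c.Files) {
            $leaf = Split-Path -Leaf $f
            $base = [IO.Path]::GetFileNameWithoutExtension($leaf)
            "{0,-5} file    {1,-22} present={2,-5} renamed={3,-5} filter_loaded={4}" -f `
                $name, $leaf, (Test-Path $f), (Test-Path "$f.orig"), ($loaded -match "(?im)^$base\b")
        }
    }
}

# Windows 7 servicing (CBS) log: the component that fails during "configuring
# updates" is normally named in the last Error lines here. Assumes the standard
# '<timestamp>, Error  CBS  ...' line layout.
function Get-RecentCbsErrors([int]$Last = 20) {
    $log = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'
    if (Test-Path $log) {
        Select-String -Path $log -Pattern ', Error ' | Select-Object -Last $Last | ForEach-Object { $_.Line }
    }
}

# Usage, one component per pass, rebooting in between:
#   . .\SophosIsolate.ps1; Invoke-Isolation HMPA; Restart-Computer
#   . .\SophosIsolate.ps1; Get-IsolationState      # after reboot: did it stick?
#   (retry the WSUS update)  Get-RecentCbsErrors   # what did CBS reject?
#   Undo-Isolation HMPA
```

The useful part is the `Get-IsolationState` call after the reboot: if a driver shows `present=True renamed=False`, or its service shows `start=Auto`, the isolation did not survive the restart and the negative test result for that component says nothing, which is exactly the uncertainty raised above. `Get-RecentCbsErrors` is there because a failure at the "configuring updates" stage is a servicing-stack failure, and CBS.log, not the Sophos logs, is where the rejected package is named.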

  • To narrow down the issue a bit further, is it possible for you to try the following steps? 

    - From Sophos Central go to the "Devices" page and select the check-box next to a test device
    - Use the "Manage Endpoint Software" button to specify to remove all protection components

    Once this is completed, the device in question will only have the "Core Agent" deployed. 

    If possible, I recommend testing if the Windows update proceeds in this state.
    If you suspect the issue is specifically with Intercept X however, we can re-deploy one of the scanning engines by using the following command with an installer package. 

    - SophosSetup.exe --products=antivirus

    If the Windows Update succeeds in this state, it would lead us to believe it is in fact Intercept X which may be causing issues.
    You may even want to start by deploying the "Sophos Exploit Prevention cumulative hotfix" package to find out if this will help. 

    Let me know what your findings are.

    Kushal Lakhan
    Global Community Support Engineer
  • Hi Kushal, many thanks for your message. I wasn't aware of this 'Manage Endpoint Software' option in the console; it seems a good way to remove all protection to help narrow this down. I have therefore run this and, to my surprise, even with just the Core Agent on (as you stated, going by the About details on the agent) and restarting, the updates still do not apply; they revert and fail.

    On this basis, can I assume this potentially narrows it down to the point that it's not anything like Intercept X causing this, as only the Core Agent was installed and the device was set to No Protection, and therefore your above two additional points regarding the Intercept X redeployment (which I didn't fully understand) and the hotfix are irrelevant and there is no point in testing them, as it appears to be something in the Core Agent causing the issue?

    Please let me know what else you suggest. I have also run an SDU (and sent this to support), including a Process Monitor log they requested of me (although I haven't sent that yet as I'm awaiting an FTP link, as it's too large to email).

    Thanks, I await your further assistance.

    Damien

  • Hi Damien,

    I've reached out via DM to request details on the support case you have opened. I would like to add some additional notes to progress things further. 

    The core agent consists of only a few components, of which I would assume the 'Endpoint Defense' component would be the most likely to interfere with an OS update. Considering the initial troubleshooting you performed isolated the Endpoint Defense driver already, I'm slowly running out of ideas.

    I'll try testing this out in a VM to find out more and let you know if I find anything useful.

    Cheers,

    Kushal Lakhan
    Global Community Support Engineer
  • Hi Kushal, many thanks for your message and DM. I have replied to this with our case number as you requested.

    I was able to perform an upload (in the end) of the Process Monitor boot log that the case rep had requested, with yet another SDU straight afterwards, and sent these yesterday, so I hope to have some more information from Sophos after they look at these, although I'm not sure how useful they are. As you say, I think this is a very strange case, and I'm surprised it's just ourselves having this issue and not a wider scale for all W7 users using Sophos Central (although I'm sure this number is reducing by the day with the move to W10 etc., I'm sure a lot of companies still have a subset of legacy W7 machines).

    As mentioned before, we have been fine up until the start of November (I don't have an exact date as to when we started seeing this, but in the recent 2-3 weeks), with updates applying as usual, so I've started to wonder if the Sophos Central agent itself has had some updates recently that may have caused this interference with the W7-specific OS updates applying (but again, I'd expect other people to be getting the same issue). Very strange indeed, but it is starting to get critical now as more and more users are getting the W7 updates prompt repeating as the updates fail, and obviously they are not secure as they are now falling out of date with the updates. Your help is much appreciated.

  • Hi Kushal

    Also, I have no idea if this is relevant, but after setting this test device to No Protection per your earlier message, the device of course still shows Tamper Protection disabled in About, but Malicious Behaviour Detection enabled. Whilst waiting for further support, I thought I'd also just try to turn this off in the Central admin policy that this device is assigned to, under Runtime Protection, and updated the device's Sophos Central agent via About > Update, but Malicious Behaviour Detection still remains enabled in the settings. Only this and Tamper are listed left, but this still shows as enabled when it should be disabled based on the policy de-selections made?