This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows 7 OS Updates blocked since October

Hi all.

We have some legacy Windows 7 machines, all with valid ESU licenses from Microsoft.

These machines have been getting and installing updates via our WSUS servers for months without issue.

Recently, we've noticed that they fail to apply OS updates, although updates to other apps (e.g. Office) install without issue.

These installations fail after the 'restarting to apply update' phase.

Uninstalling the Endpoint product allows these updates to be installed without issue.

Anyone else seen anything similar?

Thanks in advance,

Mark



This thread was automatically locked due to age.
Parents
  • Hi ,

    Apart from uninstalling the endpoint, have you tried any other troubleshooting around this? I'd recommend you try isolating the component by following this KBA and see if switching off one of the components resolves the issue. - https://support.sophos.com/support/s/article/KB-000036572?language=en_US

    Thanks,
    Yashraj Singha
    Manager | Global Community Support
    Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • In short to my below, i have tried all of these steps regardless of whether the settigs do stay off during restart (as they all appear re-enabled upon the reboot into windows) but no resolve, turning them off one at a time and trying or all off togehter..updates still fail and revert the configuration upon update restart request. Removing Sophos Central currently appears the only way to get these updates installed. 

    Please if you have further suggestions feel free to provide.. I have since also tried the below without result;

    Step 1

    1. Access the following folder: C:\Windows\System32\drivers\
    2. Rename hmpalert.sys to hmpalert.orig
    3. Reboot the computer.
    4. Test the issue and share the result
    5. Revert the changes

    Step 2-

    1. Access the following folder: C:\Windows\System32\drivers\
    2. Rename savonaccess.sys to savonaccess.orig
    3. Reboot the computer.
    4. Test the issue and share the result
    5. Revert the changes

    Step 3-

    1. Disable Tamper Protection in Sophos Endpoint
    2. Navigate to C:\Windows\System32\Drivers
    3. Locate the file 'sntp.sys'
    4. Rename the file to sntp.sys.OLD
    5. Reboot the server to unload the filter driver
    6. Retest
    7. Remove .old from sntp.sys.old

    All W7 machines are effected that have Sophos Central installe,d but gaain this appears to have changed only recently (about a week or two ago), as before they were all updating without issue...has a recent Sophos Central agent update gone out that caused an issue (although id expect other customers to maybe also be finding this issue otherwise?) our agent details the below version numbers;

    Core Agent 2.20.4.1

    Endpoint Advanced 10.8.11.3

    Sophos Intercept X 2.0.22

    We have also tried to put one of these devices into the early access BETA group, but this didnt appear to resolve the issue either. (but the only product that appeared to be altered from the above when we added this to the BETA early access was the interept X which went to 2.0.23.

    Thanks

    Damien

  • Hi Kushal...many thanks for your message and DM..i have replied to this with our case number as you requested.

    I was able to perform an upload (in the end) for the Process Monitor boot log that the case rep had requested with yet another SDU straight afterwards..and sent these yesterday..so i hope to have some more information from sophos after they look at these..although im not sure how useful they are...as you say i think this is a very strange case, and im surprised its just ourselves having this issue and not a wider scale for all W7 users using Sophos Central (although im sure this number is reducing by the day with the move to W10 etc..but im sure a lot of companies still have a subset of legacy W7 machines). 

    As mentioned before, we have been fine up until start of November (dont have an exact date as to when we started seeing this but recent 2-3 weeks), updates applying as usual..so ive started to wonder if the Sophos Central agent itself has had some updates recently that maybe have caused this interference between the OS w7 specific updates applying (but again id expect other people to be getting the same issue)..very strange indeed, but starting to get critical now as more and more users are getting the w7 updates prompt repeating as the updates fail and obviously not being secure as now falling out of date with the updates..your help is much appreciated.

  • Hi Kushal

    Also i have no idea if this is relevant, but after setting this test device to No Protection from your earlier message, the device of course still shows in the About Tamper Protection disabled, but Malicious Behaviour Detection enabled...whilst waiting for further support, i thought id also just try to turn this off in the Central admin policy that this device is assigned to under Runtime Protection..and updated the devices sophos central agent via about - update but Malicious Behaviour detection still remains enabled in the settings..only this and tamper are listed left..bu this still shows as enabled when it should be disabled based on the policy de-selections made?

  • Hi Kushal, still no progress from Sophos via the ticket yet..ive been pushed up to second line it appears, but the enigneer has so far detailed he loaded up a W7 VM with sophos and can update without issue (i assume hes doing it via Check for updates)..we have tried instlaling updates manually from windows upate altagloue ourselves as a test, as all our devices get upates from WSUS (which he did just ask us) so im not sure if this makes any difference..but i did suspect if he ran a VM himself that he wouldnt get any issues, as otherwise id expect to see more of these issues globally world wide if others were having the problems...this is why i beleive for what ever reason its related to aixtron and our machines and sopohs..either due to a odd sophos policy or setting we might have in place, or some GPO on our W7 devices oddly..so i kind of hope they can see something from the logs i have generated and provided to them..any kick you can provide them, or additional test, please let me know,

    THanks

    Damien

  • I have followed up with you via DM to keep you updated on the progress.

    I was also able to look into the logs you provided to advise some further troubleshooting steps. 

    Let me know if you can report back your findings either to the support case or via DM so that I may update the case internally. 

    Thank you,

    Kushal Lakhan
    Team Lead, Global Community Support
    Connect with Sophos Support, get alerted, and be informed.
    If a post solves your question, please use the "Verify Answer" button.
    The New Home of Sophos Support Videos!  Visit Sophos Techvids
  • Hi Kushal, many thanks for your reply, i will look at your DM now, and report back. thanks

  • For anyone wanting an update on this issue...there is still no update..Level 3 support have supposedly passed this onto development..but other than being asked to run a few more tests on a w7 machine, nothing really has moved on this...i had removd sophos agent from one device which of course then allowed the machine to apply its updates, i then provided a log on this so they could compare a 'failed' log when sophos was installed and one when it wasnt, i then reinstalled sophos which caused further updates to still fail again as expected..but disabling all the sophos services on this device then allowed the updates to install..leading us to beleive it was a services issue with one or more of the sophos services..however on trying to do the same on another machine (that hadnt had sohpos uninstalled and reinstalled however) this hasnt produced the same result with the services disabled...very odd..awaiting further responce from Sophos!

  • We have also been experiencing this issue for Server 2008 r2 ESU patches. Started around the beginning of November. Patches install fine when Sophos Endpoint Agent is uninstalled. As soon as it is installed, patches get uninstalled/fail on the reboot phase.

  • We are having the same issue with Windows 7 devices: Microsoft Updates will install only if Sophos is uninstalled first. We raised a call with Microsoft, who confirmed that Sophos is locking the files. Sophos has referred us to the link below, which is very unhelpful. 

    Advisory: Windows 7 and 2008 R2 Nov/Dec 2021 updates may fail to install (sophos.com) 

    The link above mentioned files ntdll.dll and cryptnet.dll, which are included in the Windows 7 December update (KB5008244). (ntdll.dll 6.1.7601.25792 10-Nov-21 20:19
    cryptnet.dll 6.1.7601.25757 11-Oct-21 20:31)

    Microsoft have advised that Sophos should raise a call with them to resolve the issue.

    I too am awaiting a response from Sophos.

  • Yup and this is still an issue for us as the original poster...the sophos article also doesnt help, at least the workaround as turning off tamper and disabling the services doesnt work on all devicves for some reason..so the best and confirmed only way is to remove sophos do the upddates and reinstall sophos..but this isnt a great option espeially when we have many W7 devices for special reasons and there is no policy method to turn tamper offf in central anymore for bulk amount of devices..its eitehr the entire thing, or manually on individual devices...ilm still awating sophhos to get back to me..

Reply
  • Yup and this is still an issue for us as the original poster...the sophos article also doesnt help, at least the workaround as turning off tamper and disabling the services doesnt work on all devicves for some reason..so the best and confirmed only way is to remove sophos do the upddates and reinstall sophos..but this isnt a great option espeially when we have many W7 devices for special reasons and there is no policy method to turn tamper offf in central anymore for bulk amount of devices..its eitehr the entire thing, or manually on individual devices...ilm still awating sophhos to get back to me..

Children
No Data