SophosNetFilter causing BSOD

Yoni26 2 months ago

Hello,

We have a client with 26 computers joined to a domain. Eight of the computers started to have a BSOD as soon as the user would login to their domain profile, or if started to browse the web. After looking at the dumps we noticed that the cause is SophosNetFilter.

Via Sophos central we turned off the web filter policy, as well as Real-Time Internet scanning. Once we disabled these settings, the computers stopped crashing and they have been working fine since. The version of the Sophos Endpoint on the computers is 2023.2.1.6.

The only change on the systems and network was the Windows update KB5034766 that was installed the night prior.

Added tags
[edited by: Gladys at 11:25 AM (GMT -8) on 5 Mar 2024]

Top Replies

Qoosh 2 months ago in reply to Qoosh +1 verified

The following advisory was recently published. Let me know if Teramind is also present on the affected device(s). - BSOD when Sophos and Teramind are running together - Netio.sys

Parents

0 Qoosh 2 months ago

Hi Yonatan,

Thanks for reaching out to the Sophos Community Forum.

I'd suggest gathering a full memory dump from an affected device, as well as an SDU log. Once you have these, please open a support case via the Sophos Support Portal or by reaching Sophos Support directly using the regional contact numbers on this page. I suspect our team will want to take a much closer look into your issue.

Could you try running the "fltmc" command on one of the affected devices to verify if any additional drivers are loaded into the operating system?

If you have any minidump files already gathered from the previous crashes, could you send one to me via private message?

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Reply

0 Qoosh 2 months ago

Hi Yonatan,

Thanks for reaching out to the Sophos Community Forum.

I'd suggest gathering a full memory dump from an affected device, as well as an SDU log. Once you have these, please open a support case via the Sophos Support Portal or by reaching Sophos Support directly using the regional contact numbers on this page. I suspect our team will want to take a much closer look into your issue.

Could you try running the "fltmc" command on one of the affected devices to verify if any additional drivers are loaded into the operating system?

If you have any minidump files already gathered from the previous crashes, could you send one to me via private message?

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel

Children

+1 Qoosh 2 months ago in reply to Qoosh

The following advisory was recently published. Let me know if Teramind is also present on the affected device(s).
- BSOD when Sophos and Teramind are running together - Netio.sys

Kushal Lakhan

Team Lead, Global Community Support
Connect with Sophos Support, get alerted, and be informed.
If a post solves your question, please use the "Verify Answer" button.

The New Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up +1 Vote Down

Sign in to reply

Reject Answer

Cancel
0 Yoni26 2 months ago in reply to Qoosh

Yes we are using Teramind! Thank you! I will get in touch with support and Teramind.
Cancel
Vote Up +1 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Wayne H 1 month ago in reply to Qoosh
Same issue here. BSOD when using MS Edge to browse certain web pages.

In the mix:

Sophos Home

Recent Windows updates (March 2024)

Windows 10 and Windows 11 (virtual machines)

ESXi7

I'm not using TeraMind; I have no idea what it is even.

Crash Dump highlights:

PROCESS_NAME: SophosNtpServi

FAILURE_BUCKET_ID: AV_vmxnet3!unknown_function

(Happy to provide one or many dump files if needed).

Before identifying Sophos being in the mix (or the victim of Windows updates) I tried:

1. Upgrading ESXi7 to the latest 7.0U3p.

2. Changing NICs on the guests from E1000e to VMXNET3 (I have since changed back).

3. Updating NIC drivers (was possible after updating ESXi).

4. Removing Windows updates (seemed to fix initially, but later I still hit a BSOD - and besides, I can't hold those things off forever, due to MS update policies). - I suspect the uninstall didn't remove everything.

So, for now, unfortunately, my work around is to remove Sophos Home. (I don't see any other short term option).

Regards,

Wayne.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel