This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Windows 10 BSOD

Hi, 

Signed up for a trial of Sophos Endpoint Cloud and installed onto my home Windows 10 Pro PC. After the first reboot, it would always BSOD just before it would show the login screen. The only way to stop this happening was disable the Hitman Pro service. The BSOD would show memory management as the error. 

My PC comes up clean with other AV scans. Some other employees have installed it without problems and i'm going to try on my laptop later. 

Wanted to flag this in case anyone else came across the problem. I haven't found out the reason for it but i haven't had a chance to look at the memory dump yet. 

 



This thread was automatically locked due to age.
Parents
  • HI 

    Could you post your logs from HitMan Pro , Path of the logs is C:\ProgramData\HitmanPro.Alert\Logs , If you do not wish to post any sensitive information you may private message me with the link to this forum . 

    Thanks and Regards

    Aditya Patel | Network and Security engineer.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hi Aditya, 

     

    Log contents below. The last entry is just before the BSOD. 

     

    2016-10-30T11:51:03.717Z [Service] Startup (build 563)
    2016-10-30T11:51:03.758Z [NewApplication] Browsers, $programfiles\Mozilla Firefox\firefox.exe (C:\Program Files (x86)\Mozilla Firefox\firefox.exe)
    2016-10-30T11:51:03.814Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115103806-1.xml
    2016-10-30T11:51:03.818Z [NewApplication] Plugins, $programfiles\Mozilla Firefox\plugin-container.exe (C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe)
    2016-10-30T11:51:03.862Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115103855-2.xml
    2016-10-30T11:51:03.869Z [NewApplication] Browsers, $programfiles\Google\Chrome\Application\chrome.exe (C:\Program Files (x86)\Google\Chrome\Application\chrome.exe)
    2016-10-30T11:51:03.903Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115103896-3.xml
    2016-10-30T11:51:03.910Z [NewApplication] Browsers, $programfiles\Internet Explorer\iexplore.exe (C:\Program Files\Internet Explorer\iexplore.exe)
    2016-10-30T11:51:04.014Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104004-4.xml
    2016-10-30T11:51:04.022Z [NewApplication] Browsers, $programfiles\Internet Explorer\iexplore.exe (C:\Program Files (x86)\Internet Explorer\iexplore.exe)
    2016-10-30T11:51:04.094Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104088-5.xml
    2016-10-30T11:51:04.100Z [NewApplication] Browsers, $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe)
    2016-10-30T11:51:04.339Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104333-6.xml
    2016-10-30T11:51:04.346Z [NewApplication] Browsers, $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe)
    2016-10-30T11:51:04.374Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104366-7.xml
    2016-10-30T11:51:04.381Z [NewApplication] Office, $programfiles\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe)
    2016-10-30T11:51:04.488Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104482-8.xml
    2016-10-30T11:51:04.495Z [NewApplication] Office, $programfiles\Microsoft Office\Root\Office16\WINWORD.EXE (C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE)
    2016-10-30T11:51:04.557Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104551-9.xml
    2016-10-30T11:51:04.564Z [NewApplication] Office, $programfiles\Microsoft Office\Root\Office16\EXCEL.EXE (C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE)
    2016-10-30T11:51:04.979Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104972-10.xml
    2016-10-30T11:51:04.985Z [NewApplication] Office, $programfiles\Microsoft Office\Root\Office16\POWERPNT.EXE (C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE)
    2016-10-30T11:51:05.071Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105065-11.xml
    2016-10-30T11:51:05.078Z [NewApplication] Office, $programfiles\Windows NT\Accessories\WORDPAD.EXE (C:\Program Files\Windows NT\Accessories\WORDPAD.EXE)
    2016-10-30T11:51:05.165Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105160-12.xml
    2016-10-30T11:51:05.172Z [NewApplication] Media, $programfiles\Windows Media Player\wmplayer.exe (C:\Program Files (x86)\Windows Media Player\wmplayer.exe)
    2016-10-30T11:51:05.220Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105213-13.xml
    2016-10-30T11:51:05.226Z [NewApplication] Media, $programfiles\VideoLAN\VLC\vlc.exe (C:\Program Files (x86)\VideoLAN\VLC\vlc.exe)
    2016-10-30T11:51:05.259Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105253-14.xml
    2016-10-30T11:51:05.268Z [NewApplication] Other, $programfiles\Skype\Phone\Skype.exe (C:\Program Files (x86)\Skype\Phone\Skype.exe)
    2016-10-30T11:51:05.649Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105630-15.xml
    2016-10-30T11:51:05.657Z [NewApplication] Java, $programfiles\java\jre1.8.0_111\bin\java.exe (c:\program files (x86)\java\jre1.8.0_111\bin\java.exe)
    2016-10-30T11:51:05.739Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105733-16.xml
    2016-10-30T11:51:05.745Z [NewApplication] Java, $programfiles\java\jre1.8.0_111\bin\javaw.exe (c:\program files (x86)\java\jre1.8.0_111\bin\javaw.exe)
    2016-10-30T11:51:05.964Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105956-17.xml
    2016-10-30T11:51:05.971Z [NewApplication] Java, $programfiles\java\jre1.8.0_111\bin\javaws.exe (c:\program files (x86)\java\jre1.8.0_111\bin\javaws.exe)
    2016-10-30T11:51:06.036Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115106030-18.xml
    2016-10-30T11:51:06.043Z [NewApplication] Java, $programfiles\java\jre1.8.0_111\bin\jp2launcher.exe (c:\program files (x86)\java\jre1.8.0_111\bin\jp2launcher.exe)
    2016-10-30T11:51:06.135Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115106129-19.xml
    2016-10-30T11:51:06.147Z [Service] Running
    2016-10-30T11:51:06.391Z [Protected] PID 6324, Features 0300000000000106, C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    2016-10-30T11:51:06.876Z [Protected] PID 5344, Features 0300000000000106, C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
    2016-10-30T11:51:07.112Z [Protected] PID 8984, Features 0300000000000102, C:\Windows\System32\conhost.exe
    2016-10-30T11:51:07.201Z [Protected] PID 11216, Features 0300000000000106, C:\Program Files\Windows Defender\MpCmdRun.exe
    2016-10-30T11:51:07.316Z [Protected] PID 7932, Features 0300000000000102, C:\Windows\SysWOW64\msiexec.exe
    2016-10-30T11:51:07.628Z [Protected] PID 5412, Features 0300000000000102, C:\Windows\System32\msiexec.exe
    2016-10-30T11:51:07.922Z [Protected] PID 1696, Features 0300000000000102, C:\Windows\System32\conhost.exe
    2016-10-30T11:51:08.444Z [Protected] PID 5176, Features 0300000000000106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    2016-10-30T11:51:08.518Z [Protected] PID 10548, Features 0300000000000106, C:\Windows\System32\dllhost.exe
    2016-10-30T11:51:09.233Z [Protected] PID 12016, Features 030000000000010E, C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
    2016-10-30T11:51:17.495Z [Protected] PID 3712, Features 0300000000000106, C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
    2016-10-30T11:51:27.062Z [Protected] PID 2552, Features 0300000000000106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
    2016-10-30T11:51:47.565Z [Protected] PID 5580, Features 0300000000000106, C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    2016-10-30T11:51:47.638Z [ApplyPolicy] success, C:\ProgramData\HitmanPro.Alert\policy_20161030115147
    2016-10-30T11:51:47.793Z [Protected] PID 5160, Features 0000003000000106, C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
    2016-10-30T11:51:47.884Z [ApplyPolicy] success, C:\ProgramData\HitmanPro.Alert\policy_20161030115147
    2016-10-30T11:51:52.280Z [Protected] PID 10012, Features 0000003000000106, C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
    2016-10-30T11:51:52.479Z [Protected] PID 9224, Features 0000003000000106, C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
    2016-10-30T11:52:07.107Z [Protected] PID 9028, Features 0000003000000102, C:\Windows\System32\consent.exe
    2016-10-30T11:52:07.784Z [Protected] PID 10588, Features 0000003000000106, C:\Windows\System32\dllhost.exe
    2016-10-30T11:52:07.821Z [Protected] PID 5536, Features 0000003000000106, C:\Windows\System32\dllhost.exe
    2016-10-30T11:52:09.432Z [Protected] PID 12276, Features 0000003000000102, C:\Windows\System32\notepad.exe
    2016-10-30T11:52:32.750Z [Protected] PID 2780, Features 0000003000000106, C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    2016-10-30T11:52:48.297Z [Protected] PID 7188, Features 0000003000000102, C:\Windows\System32\conhost.exe
    2016-10-30T11:52:48.343Z [Protected] PID 6348, Features 0000003000000102, C:\Windows\System32\schtasks.exe
    2016-10-30T11:52:48.403Z [Protected] PID 6656, Features 0000003000000102, C:\Windows\System32\conhost.exe
    2016-10-30T11:52:48.426Z [Protected] PID 2612, Features 0000003000000102, C:\Windows\System32\schtasks.exe
    2016-10-30T11:53:00.150Z [Protected] PID 444, Features 0000003000000102, C:\Windows\System32\LogonUI.exe
    2016-10-30T11:53:00.736Z [Protected] PID 4684, Features 0000003000000106, C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    2016-10-30T11:53:00.817Z [Protected] PID 7348, Features 0000003000000106, C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
    2016-10-30T11:53:01.200Z [Protected] PID 9448, Features 0000003000000106, C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe
    2016-10-30T11:53:01.821Z [Protected] PID 11076, Features 0000003000000102, C:\Windows\System32\SearchFilterHost.exe
    2016-10-30T11:53:02.392Z [Protected] PID 9832, Features 000000361FBF0106, C:\Program Files (x86)\Skype\Phone\Skype.exe
    2016-10-30T11:53:02.727Z [Protected] PID 7820, Features 0000003000000102, C:\Windows\System32\conhost.exe
    2016-10-30T11:53:02.774Z [Protected] PID 1572, Features 0000003000000102, C:\Windows\System32\compattelrunner.exe
    2016-10-30T11:53:07.319Z [Service] System shutdown
    2016-10-30T11:53:07.319Z [Service] Stopping...
    2016-10-30T11:53:08.100Z [Service] Stopped
    2016-10-30T11:55:28.771Z [VerifyPolicy] success, C:\ProgramData\HitmanPro.Alert\policy_20161030115528

     

     

    Thanks, 

    Shane

  • HI Shane, 

    Seems mosy of your Microsoft Applications were dropped and are you facing each time you reboot or the first time, Also I would suggest you to open a Service request and private message me the service request and the link to this thread for reference.

    Thanks and Regards

    Aditya Patel 

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Hi Aditya, 

    Every reboot it happens. I'll open a service request and send you on the details on Tuesday. 

     

    Thanks

    Shane

  • HI All, 

    Seems the issue is occurred with the new Windows update Aniversary Edition 10  as they have added Digital Driver Verification check. It may such instance is added and would be rectified . But till then we have a workaround to disable such feature by following the Steps . 

    On installation a number of messages appear on the Desktop advising 'A digitally signed driver is required'. The following drivers may be reported:

    • SNTP Driver
    • HitmanPro.Alert Support Driver
    • Sophos Endpoint Defense Driver

    This issue occurs on new installations of Windows Anniversary edition (version 1607) only, when Secure Boot is also enabled.

    To resolve, choose one of the following options:

    1. Disable Secure Boot as detailed in the following Microsoft article:

      https://technet.microsoft.com/en-us/library/dn481258.aspx

      Note: This will permanently disable the functionality. You may want to re-enable this functionality following the installation.

    2. Change the startup settings:

      1. Press and hold the Shift key on your keyboard and click the Restart button.
      2. Choose Troubleshoot > Advanced options > Startup Settings and click the Restart button.
      3. When your computer restarts you’ll see a list of options. Press F7 on your keyboard to select Disable driver signature enforcement.
      4. Your computer will now restart and you’ll be able to install unsigned drivers.

        Note: This method temporarily disables driver signing enforcement so be sure to run the installation as soon as possible.

    3. Use Command prompt:

      1. Press Windows Key + X to open Power User Menu. Select Command Prompt (Admin) from the menu.
      2. Type the following command then press Enter:

        bcdedit.exe /set nointegritychecks on

        Note: This disables driver signature enforcement permanently.

      3. To enable driver signature enforcement , open the Command Prompt as administrator, type the following command and press Enter:

        bcdedit.exe /set nointegritychecks off

    After applying the workaround:

    1. Double click the Sophos Endpoint icon to open the interface
    2. Click the About link in the bottom right hand corner
    3. Click Update Now to trigger an update and complete the installation

    Let us know if you face the issue after the BUG Fix WINEP 6071. 

    Thanks and regards

    Aditya Patel

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Thanks very much Aditya, much appreciated. 

  • I'd like some clarification on this, if possible.  I disabled Secure Boot and driver signing and was able to install just fine.  I even verified that the Hitman driver continued to work just fine for a day afterwards.  I re-enabled Secure Boot and driver signing and continued to run.  However this morning they started reporting that the Hitman Pro driver was no longer running.  I checked the logs and I see an update was pushed this morning which is the likely cause.

    So if we want to run Intercept X, are we required to leave driver signing and secure boot disabled indefinitely?  That's not very acceptable if that's the case.

    Are the working on getting this driver signed by MS?  That requirement was announced months ago, which should have been enough time for people to get that done through the dev portal.  I guess what I'm looking for is an answer regarding this problem going forward.

    Is this a permanent thing, and if so, why do you include instructions on how to turn it back on?

    I appreciate any direction you can point me with this.

    Thank you.

Reply
  • I'd like some clarification on this, if possible.  I disabled Secure Boot and driver signing and was able to install just fine.  I even verified that the Hitman driver continued to work just fine for a day afterwards.  I re-enabled Secure Boot and driver signing and continued to run.  However this morning they started reporting that the Hitman Pro driver was no longer running.  I checked the logs and I see an update was pushed this morning which is the likely cause.

    So if we want to run Intercept X, are we required to leave driver signing and secure boot disabled indefinitely?  That's not very acceptable if that's the case.

    Are the working on getting this driver signed by MS?  That requirement was announced months ago, which should have been enough time for people to get that done through the dev portal.  I guess what I'm looking for is an answer regarding this problem going forward.

    Is this a permanent thing, and if so, why do you include instructions on how to turn it back on?

    I appreciate any direction you can point me with this.

    Thank you.

Children
  • HI AlexRomp, 

    Nothing is permanent when you deal is computers and Network :) .We have provided a Work-around on this issue and Should be resolved with the next Windows Update . Furthermore if it did not work out we have a Bug mentioned and Is going to be fix soon. 

    Thanks and Regards

    Aditya Patel 

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • So just to confirm, we have to leave Secure Boot / Driver Signing disabled until this is fixed, right?  Because the article I found (which had the same instructions you list above) made it sound like I could re-enable it after doing the install.

    Also, do you mean that Microsoft is going to fix this with an update?  It was my understanding that they were not going to change that policy, but instead it's actually going to continue to get more strict as time goes on.  From my understanding of the issue, it's because the Kernel Mode Driver used by HitmanPro wasn't signed by the MS dev portal, and not something to do with a pending MS Windows update.  Is that incorrect?

    I appreciate the additional info you're providing.  It helps clarify these things.

    Thanks!

  • HI Alex , 

    It is actually a bug introduced in Win10 AU with Hyper-V enabled, and this bug in Win 10 AU is already fixed by Microsoft in Insider builds, You may upgrade your windows to the latest build and check my turning on the Driver Signature . 

    Thanks and regards

    Aditya Patel

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.

  • Are you referring to KB3200970?  If so, I do have that installed.  Also, the machines in question do not have the Hyper-V role installed.