Windows 10 BSOD

HI 

Could you post your logs from HitMan Pro , Path of the logs is C:\ProgramData\HitmanPro.Alert\Logs , If you do not wish to post any sensitive information you may private message me with the link to this forum . 

Thanks and Regards

Aditya Patel | Network and Security engineer.

HI 

Could you post your logs from HitMan Pro , Path of the logs is C:\ProgramData\HitmanPro.Alert\Logs , If you do not wish to post any sensitive information you may private message me with the link to this forum . 

Thanks and Regards

Aditya Patel | Network and Security engineer.

Hi Aditya, 

Log contents below. The last entry is just before the BSOD. 

2016-10-30T11:51:03.717Z [Service] Startup (build 563)
2016-10-30T11:51:03.758Z [NewApplication] Browsers, $programfiles\Mozilla Firefox\firefox.exe (C:\Program Files (x86)\Mozilla Firefox\firefox.exe)
2016-10-30T11:51:03.814Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115103806-1.xml
2016-10-30T11:51:03.818Z [NewApplication] Plugins, $programfiles\Mozilla Firefox\plugin-container.exe (C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe)
2016-10-30T11:51:03.862Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115103855-2.xml
2016-10-30T11:51:03.869Z [NewApplication] Browsers, $programfiles\Google\Chrome\Application\chrome.exe (C:\Program Files (x86)\Google\Chrome\Application\chrome.exe)
2016-10-30T11:51:03.903Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115103896-3.xml
2016-10-30T11:51:03.910Z [NewApplication] Browsers, $programfiles\Internet Explorer\iexplore.exe (C:\Program Files\Internet Explorer\iexplore.exe)
2016-10-30T11:51:04.014Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104004-4.xml
2016-10-30T11:51:04.022Z [NewApplication] Browsers, $programfiles\Internet Explorer\iexplore.exe (C:\Program Files (x86)\Internet Explorer\iexplore.exe)
2016-10-30T11:51:04.094Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104088-5.xml
2016-10-30T11:51:04.100Z [NewApplication] Browsers, $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe (C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe)
2016-10-30T11:51:04.339Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104333-6.xml
2016-10-30T11:51:04.346Z [NewApplication] Browsers, $windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe (C:\WINDOWS\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe)
2016-10-30T11:51:04.374Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104366-7.xml
2016-10-30T11:51:04.381Z [NewApplication] Office, $programfiles\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe (C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe)
2016-10-30T11:51:04.488Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104482-8.xml
2016-10-30T11:51:04.495Z [NewApplication] Office, $programfiles\Microsoft Office\Root\Office16\WINWORD.EXE (C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE)
2016-10-30T11:51:04.557Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104551-9.xml
2016-10-30T11:51:04.564Z [NewApplication] Office, $programfiles\Microsoft Office\Root\Office16\EXCEL.EXE (C:\Program Files (x86)\Microsoft Office\Root\Office16\EXCEL.EXE)
2016-10-30T11:51:04.979Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115104972-10.xml
2016-10-30T11:51:04.985Z [NewApplication] Office, $programfiles\Microsoft Office\Root\Office16\POWERPNT.EXE (C:\Program Files (x86)\Microsoft Office\Root\Office16\POWERPNT.EXE)
2016-10-30T11:51:05.071Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105065-11.xml
2016-10-30T11:51:05.078Z [NewApplication] Office, $programfiles\Windows NT\Accessories\WORDPAD.EXE (C:\Program Files\Windows NT\Accessories\WORDPAD.EXE)
2016-10-30T11:51:05.165Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105160-12.xml
2016-10-30T11:51:05.172Z [NewApplication] Media, $programfiles\Windows Media Player\wmplayer.exe (C:\Program Files (x86)\Windows Media Player\wmplayer.exe)
2016-10-30T11:51:05.220Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105213-13.xml
2016-10-30T11:51:05.226Z [NewApplication] Media, $programfiles\VideoLAN\VLC\vlc.exe (C:\Program Files (x86)\VideoLAN\VLC\vlc.exe)
2016-10-30T11:51:05.259Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105253-14.xml
2016-10-30T11:51:05.268Z [NewApplication] Other, $programfiles\Skype\Phone\Skype.exe (C:\Program Files (x86)\Skype\Phone\Skype.exe)
2016-10-30T11:51:05.649Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105630-15.xml
2016-10-30T11:51:05.657Z [NewApplication] Java, $programfiles\java\jre1.8.0_111\bin\java.exe (c:\program files (x86)\java\jre1.8.0_111\bin\java.exe)
2016-10-30T11:51:05.739Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105733-16.xml
2016-10-30T11:51:05.745Z [NewApplication] Java, $programfiles\java\jre1.8.0_111\bin\javaw.exe (c:\program files (x86)\java\jre1.8.0_111\bin\javaw.exe)
2016-10-30T11:51:05.964Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115105956-17.xml
2016-10-30T11:51:05.971Z [NewApplication] Java, $programfiles\java\jre1.8.0_111\bin\javaws.exe (c:\program files (x86)\java\jre1.8.0_111\bin\javaws.exe)
2016-10-30T11:51:06.036Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115106030-18.xml
2016-10-30T11:51:06.043Z [NewApplication] Java, $programfiles\java\jre1.8.0_111\bin\jp2launcher.exe (c:\program files (x86)\java\jre1.8.0_111\bin\jp2launcher.exe)
2016-10-30T11:51:06.135Z [Sophos] dropped C:\ProgramData\HitmanPro.Alert\MCS\NewApp-20161030115106129-19.xml
2016-10-30T11:51:06.147Z [Service] Running
2016-10-30T11:51:06.391Z [Protected] PID 6324, Features 0300000000000106, C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
2016-10-30T11:51:06.876Z [Protected] PID 5344, Features 0300000000000106, C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
2016-10-30T11:51:07.112Z [Protected] PID 8984, Features 0300000000000102, C:\Windows\System32\conhost.exe
2016-10-30T11:51:07.201Z [Protected] PID 11216, Features 0300000000000106, C:\Program Files\Windows Defender\MpCmdRun.exe
2016-10-30T11:51:07.316Z [Protected] PID 7932, Features 0300000000000102, C:\Windows\SysWOW64\msiexec.exe
2016-10-30T11:51:07.628Z [Protected] PID 5412, Features 0300000000000102, C:\Windows\System32\msiexec.exe
2016-10-30T11:51:07.922Z [Protected] PID 1696, Features 0300000000000102, C:\Windows\System32\conhost.exe
2016-10-30T11:51:08.444Z [Protected] PID 5176, Features 0300000000000106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2016-10-30T11:51:08.518Z [Protected] PID 10548, Features 0300000000000106, C:\Windows\System32\dllhost.exe
2016-10-30T11:51:09.233Z [Protected] PID 12016, Features 030000000000010E, C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
2016-10-30T11:51:17.495Z [Protected] PID 3712, Features 0300000000000106, C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
2016-10-30T11:51:27.062Z [Protected] PID 2552, Features 0300000000000106, C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
2016-10-30T11:51:47.565Z [Protected] PID 5580, Features 0300000000000106, C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
2016-10-30T11:51:47.638Z [ApplyPolicy] success, C:\ProgramData\HitmanPro.Alert\policy_20161030115147
2016-10-30T11:51:47.793Z [Protected] PID 5160, Features 0000003000000106, C:\Program Files (x86)\HitmanPro.Alert\hmpalert.exe
2016-10-30T11:51:47.884Z [ApplyPolicy] success, C:\ProgramData\HitmanPro.Alert\policy_20161030115147
2016-10-30T11:51:52.280Z [Protected] PID 10012, Features 0000003000000106, C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
2016-10-30T11:51:52.479Z [Protected] PID 9224, Features 0000003000000106, C:\Program Files (x86)\Sophos\Sophos Anti-Virus\WSCClient.exe
2016-10-30T11:52:07.107Z [Protected] PID 9028, Features 0000003000000102, C:\Windows\System32\consent.exe
2016-10-30T11:52:07.784Z [Protected] PID 10588, Features 0000003000000106, C:\Windows\System32\dllhost.exe
2016-10-30T11:52:07.821Z [Protected] PID 5536, Features 0000003000000106, C:\Windows\System32\dllhost.exe
2016-10-30T11:52:09.432Z [Protected] PID 12276, Features 0000003000000102, C:\Windows\System32\notepad.exe
2016-10-30T11:52:32.750Z [Protected] PID 2780, Features 0000003000000106, C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
2016-10-30T11:52:48.297Z [Protected] PID 7188, Features 0000003000000102, C:\Windows\System32\conhost.exe
2016-10-30T11:52:48.343Z [Protected] PID 6348, Features 0000003000000102, C:\Windows\System32\schtasks.exe
2016-10-30T11:52:48.403Z [Protected] PID 6656, Features 0000003000000102, C:\Windows\System32\conhost.exe
2016-10-30T11:52:48.426Z [Protected] PID 2612, Features 0000003000000102, C:\Windows\System32\schtasks.exe
2016-10-30T11:53:00.150Z [Protected] PID 444, Features 0000003000000102, C:\Windows\System32\LogonUI.exe
2016-10-30T11:53:00.736Z [Protected] PID 4684, Features 0000003000000106, C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
2016-10-30T11:53:00.817Z [Protected] PID 7348, Features 0000003000000106, C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
2016-10-30T11:53:01.200Z [Protected] PID 9448, Features 0000003000000106, C:\Program Files (x86)\Steam\bin\cef\cef.winxp\steamwebhelper.exe
2016-10-30T11:53:01.821Z [Protected] PID 11076, Features 0000003000000102, C:\Windows\System32\SearchFilterHost.exe
2016-10-30T11:53:02.392Z [Protected] PID 9832, Features 000000361FBF0106, C:\Program Files (x86)\Skype\Phone\Skype.exe
2016-10-30T11:53:02.727Z [Protected] PID 7820, Features 0000003000000102, C:\Windows\System32\conhost.exe
2016-10-30T11:53:02.774Z [Protected] PID 1572, Features 0000003000000102, C:\Windows\System32\compattelrunner.exe
2016-10-30T11:53:07.319Z [Service] System shutdown
2016-10-30T11:53:07.319Z [Service] Stopping...
2016-10-30T11:53:08.100Z [Service] Stopped
2016-10-30T11:55:28.771Z [VerifyPolicy] success, C:\ProgramData\HitmanPro.Alert\policy_20161030115528

Thanks, 

Shane

HI Shane, 

Seems mosy of your Microsoft Applications were dropped and are you facing each time you reboot or the first time, Also I would suggest you to open a Service request and private message me the service request and the link to this thread for reference.

Thanks and Regards

Aditya Patel 

Hi Aditya, 

Every reboot it happens. I'll open a service request and send you on the details on Tuesday. 

Thanks

Shane

HI All, 

Seems the issue is occurred with the new Windows update Aniversary Edition 10  as they have added Digital Driver Verification check. It may such instance is added and would be rectified . But till then we have a workaround to disable such feature by following the Steps . 

On installation a number of messages appear on the Desktop advising 'A digitally signed driver is required'. The following drivers may be reported:

• SNTP Driver
• HitmanPro.Alert Support Driver
• Sophos Endpoint Defense Driver

This issue occurs on new installations of Windows Anniversary edition (version 1607) only, when Secure Boot is also enabled.

To resolve, choose one of the following options:

1. Disable Secure Boot as detailed in the following Microsoft article:
   
   https://technet.microsoft.com/en-us/library/dn481258.aspx
   
   Note: This will permanently disable the functionality. You may want to re-enable this functionality following the installation.
   
   
2. Change the startup settings:
   
   
   1. Press and hold the Shift key on your keyboard and click the Restart button.
   2. Choose Troubleshoot > Advanced options > Startup Settings and click the Restart button.
   3. When your computer restarts you’ll see a list of options. Press F7 on your keyboard to select Disable driver signature enforcement.
   4. Your computer will now restart and you’ll be able to install unsigned drivers.
      
      Note: This method temporarily disables driver signing enforcement so be sure to run the installation as soon as possible.
      
      
3. Use Command prompt:
   
   
   1. Press Windows Key + X to open Power User Menu. Select Command Prompt (Admin) from the menu.
   2. Type the following command then press Enter:
      
      bcdedit.exe /set nointegritychecks on
      
      Note: This disables driver signature enforcement permanently.
      
      
   3. To enable driver signature enforcement , open the Command Prompt as administrator, type the following command and press Enter:
      
      bcdedit.exe /set nointegritychecks off

After applying the workaround:

1. Double click the Sophos Endpoint icon to open the interface
2. Click the About link in the bottom right hand corner
3. Click Update Now to trigger an update and complete the installation

Let us know if you face the issue after the BUG Fix WINEP 6071. 

Thanks and regards

Aditya Patel

Thanks very much Aditya, much appreciated. 

I'd like some clarification on this, if possible.  I disabled Secure Boot and driver signing and was able to install just fine.  I even verified that the Hitman driver continued to work just fine for a day afterwards.  I re-enabled Secure Boot and driver signing and continued to run.  However this morning they started reporting that the Hitman Pro driver was no longer running.  I checked the logs and I see an update was pushed this morning which is the likely cause.

So if we want to run Intercept X, are we required to leave driver signing and secure boot disabled indefinitely?  That's not very acceptable if that's the case.

Are the working on getting this driver signed by MS?  That requirement was announced months ago, which should have been enough time for people to get that done through the dev portal.  I guess what I'm looking for is an answer regarding this problem going forward.

Is this a permanent thing, and if so, why do you include instructions on how to turn it back on?

I appreciate any direction you can point me with this.

Thank you.

HI AlexRomp, 

Nothing is permanent when you deal is computers and Network :) .We have provided a Work-around on this issue and Should be resolved with the next Windows Update . Furthermore if it did not work out we have a Bug mentioned and Is going to be fix soon. 

Thanks and Regards

Aditya Patel 

So just to confirm, we have to leave Secure Boot / Driver Signing disabled until this is fixed, right?  Because the article I found (which had the same instructions you list above) made it sound like I could re-enable it after doing the install.

Also, do you mean that Microsoft is going to fix this with an update?  It was my understanding that they were not going to change that policy, but instead it's actually going to continue to get more strict as time goes on.  From my understanding of the issue, it's because the Kernel Mode Driver used by HitmanPro wasn't signed by the MS dev portal, and not something to do with a pending MS Windows update.  Is that incorrect?

I appreciate the additional info you're providing.  It helps clarify these things.

Thanks!

HI Alex , 

It is actually a bug introduced in Win10 AU with Hyper-V enabled, and this bug in Win 10 AU is already fixed by Microsoft in Insider builds, You may upgrade your windows to the latest build and check my turning on the Driver Signature . 

Thanks and regards

Aditya Patel

Are you referring to KB3200970?  If so, I do have that installed.  Also, the machines in question do not have the Hyper-V role installed.