SAV service hangs after installing KB4493472

Question

Hello, 
 Last night one of my Windows 2008R2 servers hung after installing Microsoft patch KB4493472. After initial examination I discovered that SAV service was logging lots of error messages in event log. Event IDs : 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592. 
 The server became unresponsive, no rdp, no file share access, Ctrl Alt Delete not working. 
 I rebooted the server in to safe mode and disabled the Sophos services. After this, I was able to reboot normally. Then I uninstalled Sophos, rebooted and tried to install again but this time the installation didn't complete and the server hang again. I rebooted again in safe mode, disabled services, rebooted and uninstalled sophos again. After checking the Windows logs I realised that the server had installed update KB4493472 last night. I uninstalled the patch, rebooted and installed sophos again. This time there was no problem. 
 Currently we are trying to unauthorise KB4493472 on our update system. 
 Is there any known issues with KB4493472 on Windows Server 2008R2? 
 Thank You.

Gowtham Mani · Answer

Hi Everyone, 
 The reported issue is currently being investigated. 
 If you have not yet performed the update we recommend not doing so. If you have performed the update but not yet rebooted we recommend removing the update prior to rebooting. 
 If you have performed the update and have rebooted, triggering the issue: 
 
 Boot into safe mode 
 Disable the Sophos Anti-Virus service 
 Boot into normal mode 
 Uninstall the Windows KB 
 Enable the Sophos Anti-Virus service
 
 If enabled, Tamper Protection will need to be disabled to re-enable the service

Please follow the below KBA for more updates and workaround. 
 Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

PBJ_Family · Answer

I scripted some of the process if this will be helpful to anyone. Just simple bat files for Win7. 
 Log in as admin in safe mode and run bat file with these commands: 
 sc config SAVService start= disabled sc config "Sophos AutoUpdate Service" start= disabled shutdown -r -t 0 
 
 After reboot login as admin and run bat file with these: 
 net stop wuauserv 
 wusa.exe /uninstall /kb:4493472 /norestart sc config SAVService start= auto sc config "Sophos AutoUpdate Service" start= auto shutdown /r /t 0 
 
 Stopping the windows update service may not be necessary in that second set of commands but I find that manual installation of OS updates is faster using that so I used it here. There is a /quiet switch available for wusa.exe which you may want. This command as given here asks you to confirm you want to remove the update (after working on it for some minutes) which of course you do but in the event it doesn't find it, this version tells you that too, whereas I am not sure the /quiet switch would. I technically also use a pause command right before the reboot in mine so I can verify everything seemed to work correctly before I let it reboot. 
 As stated this is for win7, if you wanted to use it on a different version of windows or windows server you could just change the problematic KB number to whatever is appropriate for that version.

MichaelOwens · Answer

Been dealing with this for a bit. If you install the update without any user logged in, and let it restart, the patch should go through with no issue.

Gowtham Mani · Answer

Hi Everyone, 
 A script to recover the machine in Safe Mode or Windows has been updated in the KBA. 
 Note: This script will cause your machine to reboot. 
 
 If you are using Windows Server Update Services (WSUS) or third-party patch provider then please remove the updates from your approved list or de-authorise the updates from being applied to your machines - otherwise following the use of the script the offending Windows updates may be reinstalled 
 Download the script from here 
 Change the file extension from .txt to .bat 
 Copy the script to the affected machine and save it in the root of C:\ 
 Open an administrator command prompt 
 Run the below command
 
 C:\RemoveAprilWIndowsUpdates.bat

The script will run and should remove the required updates for your version of Windows and reboot the machine to complete the recovery 
 
 Please follow the KBA for more updates- Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

Gowtham Mani · Answer

Hi Everyone, 
 We appreciate your patience. Our team has been working non-stop to resolve the issue and we can now say confidently that we have identified the permanent fix and testing is underway. We plan to start automatically rolling out the fix to customers very soon, and if there are any cases where the update has to be manually applied, we will contact those customers directly. 
 The KBA will be updated as soon as possible once we have more information on the ETA and the Fix. 
 UPDATE: Sophos + Microsoft Windows April 9 update

Scott Graddy1 · Answer

Safe Mode would not work so I ran a repair from a CD and got to the Advanced Options where I could open a CMD prompt. Then using some suggestions, I performed the following and booted up just fine. 
 1) del C:\Windows\System32\Drivers\Sophosed.sys 
 2) copy C:\ProgramData\Sophos\AutoUpdate\Cache\decoded\sed64\Sophosed.sys C:\Windows\System32\Drivers\ 
 Restart