
SAV service hangs after installing KB4493472

Hello,

Last night one of my Windows 2008R2 servers hung after installing Microsoft patch KB4493472. After initial examination I discovered that the SAV service was logging lots of error messages in the event log. Event IDs: 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.

The server became unresponsive: no RDP, no file share access, Ctrl Alt Delete not working.

I rebooted the server into safe mode and disabled the Sophos services. After this, I was able to reboot normally. Then I uninstalled Sophos, rebooted and tried to install again, but this time the installation didn't complete and the server hung again. I rebooted again in safe mode, disabled services, rebooted and uninstalled Sophos again. After checking the Windows logs I realised that the server had installed update KB4493472 last night. I uninstalled the patch, rebooted and installed Sophos again. This time there was no problem.

Currently we are trying to unauthorise KB4493472 on our update system.

Are there any known issues with KB4493472 on Windows Server 2008R2?

Thank You.
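
The checks described in the post above (is KB4493472 installed, what state is the SAV service in, are 7022 hang events being logged), run across several machines. This is an added example, not part of the original thread; the host names are constructed placeholders and `SAVService` is assumed to be the name of the service behind SAVService.exe.

```powershell
# Added example, not from the thread. Assumptions: the host names are constructed
# placeholders, 'SAVService' is assumed to be the service behind SAVService.exe,
# and the account running this has admin rights on the targets.
$Computers = @('SERVER01', 'SERVER02')
$KbId      = 'KB4493472'
$Since     = (Get-Date).AddDays(-7)

$report = foreach ($c in $Computers) {
    $row = New-Object PSObject -Property @{
        Computer = $c; KbInstalled = 'QueryFailed'; SavService = 'Unknown'; Hangs7022 = 'Unknown'
    }
    try {
        # List all hotfixes and filter locally, so that "KB absent" (empty result)
        # is distinguishable from "host did not answer" (exception).
        $hotfixes = Get-HotFix -ComputerName $c -ErrorAction Stop
        $row.KbInstalled = [bool]($hotfixes | Where-Object { $_.HotFixID -eq $KbId })

        $svc = Get-Service -Name 'SAVService' -ComputerName $c -ErrorAction SilentlyContinue
        $row.SavService = if ($svc) { $svc.Status } else { 'NotFound' }

        # Event ID 7022 in the System log is the Service Control Manager's
        # "service hung on starting" record; this counts it for any service.
        $row.Hangs7022 = @(Get-WinEvent -ComputerName $c -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; Id = 7022; StartTime = $Since
        }).Count
    }
    catch {
        # A hung or unreachable host ends up here; keep the 'QueryFailed' marker.
    }
    $row
}

$report | Select-Object Computer, KbInstalled, SavService, Hangs7022 | Format-Table -AutoSize
```

Hosts that report `QueryFailed` did not answer the remote query at all and need checking by hand.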



  • Sophos Support seem to be replying with a default answer of "check the KB article".

    The KB Article has not been updated since 08:45. Can we have some sort of update please?

  • The only update at this stage is the one above yours. Microsoft will now block the affected update from installing on your machine if you have Sophos installed. There is no new news unfortunately that I know of. However, I don't know how Microsoft is blocking it; if you are using a WSUS server, maybe you need an update. In any case, I'd just avoid applying the affected update for now until they start communicating again.

  • Thanks Pez but that update doesn't help much when we have hundreds of machines on remote sites that picked up the update before that change was applied by Microsoft, and before we blocked the update in WSUS.

    The silence from Sophos is deafening at the moment.

  • Hello Papadug,

    silence from Sophos is deafening
    well, what should they say - or what else should they do? Apparently they have worked on the issue and provided sufficient evidence so that Microsoft not only acknowledges the problem in their articles but also blocks the patch. It's rumored that other vendors are affected as well.
    Please also note that it does not affect all machines (even with Sophos installed) and the impact varies - from boot problems to just "erratic" behaviour of SAV/SESC: On a machine that is otherwise working normally as far as I can tell the (re-)start of the SAVService.exe during an update takes about 20 minutes, resulting not only in the failed to connect to the on-access driver but also install errors. Appears to be rather complex ...

    Christian

  • Hi QC,

    They could give us updates on what they are doing, how far along they are with a fix (if there is one imminent), just basically keep us up to date on what's going on. It's not helping when even Support are telling us to check the KB article which hasn't been updated since 08:45.

    I don't doubt that they're working on the issue alongside Microsoft but keep us as customers in the loop. It's just frustrating when we have management looking for an update from Sophos and we have literally nothing new to give them since first thing this morning.

    As for other problems, I've noticed that it's not affecting all machines...and at the same time have seen an increase in the number of errors in Enterprise Console, including the failed to connect to the on-access driver error that you mentioned. Thank you for confirming that this might be related.

  • Hello Papadug,

    first of all, the failed to connect errors persist until you acknowledge them, please check the timestamps. I see machines that are up-to-date, on-access (and other features depending on savservice) active, and the last error from hours ago - thus apparently healthy.

    give us updates
    did you ever work on an emergency fix? Last thing you need is a manager who requests a status update every half an hour or someone from PR asking you for an ETA ;)
    Seriously, can't imagine what could be said at this point - we're right now investigating this dependency or that ... we're analyzing the 6.3 GB of trace data produced in the past hour ... or ? Takes probably some time to analyze the problem and then one can give an ETA and a progress report.

    Christian 

  • Hello Papadug,

    meanwhile the article has been updated. Not what you'd expect though and a little bit cryptic.

    Christian

  • well instead of us finding out via a forum, they should have emailed all their customers. we were fortunate. our reseller, CSA, emailed us to say they'd heard there was a problem. so they knew about it but people only found out if they had a problem, rather than being pro-actively warned.

    then there should be periodic updates, even if it's just "we're still working on it".

     

    yes i have worked on an emergency fix, and it's expected that a manager will ask for status updates, periodically. they often want an eta, but are satisfied "we don't know yet" and they pass that on to the affected users.

  • Great news that the article was updated yesterday afternoon...however there is no indication that it's been updated!

    The latest Update time still states 08:45 11/04/19.

    It's simple things like accurate update times that help us, the paying customer.