This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SAV service hangs after installing KB4493472

Hello,

Last night one of my Windows 2008R2 servers hung after installing Microsoft patch KB4493472. After initial examination I discovered that SAV service was logging lots of error messages in event log. Event IDs : 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.

The server became unresponsive, no rdp, no file share access, Ctrl Alt Delete not working.

I rebooted the server in to safe mode and disabled the Sophos services. After this, I was able to reboot normally. Then I uninstalled Sophos, rebooted and tried to install again but this time the installation didn't complete and the server hang again. I rebooted again in safe mode, disabled services, rebooted and uninstalled sophos again. After checking the Windows logs I realised that the server had installed update KB4493472 last night. I uninstalled the patch, rebooted and installed sophos again. This time there was no problem.

Currently we are trying to unauthorise KB4493472 on our update system.

Is there any known issues with KB4493472 on Windows Server 2008R2?

Thank You.



This thread was automatically locked due to age.
Parents
  • The KB has been updated again:

    Note:

    • This automatic update will take place on all supported versions of Enterprise Console, version 5.4.1 and above.
    • This update will only occur when you're Sophos Update Manager (SUM) performs an update as part of the configured scheduled update interval. To receive this update as soon as possible you may need to reduce the schedule.
    • For Enterprise Console 5.4.1, the modified policy will not automatically be sent to your computers. This will result in a 'Differs from Policy' status being alerted against your managed computers. To resolve you will need to push out the policy to your computers via the 'Comply with Group Anti-Virus and HIPS policy' option.
    • If you already have exclusions in place matching those listed above, we will not perform this action.
    • Sophos will automatically remove the exclusions at a later date. This article will be updated to advise when this takes place.
    • Sophos recommends enabling enhanced tamper protection on your managed computers. For further information see Sophos Endpoint Defense: How to enable Enhanced Tamper Protection.

    So basically, it's just saying those 2 folders will be pushes to everyone endpoints exclusions automatically.

Reply
  • The KB has been updated again:

    Note:

    • This automatic update will take place on all supported versions of Enterprise Console, version 5.4.1 and above.
    • This update will only occur when you're Sophos Update Manager (SUM) performs an update as part of the configured scheduled update interval. To receive this update as soon as possible you may need to reduce the schedule.
    • For Enterprise Console 5.4.1, the modified policy will not automatically be sent to your computers. This will result in a 'Differs from Policy' status being alerted against your managed computers. To resolve you will need to push out the policy to your computers via the 'Comply with Group Anti-Virus and HIPS policy' option.
    • If you already have exclusions in place matching those listed above, we will not perform this action.
    • Sophos will automatically remove the exclusions at a later date. This article will be updated to advise when this takes place.
    • Sophos recommends enabling enhanced tamper protection on your managed computers. For further information see Sophos Endpoint Defense: How to enable Enhanced Tamper Protection.

    So basically, it's just saying those 2 folders will be pushes to everyone endpoints exclusions automatically.

Children
  • Hello all,

    an update that will automatically add the following Windows exclusions
    I wasn't aware that such a feature exists, apparently (For Enterprise Console 5.4.1, the modified policy will not automatically be sent) it has gradually been implemented.

    Anyway, they haven't been added to all AV policies - while this is expected for policies that have exclusions in place matching those listed the exclusions are missing from some of the policies. Couldn't find a pattern though.

    Christian

  • Adding sophos dirs exclusions fixes nothing so ... what's next ???

  • Hello Fx0d (and other still having problems),

    Adding sophos dirs
    is yours a Central or SEC/SESC installation? Anyway, for both the exclusions should have been added automatically.

    fixes nothing
    what are the symptoms? Do I understand correctly that your main problem is booting up? Boot loop or seemingly not finishing boot-up so that login is not possible?
    Or are they at least running and reporting to the console?

    Christian