
SAV service hangs after installing KB4493472

Hello,

Last night one of my Windows 2008R2 servers hung after installing Microsoft patch KB4493472. After initial examination I discovered that the SAV service was logging lots of error messages in the event log. Event IDs: 7022 (service hang), 80, 81, 83, 85, 82, 566, 608, 592.

The server became unresponsive, no RDP, no file share access, Ctrl Alt Delete not working.

I rebooted the server into safe mode and disabled the Sophos services. After this, I was able to reboot normally. Then I uninstalled Sophos, rebooted and tried to install again but this time the installation didn't complete and the server hung again. I rebooted again in safe mode, disabled services, rebooted and uninstalled Sophos again. After checking the Windows logs I realised that the server had installed update KB4493472 last night. I uninstalled the patch, rebooted and installed Sophos again. This time there was no problem.

Currently we are trying to unauthorise KB4493472 on our update system.

Are there any known issues with KB4493472 on Windows Server 2008R2?

Thank You.



  • Hello Papadug,

    meanwhile the article has been updated. Not what you'd expect though and a little bit cryptic.

    Christian

  • I scripted some of the process if this will be helpful to anyone.  Just simple bat files for Win7.

    Log in as admin in safe mode and run bat file with these commands:

    sc config SAVService start= disabled

    sc config "Sophos AutoUpdate Service" start= disabled

    shutdown -r -t 0

     

    After reboot login as admin and run bat file with these:

    net stop wuauserv

    wusa.exe /uninstall /kb:4493472 /norestart

    sc config SAVService start= auto

    sc config "Sophos AutoUpdate Service" start= auto

    shutdown /r /t 0

     

    Stopping the windows update service may not be necessary in that second set of commands but I find that manual installation of OS updates is faster using that so I used it here.  There is a /quiet switch available for wusa.exe which you may want.  This command as given here asks you to confirm you want to remove the update (after working on it for some minutes) which of course you do but in the event it doesn't find it, this version tells you that too, whereas I am not sure the /quiet switch would.  I technically also use a pause command right before the reboot in mine so I can verify everything seemed to work correctly before I let it reboot.

    As stated this is for win7, if you wanted to use it on a different version of windows or windows server you could just change the problematic KB number to whatever is appropriate for that version.
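
Added example, not part of the post above or of the Sophos KBA script: a PowerShell version of the second step that checks whether each update is actually installed before calling wusa.exe, so a quiet run still reports the "not found" case, and that only re-enables the Sophos services if no removal failed. The KB numbers and service names are the ones quoted in this thread; it assumes an elevated prompt on Windows 7 / Server 2008 R2 where wusa.exe accepts /quiet for uninstalls.

```powershell
# Added example. KB numbers and service names are taken from this thread.
# Run elevated, after the safe-mode step has disabled the Sophos services.
$kbs      = 'KB4493472', 'KB4493448', 'KB4493435'
$services = 'SAVService', 'Sophos AutoUpdate Service'

function Remove-Update([string]$Kb) {
    # Get-HotFix returns nothing when the update is absent, which is the
    # case a quiet wusa.exe run would not show on screen.
    if (-not (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)) {
        return 'NotInstalled'
    }
    $number = $Kb -replace '^KB', ''
    $p = Start-Process -FilePath wusa.exe -Wait -PassThru `
         -ArgumentList '/uninstall', "/kb:$number", '/quiet', '/norestart'
    # 0 = removed, 3010 = removed but a reboot is required
    if ($p.ExitCode -eq 0 -or $p.ExitCode -eq 3010) { return 'Removed' }
    return "Failed($($p.ExitCode))"
}

$results = @{}
foreach ($kb in $kbs) {
    $results[$kb] = Remove-Update $kb
    Write-Host ("{0}: {1}" -f $kb, $results[$kb])
}

# Leave the services disabled if anything went wrong, so the machine
# does not hang at the next boot with the update still in place.
$failed = @($results.Values | Where-Object { $_ -like 'Failed*' })
if ($failed.Count -gt 0) {
    Write-Warning 'At least one update could not be removed; Sophos services left disabled.'
    exit 1
}

foreach ($name in $services) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Set-Service -Name $name -StartupType Automatic
        Write-Host "$name set to Automatic"
    }
}
Write-Host 'Review the results above, then reboot manually (shutdown /r /t 0).'
```

The script deliberately does not reboot, which matches the poster's habit of pausing to verify the output first.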

  • well instead of us finding out via a forum, they should have emailed all their customers. we were fortunate. our reseller, CSA, emailed us to say they'd heard there was a problem. so they knew about it but people only found out if they had a problem, rather than being pro-actively warned.

    then there should be periodic updates, even if it's just "we're still working on it".

     

    yes i have worked on an emergency fix, and it's expected that a manager will ask for status updates, periodically. they often want an eta, but are satisfied "we don't know yet" and they pass that on to the affected users.

  • Great news that the article was updated yesterday afternoon...however there is no indication that it's been updated!

    The latest Update time still states 08:45 11/04/19.

    It's simple things like accurate update times that help us, the paying customer.

  • Hello all,

    just in case someone is still struggling with endpoints running but showing errors like no On-Access scanning, update errors, SAV seemingly not installed, ... Running means at least being able to boot completely.
    I noticed that the updating errors were mainly caused by savservice.exe taking a long time to start (>15 minutes and even much longer). As our endpoints check for updates every 10 minutes I thought I should give increasing this interval a try. I put the mentioned exclusion for the SAV folder in place (can't say if it is needed), increased the schedule to 1 hour and waited. All affected machines (Win7, Win10, Server2k8R2) recovered without any other intervention. Can't say if they will also reboot without a problem but I assume they'll do.

    Christian

  • Absent of any information from Microsoft, I took a different approach initially, and I'm seeing some other after-effects.  I've been studying the results with a site that I support.  Here are my observations.

     

    - Initially, I recommended not interrupting the apparent hang during Windows startup.  It was painful to wait, but eventually, the update process completed.

    - Despite recommending not forcing the systems off, I've found that some users did force power off systems, which I believe delayed the process from completing.

    - Restarting after waiting resulted in an additional extended startup.

    - When the system finally allowed access - two additional problems were observed - MS Office and Office-connected programs would hang or report not responding.  I also saw some problems with offline synced folders.  By "Office-connected programs", I'm referring to software that may share libraries with MS Office.

    - Running a MS Office Quick Repair restored proper operation to MS Office and Office-connected programs.

    - For the offline synced folders, this may or may not be a related problem, but I had to move the offline synced folders to another share because the original share was not accessible for one user.

  • Is anyone having issues even after following everything?

    We have about 200 affected machines. System restore has solved most of our issues. We've been removing KB4493472 (and KB4493448) on PCs that SR doesn't work on.

    But after removing both updates and re-enabling savservice, it still hangs at login. We even added the exclusions.

    How can it still be happening after the updates are removed?

  • Can you explain how to extend the update check? Thanks!

  • Have you prevented the machines from picking up the update again before you uninstall them? Are you using something like WSUS?

     

    We've been removing the KB4493435 update as well as we had heard it may also be causing problems. Might be worth trying to remove it as well.

  • Hi Everyone,

    A script to recover the machine in Safe Mode or Windows has been updated in the KBA. 

    Note: This script will cause your machine to reboot.

    1. If you are using Windows Server Update Services (WSUS) or third-party patch provider then please remove the updates from your approved list or de-authorise the updates from being applied to your machines - otherwise following the use of the script the offending Windows updates may be reinstalled
    2. Download the script from here
    3. Change the file extension from .txt to .bat
    4. Copy the script to the affected machine and save it in the root of C:\
    5. Open an administrator command prompt
    6. Run the below command
      • C:\RemoveAprilWIndowsUpdates.bat
    7. The script will run and should remove the required updates for your version of Windows and reboot the machine to complete the recovery

    Please follow the KBA for more updates: Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update

    Regards,

    Gowtham Mani
    Community Support Engineer | Sophos Technical Support
