
Windows Start Menu Locked Up, unable to restart machine.

Have a situation where installing SOPHOS causes the Start Menu of Windows 10 1709 to stop working, also seems to stop all "User Experience" things, such as Settings Page etc. When you try to restart, you get the error:

task host is stopping background tasks windows 10 Device install reboot required

You have to hard kill it to reboot/shutdown the machine. 

This is a fresh installation of USB
Installed Acrobat Reader, Media Player Classic, IrfanView, Greenshot, Chrome and Java.

Used the new Deployment from SOPHOS MSP Admin Console and the "Download Complete Windows Installer"

Used the following command to install:
SophosSetup.exe --customertoken="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --mgmtserver="dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com" --products="antivirus;intercept" --quiet

I seem to be able to "jostle" the start menu by right clicking on the start button.  

At this stage, I am unable to install SOPHOS AV



  • Hi All,

    I installed Windows 1703 and replicated all previous steps I took with 1709.  

    It installed fine, and after the reboot no issues. 

    The issue has something to do with 1709.

  • Apologies, I did not explain this too well. I have one user where if we shut down and start it up each day, it generally works OK, but will fail if a restart is done for whatever reason. We suspect other users are doing this. Another system seems to fail more consistently whether starting up or doing a reboot. We spent a lot of time rebuilding systems trying to isolate the issue and found adding a second Windows user profile helped a little instead of shutting down and rebooting each time trying to get it to work. So log out of one profile and into the second one and back again and this seems... to work, well as a poor workaround I know. Kevin
  • I ran into this mid-October.  I downloaded the latest ISO from MS under SPLA and used that install. I fully deployed the machine, and installed SOPHOS, great. I then was about to ship to client when I forgot to install some custom app they use.  When I went to install it, Start Button wasn't working.  I spent a good 4-5 hours working on the assumption that Windows was faulty. (I couldn't understand how a fresh install could go so wrong).  In this time, I reinstalled the machine following the exact steps, same issue. So I knew it wasn't a bad install etc.

    After giving up, I Re-Installed again and noticed that it only happened when SOPHOS was installed and rebooted.

    I then downloaded the prior version of Windows, installed SOPHOS and no issue.  I then updated to 1709 and it was stable and fine.

    My laptop, which I had to remove SOPHOS from was installed over a year ago, so the version of Windows 10 has no issues with SOPHOS, but just 2 days ago, I had the exact issue, start button dead unless I spam right click to make it come to life a bit, Windows Apps gone, everything running in slow motion.

    I am now DEEPLY concerned I am going to be getting support calls about this, and I have no recourse but to remove SOPHOS. EMBARRASSING!!!!!!!!!!!!!

  • Yes we are in the same boat. We are new partners and luckily have only deployed about 8 sites. Still enough to be bad although right now the only thing saving us is these users mostly have not been forced to update to the latest Windows OS. With that said we have already been absolutely roasted by the companies having the issue. Several folks were down all day before we could figure out what was going on. All happening on new machines but was it caused by removal of old product (Intune) etc.

     

    We then started deploying on fully updated machines in the lab and that did not go well.

     

    Oddly I can confirm that I just took a machine that was totally whacked, logged in as administrator (had not been used at all), shut down, cold boot, logged in as whacked user and it seems fine now. WTH

    I can say that some of the machines we had issues with did not show the problems right away so it remains to be seen if this holds up.

    If this was reported that long ago and not looked into deeply I am a bit shocked.

  • I totally agree, like you and others we cannot leave systems unprotected. We are a new Sophos customer only since November. I stuck my neck out to get Sophos and now we have this. I will be talking to my supplier tomorrow as well as logging a case and escalating it, as I guess this is the only way to get priority for a resolution.
  • I've logged an urgent case here in the UK, I've been doing various tests for the support here. The L2 support seem to be aware or have heard of this issue. Does anyone know if this issue has already been escalated and if so any numbers so we can attach? My support case is: #7862295

    Regards

    Kevin

  • We are facing the same issue with different fresh installs of Windows 10 and re-installs of EPA.

    Machine performance goes down and Start Menu freezes. 

  • Hi Michael,

    Yep totally agree this is what we are experiencing as well. This morning I have a newly built system with pretty much nothing else installed other than Sophos and it freezes in the same way, Start menus, Edge and Settings.

    I have a case open here with support; they are investigating my procmon outputs and SDU logs.

    Regards

    kevin

  • Any Updates?

    Everyone I was in contact with seems to have gone dark.

    I was able to try an older computer this weekend. I installed Sophos then the 1709 update and it seemed to work, although there was a revision update to the client and it was installed without IX

  • No, I still have the same issue. I think I have worked it out. 

     

    It is the same issue SOPHOS originally had, Windows Defender.

    Even though SOPHOS disables certain things, Defender is still running, more specifically, Exploitation Protection by Windows Defender.

    I went through and disabled these AND THEN I went to GPO and disabled it there. 

    After reboot, my start button worked.  Unsure if co-incidence or not, or if it actually fixed, did this last night.

  • Hi all, Sophos got back to me today and advised to just install only the advanced endpoint and not Intercept x or login with non-admin accounts. It is escalated to the Dev team. We can’t work with non-admin accounts so I’m taking Intercept x off the failing systems. They could not give an approx time for a patch but this is what they are working towards with MS. Kevin
  • Okay thanks for the info...

     

    Windows Defender I don't think is the issue; we have had issues with and without.

     

    You must be special, we had this opened for weeks and can't even get an update.

    I can confirm in each instance we log out and back in to a new profile it seems to work. We are trying a beta release but we did not get clear indication if that is a shot in the dark or an actual fix. We have not received any feedback about what exactly or superficially causing the issue, at this point we are assuming it's a guess.

  • I have little faith in SOPHOS support. I just don't have the time to invest helping them, I am by myself with over 200 seats, I'm just trying to get myself out of trouble

     

    I am curious, did you try the Defender thing?

    If you go to Defender Security Settings

    App & Browser Control, Exploit.  Turn it all off.

    Then, in gpedit.msc

    Comp Conf -> Admin -> Win Comp -> Windows Def Anti V

    Turn off Win Def Anti V

     

    I am really keen to see if this fixes it, 2nd machine that had an issue, that I did this, and it seems OK. 

     

    Maybe I am special, and everything is just a co-incidence lol
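
A read-only check of the settings that the workaround in the post above changes, added here as an example and not part of the original thread or of any Sophos tooling. It assumes the standard Defender and ProcessMitigations cmdlets on Windows 10 and the policy registry value behind "Turn off Windows Defender Antivirus"; the function name is hypothetical.

```powershell
# Added example (not from the thread): read-only report of the settings the
# workaround above touches. It changes nothing on the machine.
function Get-DefenderWorkaroundState {
    [CmdletBinding()]
    param()

    # Windows 10 release (e.g. 1703, 1709), read from the registry.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Value written by the "Turn off Windows Defender Antivirus" policy setting.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' `
        -Name DisableAntiSpyware -ErrorAction SilentlyContinue

    # Defender's own status; the cmdlet fails when the Defender service is off.
    $mp = $null
    try { $mp = Get-MpComputerStatus -ErrorAction Stop } catch { }

    # System-wide Exploit protection settings (cmdlet is present on 1709 and later).
    $mit = $null
    if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
        $mit = Get-ProcessMitigation -System
    }

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        WindowsRelease           = $cv.ReleaseId
        DefenderDisabledByPolicy = ($null -ne $policy -and $policy.DisableAntiSpyware -eq 1)
        RealTimeProtection       = if ($mp)  { $mp.RealTimeProtectionEnabled } else { 'unavailable' }
        AntivirusEnabled         = if ($mp)  { $mp.AntivirusEnabled }          else { 'unavailable' }
        DEP                      = if ($mit) { "$($mit.DEP.Enable)" }          else { 'unavailable' }
        ASLR_BottomUp            = if ($mit) { "$($mit.ASLR.BottomUp)" }       else { 'unavailable' }
        CFG                      = if ($mit) { "$($mit.CFG.Enable)" }          else { 'unavailable' }
        SEHOP                    = if ($mit) { "$($mit.SEHOP.Enable)" }        else { 'unavailable' }
    }
}

Get-DefenderWorkaroundState | Format-List
```

Saving this output per machine before and after the change gives a record of which systems have protections switched off and need them restored once a vendor fix is available.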

  • I did do this but after the fact. Perhaps this needs to be done on the machine and then the Sophos install?

    I did it with the local GP because I only have the test lab, no domain for this currently.

    What I can say with certainty any other product like ccleaner, malwarebytes, acronis 2018 etc. causes major panic so I started with Defender.

    With that said it clearly states on Sophos related sites that it will work in conjunction with Defender and is made to do so.

  • Ok, fair enough, I'm on machine 3 with success.  Interestingly, on the 3rd, I had to ENABLE it, turn off Exploit and then disable it via GPO.

    It definitely feels like a Windows Driver / Filter issue, so it is beyond direct control, you have to tinker with stuff on the surface to get it to change / remove filters at the bottom near the Kernel, though, I could be 100% wrong.  As said, 3rd machine fixed, at least I have something to play with to get it to work for the clients that complain.

  • One more thing to add: I did discover on two machines the system interrupt was 100% the CPU, for what it's worth.

  • Hi Kevin,

    Is there any way you can tell me the case reference number?

    I have wholesale given up on support, so good on you for going through that nightmare.

    My Sales Manager wants to know

  • We have had this in for weeks now. I am not trying to turn this in to a Sophos bash but the last I heard from support was try the beta with no reasoning as to why.

    When I asked "what did development say"? He said "I have not asked development." which of course there is no excuse for. This was after supplying logs and diags from multiple machines followed by a long period of silence. I can certainly see why you can take the stance of giving up especially if you are being flamed by customers. We got our a**** lit up.

     

    7849617

  • Hi Burt, My case ID with Sophos support is #7862295. I've been following your comments and excellent work you have done and it seems like I will need to try the same solution with disabling Windows Defender, because I cannot wait for months for a solution from Sophos. We are still new to Sophos, only since last November so I appreciate you have more experience with their support delivering a timely solution than I do. I have involved my reseller today so maybe they can add some pressure to Sophos. Regards Kevin
  • This is really not a SOPHOS support bashing thing, I really want to dispel this.  I love SOPHOS, I have been around when they took over Astaro, whose Support was just as bad lol

    I have given too much time to SOPHOS support, it feels more like a gauntlet than a help center.

    I love their products, a bit pricey but really solid stuff.

    What's funny is, 1 of the machines that I had the issue was hit by ransomware. So, the story goes:

    "Burt, my computer is slow and it's saying something about bitcoin."
    I promptly panic, jump on and whilst I see the slowness, I witness something I thought I would never see in my life, the exploiters were on the PC too!! They were troubleshooting (controlling the mouse etc) why their ransomware wasn't working!!!!!!!  It was amazing to watch.

    I booted them off, InterceptX performed perfectly. SOPHOS AV did not pick up the ransomware, it was totally blind to it. InterceptX nuked the ransomware and then the exploiters were trying to script uninstall it and running password finders etc. Booted into safe mode and cleaned up the PC.

    All up, it was an amazing WIN. I don't fault SOPHOS AV for failing, that's life, I now am of the opinion that InterceptX is essential, it really is a non-negotiable necessity.

  • Hi Burt,

    No problem, I understand and so far in my limited experience with Sophos the support seems good and a lot better than other companies I've worked with. The invested time on problems like this is frustrating, especially when there are many other user issues to manage and of course the threat of Ransomware is very worrying. It sounds like quite an experience you witnessed!

    It is good to hear that Intercept X resolved that Ransomware threat you had and it is important we get this issue fully resolved, although I'll try your solution with disabling Windows Defender on the systems we know have the problem. So far the majority of existing users seem OK and from what we have experienced it seems any new systems or rebuilds are more likely to see this issue. Not sure why this is.

    Regards

    Kevin