
Windows Start Menu Locked Up, unable to restart machine.

Have a situation where installing SOPHOS causes the Start Menu of Windows 10 1709 to stop working, also seems to stop all "User Experience" things, such as Settings Page etc. When you try to restart, you get the error:

task host is stopping background tasks windows 10 Device install reboot required

You have to hard kill it to reboot/shutdown the machine. 

This is a fresh installation of USB
Installed Acrobat Reader, Media Player Classic, IrfanView, GreenShot, Chrome and Java.

Used the new Deployment from SOPHOS MSP Admin Console and the "Download Complete Windows Installer"

Used the following command to install:
SophosSetup.exe --customertoken="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" --mgmtserver="dzr-mcs-amzn-us-west-2-fa88.upe.p.hmr.sophos.com" --products="antivirus;intercept" --quiet

I seem to be able to "jostle" the start menu by right clicking on the start button.  

At this stage, I am unable to install SOPHOS AV



  • Hi All,

    I installed Windows 1703 and replicated all previous steps I took with 1709.  

    It installed fine, and after the reboot no issues. 

    The issue has something to do with 1709.

  • Ok, fair enough, I'm on machine 3 with success. Interestingly, on the 3rd, I had to ENABLE it, turn off Exploit and then disable it via GPO.

    It definitely feels like a Windows Driver / Filter issue, so it is beyond direct control, you have to tinker with stuff on the surface to get it to change / remove filters at the bottom near the Kernel, though, I could be 100% wrong. As said, 3rd machine fixed, at least I have something to play with to get it to work for the clients that complain.

  • One more thing to add: I did discover on two machines the system interrupt was 100% the CPU, for what it's worth.

  • Machine No. 5 fixed this way.

    My client's machines are slowly failing, 1 by 1...

  • So you have Sophos running with IX, Then what does enable "it" mean? Enable Defender then disable? I am just trying to write out some steps to reproduce.

    Yeah, we have a big problem too. We had already deleted the Windows Intune account, which is what we are coming from. We are now rolling out machines without protection in fear they will lock up. Intune is a massive drag to go back to and remove; it takes hours sometimes because the removal process does not work that well and is not typically done on the machine.

  • Yes, IX is installed.  When you install IX, it disables Defender, but it looks like it doesn't do it fully.

     

    When you click start, and type Defender, it will tell you to turn Defender On. 

    So, I click that, I get taken to another screen, under Apps I think you will find exploit, turn it all off, and then gpedit.msc defender off the machine.

    Touch wood, we are at 3 days on some computers without failure. Still holding my breath this is the problem, but looks promising.

     

    It might be months before SOPHOS support fix this, I would not rely on them.

  • okay thanks for the information.

    We will confirm in lab and report back.

  • Hi Kevin,

    Is there any way you can tell me the case reference number?

    I have wholesale given up on support, so good on you for going through that nightmare.

    My Sales Manager wants to know

  • We have had this in for weeks now. I am not trying to turn this into a Sophos bash, but the last I heard from support was try the beta, with no reasoning as to why.

    When I asked "what did development say?" he said "I have not asked development," which of course there is no excuse for. This was after supplying logs and diags from multiple machines, followed by a long period of silence. I can certainly see why you can take the stance of giving up, especially if you are being flamed by customers. We got our a**** lit up.

     

    7849617

  • Hi Burt, my case ID with Sophos support is #7862295. I've been following your comments and the excellent work you have done, and it seems like I will need to try the same solution with disabling Windows Defender, because I cannot wait for months for a solution from Sophos. We are still new to Sophos, only since last November, so I appreciate you have more experience with their support delivering a timely solution than I do. I have involved my reseller today so maybe they can add some pressure to Sophos. Regards Kevin
  • This is really not a SOPHOS support bashing thing, I really want to dispel this.  I love SOPHOS, I have been around when they took over Astaro, whose Support was just as bad lol

    I have given too much time to SOPHOS support, it feels more like a gauntlet than a help center.

    I love their products, a bit pricey but really solid stuff.

    What's funny is, 1 of the machines that I had the issue on was hit by ransomware. So, the story goes:

    "Burt, my computer is slow and it saying something about bitcoin. "
    I promptly panic, jump on and whilst I see the slowness, I witness something I thought I would never see in my life, the exploiters were on the PC too!! They were troubleshooting (controlling the mouse etc) why their ransomware wasn't working!!!!!!! It was amazing to watch.

    I booted them off, InterceptX performed perfectly. SOPHOS AV did not pick up the ransomware, it was totally blind to it. InterceptX nuked the ransomware and then the exploiters were trying to script uninstall it and running password finders etc. Booted into safe mode and cleaned up the PC.

    All up, it was an amazing WIN. I don't fault SOPHOS AV for failing, that's life. I now am of the opinion that InterceptX is essential, it really is a non-negotiable necessity.

  • Hi Burt,

    No problem, I understand, and so far in my limited experience with Sophos the support seems good and a lot better than other companies I've worked with. The invested time on problems like this is frustrating, especially when there are many other user issues to manage, and of course the threat of ransomware is very worrying. It sounds like quite an experience you witnessed!

    It is good to hear that Intercept X resolved that ransomware threat you had, and it is important we get this issue fully resolved, although I'll try your solution with disabling Windows Defender on the systems we know have the problem. So far the majority of existing users seem OK, and from what we have experienced it seems any new systems or rebuilds are more likely to see this issue. Not sure why this is.

    Regards

    Kevin