Hi All,

I installed Windows 1703 and replicated all previous steps I took with 1709.  

It installed fine, and after the reboot no issues. 

The issue has something to do with 1709.

That's not a legit answer.

Machine No. 5 fixed this way.

My client's machines are slowly failing, 1 by 1...

So you have Sophos running with IX, Then what does enable "it" mean? Enable Defender then disable? I am just trying to write out some steps to reproduce.

Yeah we have a big problem too. We had already deleted the Windows Intune account which is what we are coming from. We are now rolling out machines without protection in fear they will lock up. Intune is a massive drag to go back to and remove, it takes hours some time because the removal process does not work that well and is not typically done on the machine.

Yes, IX is installed.  When you install IX, it disables Defender, but it looks like it doesn't do it fully.

When you click start, and type Defender, it will tell you to turn Defender On. 

So, I click that, I get taken to another screen, under Apps I think you will find exploit, turn it all off, and then gpedit.msc defender off the machine.

Touch wood, we are at 3 days on some computers without failure. Still holding my breath this is the problem, but looks promising.

It might be months before SOPHOS support fix this, I would not rely on them.

okay thanks for the information.

We will confirm in lab and report back.

Hi Kevin,

Is there anyway you can tell me the case reference number?

I have wholesale given up on support, so good on you for going through that nightmare.

My Sales Manager wants to know

We have had this in for weeks now. I am not trying to turn this in to a Sophos bash but the last I heard from support was try the beta with no reasoning as to why.

When I asked "what did development say"? He said "I have not asked development." which of course there is no excuse for. this was after supplying logs and diags from multiple machines followed by a long period of silence. I can certainly see why you can take the stance of giving up especially if you are being flamed by customers. We got our a**** lit up.

7849617

This is really not a SOPHOS support bashing thing, I really want to dispel this.  I love SOPHOS, I have been around when they took over Astaro, whose Support was just as bad lol

I have given too much time to SOPHOS support, it feels more like a gauntlet than a help center.

I love their products, a bit pricey but really solid stuff.

What funny is, 1 of the machines that I had the issue was hit by ransomware. So, the story goes:

"Burt, my computer is slow and it saying something about bitcoin. "
I promptly panic, jump on and whilst I see the slowness, I witness something i thought i would never see in my life, the exploiters were on the PC too!! They were troubleshooting (controlling the mouse etc) why their ransomware wasn't working!!!!!!!  It was amazing to watch.

I booted them off, InterceptX performed perfectly. SOPHOS AV did not pick up the ransomware, it was totally blind to it. InterceptX nuked the ransomware and then the exploiters were trying to script uninstall it and running password finders etc. Booted into safe mode and cleaned up the PC.

All up, it was a amazing WIN. I don't fault SOPHOS AV for failing, that's life, I now am at the opinion that interceptX is essential, it really is a non negotiable necessity..

Hi Burt,

No problem, I understand and so far in my limited experience with Sophos the support seems good and a lot better than other companies I've worked with. The invested time on problems, like this is frustrating especially when there are many other user issues to mange and of course the threat of Ransomware is very worrying. It sounds like quite an experience you witnessed!

It is good to hear that Intercept X resolved that Ransomware threat you had and it is important we get this issue fully resolved, although I'll try your solution with disabling Windows defender on the systems we know have the problem. So far the majority of existing users seem ok and from what we have experienced it seems any new systems or rebuilds are more likely to see this issue. Not sure why this is..

Regards

Kevin

Hi Burt,

We just had another system show the problem today and tried to disable Windows Defender as documented above, however it still shows the problem after a reboot.. Hopefully we did everything correctly i.e. In Windows Defender -> "App & Brower control" we switched off all the selections as well as in the "Exploit Protection settings" i.e. "Off by default".

In the gpedit.msc we have the Windows Defender Anti-Virus "enabled" which says it is switched off and AV does not run.

One other thing, Sophos was already installed before we disabled Windows Defender would this make a difference?

Did we miss something? Any help would be appreciated.

Many thanks

Kevin

Hi Burt,

We just had another system show the problem today and tried to disable Windows Defender as documented above, however it still shows the problem after a reboot.. Hopefully we did everything correctly i.e. In Windows Defender -> "App & Brower control" we switched off all the selections as well as in the "Exploit Protection settings" i.e. "Off by default".

In the gpedit.msc we have the Windows Defender Anti-Virus "enabled" which says it is switched off and AV does not run.

One other thing, Sophos was already installed before we disabled Windows Defender would this make a difference?

Did we miss something? Any help would be appreciated.

Many thanks

Kevin

Hi,

Very strange, I'll use my unchanged main computer to show you what I did.  My main computer whilst using ALL 3 sophos products (AV, Int Encryp) does not show any signs of the issue.

Just last night I fixed another one, however i noticed that there was some taskhost.exe or something like that trying to install a driver, after doing the steps, i had to reboot a few times.  Like it was stuck installing a driver or something.

I'm not sure if I am doing these and by accident doing something else that is fixing my issue, as I don't understand the problem 100% I can't say for sure if what I am doing is working.  I have gotten all my client's with this issue off my back, so it must be close on the mark?

https://imgur.com/a/B8N8V

Hi Burt,

I tried again today i.e. removing Sophos and making sure Windows Defender was disabled, I reinstalled Sophos but the problem still shows up after a reboot. This is very strange...

Sophos Escalation team just sent me an email of the problem details which seems to not match the issue we are experiencing.. I'll talk to them about this. It is clear to us any new system installation or rebuild will definitely produce the problem every time. Existing users seem to be ok so far.. This is still a big issue for us with new users and or system rebuilds which we have to do. As you said Intercept X is a necessity and running solely with just Endpoint is not what we bought into when moving to Sophos.

Regards

Kevin

Hi All,

It seems Sophos may have a solution or workaround. It appears a new option added in 1709. i.e. switching off the ‘Use my sign–in info to automatically finish setting up my device after an update or restart’  fixes certainly one of my systems so far. It is in "Settings -> Accounts ->Sign options and under Privacy.

http://www.thewindowsclub.com/automatically-launch-previously-open-apps-reboot-windows-10

Let me know if this helps your systems?

Regard's

Kevin

They are all over the place. Yesterday I was told devs said Visual Studio was causing the issue. We have not been able to test that yet.

We did test a new machine fully patched prior to Sophos install. As long as GPO Defender was done prior to Sophos install it was fine.

Kevin how did you test this?

You had a machine that was acting up with Sophos ADV and IX installed, changed this and restarted and then in was fine?

Yes I have a new system which was always failing on a reboot, so switched off this setting as per Sophos suggestion and it works so far.. I'll try it on other systems later. The Sophos description of the issue almost threw me, but just not totally accurate. Anyhow if this works then I guess it is a Windows problem and adding new switches.

Kevin

Hi

Sorry for the late reply, I actually spent even more time on this issue.

So, it took me over 4 hours to get the VM in JUST the right position. Let me explain:

I have a VM that was shutdown, and a snapshot taken. When I boot the VM, and install SOPHOS, it fails (slowness, un-responsiveness, apps don't work and the start button doesn't work.

I was able to replicate this, 100%. So, I could go back to the snapshot, install SOPHOS, and 100% certainty, it will fail.

Now, this VM is FULLY updates except 1 Windows Defender definition update. It only have VMware Tools installed.

I then proceeded to test (this honestly took 1/2 a day, and today is a public holiday, so here I am doing SOPHOS' job trying to fix this crap instead of spending time with my family):

Install, Restart - FAIL
Install, Restart - FAIL
Update, Install, Restart - OK --> Restart - FAIL
Update, Install, Restart - FAIL
Update, Restart, Install, Restart - OK --> Restart - FAIL
Update, Restart, Off, Install, Restart - FAIL
Signin Option, Install, Restart, OK --> Restart - FAIL
Signin Option, Install, Restart, OK --> Restart - FAIL
Defender Option, Restart (to reflect gpedit.msc), Install, Restart, OK --> Restart - OK

Kevin, I have no idea about this Sign in option of yours, it just doesn't work for me. I am unsure if the actions I am taking with my defender option is triggering something else, I don't know, it is however, working for me.

I have no sunk TOO much time into this, I'm out.  I am very dissapointed with SOPHOS, I am somewhat amazed no one else is experiencing this issue.  It CAN'T just be us.

I download a FRESH copy of Windows 10 from Microsoft. I install a FRESH SOPHOS AV+IntX from SOPHOS's Cloud and BOOM, fail.  How can this JUST be us?!?

I feel like I've taken crazy pills.

Anyway, Good Luck guys :)

Hi Burt and All,

Burt - It sounds like you had a bad day and on your day off. Its not good trying to work issues like this on a day off for sure..

I've now switched off this new 1709 feature on my systems which have the problem so far and they all now work. My Windows defender is enabled and so far fingers crossed I'm not now seeing this problem.

This make me think are there two issues? do we have exactly the same issue? 

Anyhow below is a copy of the email I received from Sophos support yesterday. The problem details are not complete and how it manifests itself is not accurate, but I suppose we have seen and worked this issue for a lot longer than they have..

Regards

Kevin

----------------------------------------- Article ID: 124988 Title: Sophos Intercept X and Exploit Prevention: Known issues URL: https://sophos.com/kb/124988 -----------------------------------------

Windows 10 RS3 - Start UI fails to run during first login session

This issue occurs on computers not joined to a domain. Investigation has shown to be a possible Microsoft issue. A reboot may resolve the issue. The following two options will also prevent the issue from occurring:

• Locally, under User Accounts logon settings, by disabling the setting Use my sign-in info to automatically finish setting up my device after an update or restart.
• Globally as per the following article https://social.technet.microsoft.com/Forums/windows/en-US/efc99b56-8f1f-4364-b081-0b6db46e9dda/global-policy-for-new-use-my-signin-info-to-automatically-finish-setting-up-my-device-after-an?forum=WindowsInsiderPreview

I ran into this exact issue with Sophos Home 1.2.11 beta -- We already know there are shared components between Sophos Endpoint and Sophos Home.

It appears to me like the Sophos software may be creating some sort of timing issue, causing this issue.

When Sophos is installed here are my symptoms:

1. the Windows startup process is definitely slowed with sophos installed
2. The taskbar becomes visible during system startup, but the applications I have pinned to the Windows 10 taskbar do not appear right away-- there is definitely a delay.
3. The start menu is not clickable until after the pinned taskbar icons are visible.

Pretty much 50% of the time I reboot the computer, the Start Menu is not clickable, even after the pinned taskbar icons appear.  So if I reboot 6 times in a row, it's guaranteed that are that the start menu will be clickable on only 2-3 of those boots, max.

Here's where things get interesting... 

I toggled that "use my sign-in info" from the previous post and it did not make a difference for me, but it got me thinking... just because that didn't work, doesn't mean it's not a sign in issue.

On the affected computer, I have a blank password... so the system auto-logs in.

Next steps:

1. I then created a password for my login account
2. Rebooted at least 5 times and could not trigger this issue
3. I changed the password back to being blank and rebooted
4. Issue then starting triggering immediately after reboot

I then uninstalled Sophos, so I'm using the built in Windows Defender, rebooted several times (with the blank password) and the issue does NOT occur.  Windows also boots way faster.

So my question to the group: Is anyone experiencing the issue only when using blank/no login password on their system?

Hi JordanM and All,

I did some more testing today here are my findings:

1. On two test systems I removed the  windows password same as Jordan, the "sign-in info"  switch was disabled, windows defender all enabled I did 12 reboot tests on both systems 0 failures
2. This time I enabled the "sign-in info" switch, No login Password, windows Defender enabled and did 12 reboot tests and 0 failures on both test systems.
3. I then added a login password on both systems, I also enabled the "sign-in info" switch. windows Defender enabled and both systems failed, one failed 3 out of 6, the other 4 out 6 reboot failures.
4. Last test, I disabled the "sign-in info" switch, still with a login password,  windows Defender enabled and both systems were successful with 8 out 8 reboot and no failures.

It seems to me each of us are experiencing different results of what works and what does not. Removing the Windows password does have an effect regardless of the "sign-in info" switch setting. I can't explain why disabling the "sign-in info" switch works for me... I have now tested this on 6 different failing systems and it solves the problem for me on all of them. Burt has found disabling Windows Defender works for him on his systems. The only other explanation is we are looking at two separate issues? In my case when the problem shows. Start, Edge and settings do not work and the overall system performance is noticeably slower. After I have clicked on Edge and then right click start to either reboot or shutdown, edge seems to start in a fashion although not responsive which can be said for other applications which are slow to start.

I can only suggest for those who have not logged a case to Sophos then it is in your best interest to do so as I think the more cases they see adds weight to the problem. I still have my case open ( #7862295) and it is escalated. If I see the issue re-occurring when I have the "sign-in info" switch disabled, I'll for sure be in contact with them, but right now they have given me a solution which seems to work for me.

Regards
Kevin